
Extremely Hard To Detect Virus


9 replies to this topic

#1 agentwd40

  • Members
  • 49 posts
  • Gender: Male

Posted 04 March 2008 - 10:05 AM

Let me just say beforehand, thanks for taking the time to help me with this. I don't know how I picked it up, but somehow my computer has gotten infected with a nasty virus, malware, spyware or all of the above, and I would really appreciate some help getting it/them off. Hopefully the following info will help.

My Computer: I'm running Windows XP (with SP2). I have Norton Antivirus 2007 and Spysweeper. I also have been using lately PC Tools Spyware Doctor. My firewall is Zone Alarm. I use Firefox most of the time, unless the site I visit says that it only permits IE Explorer. By the way, all of the above have been updated, including Windows and Office.

The Problem: It started last Friday (February 29th). My Spysweeper program started popping up saying that the Internet Communications Shield was blocking an attempt to connect with a bad site. This was happening like once a second or more. To give you an idea how aggressive it is, since Friday the Shield has blocked a total of 84,646 attempts and counting. I started to notice that when I restart the computer, the attacks start and go through a list of websites in alphabetical order, one after another. This continues for about 4-5 minutes and then it quiets down. However, the attacks continue silently I guess, because little by little the count on the shield keeps going up as long as I have the computer on, but I don't get any Spy Sweeper notification popups. I can go on the internet and my browser has not been hijacked and it seems I can do what I need. One thing I've already learned on this forum is that I've been making a big mistake. I've been logging on as administrator when I go on the web. So I've stopped doing that.

What I've done already: I've cleaned out my temporary files, temporary Internet files and Recycle Bin. I've scanned my computer off-line with NAV, Spysweeper, Spyware Doctor, Lavasoft Ad-Aware SE Personal, AVG Anti-Rootkit Free, McAfee Stinger, and F-Secure BlackLight (free download). I've also done an online scan using both Panda and HouseCall. The online BitDefender would not let me update the scan tool, so it said the scan might not be accurate, so I opted not to take the time to do that one. All of them say my computer is clean of viruses. I decided to remove anything that might be leaving an opening into my computer. When I uninstalled the Southwest Ding application, Spysweeper caught and quarantined the Adware program webhancer trying to install itself. This did not end the attacks described earlier. I also uninstalled a Firefox add-on for Weather.com. Apart from that one I have other add-ons which I have not uninstalled. In one sweep, Spyware Doctor caught and quarantined Worm.Nimda and said there were 24 infections. Apart from those, nothing else has been detected.

Other observations: I don't know if these things mean anything or not, but I'll mention them anyway.
1) While running Spyware Doctor, it will often hang up whether I'm doing the full scan or the Intelli-scan. I noticed the files that hung it up were the following: temp/mep??.tmp . Also internet explorer plugin auto update property sheet extension. Also the following system files: windows/systems32/davinci.scr; windows/systems32/stacgui.cpl . Again, I don't know if this is a coincidence, but it's done it several times on each of the ones mentioned.

2) Another strange thing: Norton AV will no longer do a correct scan on my Administrator profile. It does about seven thousand files and then locks up, when normally it scans about 400,000+ files. Just for fun, I tried doing the full scan on another profile and it worked. It went all the way through and just found some common low-level tracking cookies.

3) I've had things from different programs pop up from programs or things that I was not working on or did not initiate. Again, I don't know if this is just a coincidence and I'm just getting paranoid or if it's connected with my problem. For instance, after one restart, a language bar thing appeared on my desktop. When I clicked help to see why this was happening it said " Appears automatically when you add handwriting recognition, speech recognition, or an input method editor." Another time the Garmin Webupdater (for a Garmin Nuvi that I have) appeared out of nowhere and gave me this message: "Please re-run WebUpdater from the command line and specify the directory containing the update files as a command-line parameter."

One more thing: To complicate matters a little more, I recently updated my BIOS and in doing so, turned off Windows System Restore. I forgot to turn it on again right away, and when I remembered I already had the problem, so at this point my Windows Restore is still turned off.

So there you have it. I've gotten myself into a mess somehow. I hope you can help me track down this nasty little virus. I have HijackThis, and can post it if you would like or anything else that might help.

What should I do next?? Thanks again.
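The symptom described in this post (a burst of outbound connection attempts that walks a list of hosts in alphabetical order for a few minutes after boot, then a slow steady trickle) is a pattern a practitioner can look for directly in firewall or connection-shield logs rather than waiting for signature scanners. The script below is an added example, not code from this thread or from Spy Sweeper: it assumes a hypothetical one-event-per-line log format (`timestamp BLOCK|ALLOW out src -> host:port`), and runs over constructed sample lines that reuse the three domains named later in the thread plus invented `.example` hostnames. It flags a host that is both firing blocked outbound attempts at a high rate and emitting destinations in sorted order, which is what a list-driven adware or bot component looks like.

```python
"""Flag list-driven outbound beaconing in blocked-connection log lines.

Added example; the log format and thresholds are assumptions, not Spy Sweeper's.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: three domains the poster named plus invented .example hosts.
SAMPLE_LOG = """\
2008-02-29 18:01:00 BLOCK out 192.168.1.5 -> games4all.biz:80
2008-02-29 18:01:00 BLOCK out 192.168.1.5 -> gosysystemdoctor.com:80
2008-02-29 18:01:01 BLOCK out 192.168.1.5 -> hitscount.net:80
2008-02-29 18:01:01 BLOCK out 192.168.1.5 -> isearch.example:80
2008-02-29 18:01:02 BLOCK out 192.168.1.5 -> jumpads.example:80
2008-02-29 18:01:02 BLOCK out 192.168.1.5 -> klikvip.example:80
2008-02-29 18:05:30 ALLOW out 192.168.1.5 -> www.bleepingcomputer.com:80
2008-02-29 18:06:00 BLOCK out 192.168.1.5 -> ad.example:80
"""

# Constructed benign sample: a couple of unrelated blocks, minutes apart.
BENIGN_LOG = """\
2008-03-01 09:00:00 BLOCK out 192.168.1.5 -> www.example:80
2008-03-01 09:05:00 ALLOW out 192.168.1.5 -> mail.example:110
2008-03-01 09:10:00 BLOCK out 192.168.1.5 -> ad.example:80
"""

# Hypothetical log grammar (assumption): "<ts> BLOCK|ALLOW out <src> -> <host>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<action>BLOCK|ALLOW) out (?P<src>\S+) -> (?P<host>[^:\s]+):(?P<port>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "action": m["action"],
        "src": m["src"],
        "host": m["host"].lower(),
        "port": int(m["port"]),
    }


def blocked_events(text):
    """Return only the BLOCK events, in log order, skipping unparseable lines."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    return [e for e in events if e["action"] == "BLOCK"]


def longest_sorted_run(hosts):
    """Length of the longest run of consecutive hosts in non-decreasing order.

    A malware component iterating a stored host list emits destinations in the
    list's order; a sorted list shows up as one long ascending run.
    """
    best = run = 1 if hosts else 0
    for prev, cur in zip(hosts, hosts[1:]):
        run = run + 1 if cur >= prev else 1
        best = max(best, run)
    return best


def peak_per_second(events):
    """Highest number of blocked attempts sharing one timestamp (second)."""
    if not events:
        return 0
    return max(Counter(e["ts"] for e in events).values())


def analyze(text, min_run=5, min_rate=2):
    """Summarise blocked outbound activity and flag list-driven beaconing.

    Thresholds are assumptions chosen for the sample: at least `min_run`
    destinations in sorted order and at least `min_rate` blocks in one second.
    """
    events = blocked_events(text)
    hosts = [e["host"] for e in events]
    run = longest_sorted_run(hosts)
    rate = peak_per_second(events)
    return {
        "total_blocks": len(events),
        "longest_sorted_run": run,
        "peak_per_second": rate,
        "suspicious": run >= min_run and rate >= min_rate,
    }


if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("benign", BENIGN_LOG)):
        print(name, analyze(log))
```

On the constructed sample this reports seven blocks, a sorted run of six hosts and two blocks per second, so it is flagged; the benign sample is not. In practice the next step is to attribute the flagged connections to a process (the shield only shows the destination), which is why the helpers in this thread ask for a HijackThis log or a rootkit scan rather than relying on the block count alone.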


#2 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,699 posts
  • Gender: Not Telling
  • Location: Bloomington, IN

Posted 05 March 2008 - 02:35 AM

Hello agentwd40 and welcome to BC :flowers:

First, I would re-enable your System Restore. Having an infected restore point to fall back on is better than having no restore point to fall back on.

Second, I would like you to run a scan with SUPERAntiSpyware in Safe Mode. You will, of course, install it in Normal Mode. You may wish to print out these instructions or copy them to notepad as you will not have internet access while in safe mode.

Download and install SUPERAntiSpyware free found here: SUPERAntiSpyware

Be sure to click on the download button to the left, not on the free trial download on the right.

  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions; click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
      o Close browsers before scanning
      o Scan for tracking cookies
      o Terminate memory threats before quarantining
    Please leave the others unchecked.
  • Click the Close button to leave the control center screen.
  • Reboot into Safe Mode.
  • On the main screen, under Scan for Harmful Software, click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • Reboot into Normal Mode.

To retrieve the removal information for me please do the following:
  • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • It will open in your default text editor (such as Notepad/WordPad).
  • Please highlight everything in the notepad, then right-click and choose Copy.
  • Click Close and Close again to exit the program.

Please post the log in your next reply.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 agentwd40

  • Topic Starter
  • Members
  • 49 posts
  • Gender: Male

Posted 06 March 2008 - 08:12 AM

Thanks for the welcome Orange Blossom and also for the quick reply.

Here's the latest on my problem. Yesterday, when I started my computer to go online and download SUPERAntiSpyware, NAV was incapacitated and when I pressed FIX it would not help the problem. Also there was a box that popped up that said the following:

DSCA.EXE
Common Language Runtime Debugging Services
App has generated an exception that could not be handled. Process ID=0xaa8(2278), thread id=0xe74(3700)
Click OK to terminate the app
Click Cancel to debug the app

I clicked OK to terminate it. Finally after I think two more restarts NAV started working again, and I could go online to download and update SUPER.

I ran it last night and it found one thing. I restarted my computer but it hung up on the reboot. There was a black screen and the message:

(xldr) ATA error

So I hit the off button and manually restarted it. On the first restart, instead of going into my administrators profile, I went into the other one. When it opened there was another box (Import Wizard) that popped up that said the following:

Import Settings and Data
Import Options, Bookmarks, History, Passwords, and other data from...
(It then gave me a choice) Microsoft IE or Don't Import Anything

I chose to not import anything. I then went into SUPER and looked for the log as you instructed but there was no log. So I went to the Quarantine Section and this was the only thing found:

An Adware cookie: C:\Documents and Settings\Anita\Cookies\anita@updates.liquiddigitalmedia[2].txt

I ran SUPER again and this time it came out clean.

When I restarted my computer the original problem has continued. By the way, since my last post I was able to scan my whole drive again with NAV and it came up clean.

It seems now when I go out of Safe Mode and try to restart, the same thing happens. I get a black screen with the message:

(xldr) ATA error

But I can then shut off the computer manually and restart it without problems.

Is there something else I can do??

#4 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,149 posts
  • Gender: Male
  • Location: NJ USA

Posted 06 March 2008 - 09:49 PM

Hello. I personally think this is a motherboard issue. Perhaps a flash of the BIOS. This is a common problem with Dells.
You should take this issue up top in the XP forum and have them recommend what and how.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#5 agentwd40

  • Topic Starter
  • Members
  • 49 posts
  • Gender: Male

Posted 07 March 2008 - 08:12 AM

Hello boopme. Could you give me a little more explanation please?

Everything is working on my computer for the most part. I can open documents and programs without any problems. What is worrying me is that when I restart the computer Spysweeper is blocking a barrage of attempts to connect to all different types of suspicious websites; anything from games4all.biz, gosysystemdoctor.com, and hitscount.net to porn sites. Other than that, my computer is working normally and starts and restarts all right.

Would that be related with my recent BIOS update, and if so how? Thanks!

#6 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,149 posts
  • Gender: Male
  • Location: NJ USA

Posted 07 March 2008 - 09:23 PM

Hi, it is a bit difficult to say for sure, as it looks to me as if your firewall is blocking what it should. In other words, doing its job. I don't like what is attacking you, as they are known malwares. We may still post a HJT log, but first: did you run the SUPERAntiSpyware scan, and run it from Safe Mode? If so, could you post the scan log? If not, would you please do that. Just a guess, but I smell a rootkit.

#7 agentwd40

  • Topic Starter
  • Members
  • 49 posts
  • Gender: Male

Posted 07 March 2008 - 11:02 PM

Yes, I did run SUPERAntispyware in SAFE Mode.

The scan finished and found one tracking cookie, but when I tried to restart my computer it froze. There was a black screen and the message:

(xldr) ATA error

So I hit the off button and manually restarted it without any problem. I then went into SUPER and looked for the log but there was none. Apparently it got erased when my computer froze up and had to be restarted. So I'm not able to post a log for that reason. I then went into the Quarantine Section of SUPER and this was the only thing found:

Adware cookie: C:\Documents and Settings\Anita\Cookies\anita@updates.liquiddigitalmedia[2].txt

I ran SUPER again after that and that time it came out clean. However, when I restarted my computer the original problem has continued.

By the way, I also ran Spy Sweeper in SAFE mode and it did not detect anything either.

#8 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,149 posts
  • Gender: Male
  • Location: NJ USA

Posted 08 March 2008 - 06:46 PM

I still feel this is not malware related. I would go up top to those forums and seek "Master Boot Record issue" or something.

#9 agentwd40

  • Topic Starter
  • Members
  • 49 posts
  • Gender: Male

Posted 08 March 2008 - 07:03 PM

I can do that, boopme. I'm just not sure where to post it as this is my first time using these forums. Would it be good to post under the forum Windows XP with that type of an issue, or another one??

#10 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,149 posts
  • Gender: Male
  • Location: NJ USA

Posted 08 March 2008 - 07:09 PM

That's OK, as I'm not certain whether it's the hardware or software. Start it in the XP forum and if they determine it to be better elsewhere they will move it for you. Go with the (xldr) ATA error issue.
Good Luck
boopme
