
C drive not showing up in Device Manager, can see it in Explorer


This topic is locked
21 replies to this topic

#1 MartinRSA

  • Members
  • 11 posts

Posted 22 June 2010 - 12:42 PM

I have the following issues:
1) When I tried to Copy Drive using Casper 5.0 (I have identical drives: C is the main drive, D is a mirror of C in case C fails, which has happened before), the C drive could not be found.

When looking under Administrative Tools > Computer Management, it is missing under:
Device Manager
Disk Management

It can be seen under Disk Defragmenter.

I can find it in Explorer/My Computer

When right clicking on Drive C, then Properties and then looking under the Hardware tab, then clicking Properties, then Volume (and populate) only Drive D comes up. Same if I do this starting with Drive D.

At the same time I noticed that I now also have the Google Redirect 'virus' - it redirects search results to other arbitrary sites.

Are these two issues somehow linked?

Other things I have noticed:
Both drive C and D don't have a name anymore. I usually call them Martin HDD.
I often look at Windows Task Manager to check what's running and why the computer is slowing down; under Processes I have noticed that svchost.exe Mem Usage is very high recently - between 100 to 250,000 K - and is often the highest (even with no search engine running; I use IE8). I cannot recall seeing this on a regular basis before.

Since updating Norton Internet Security from 2009 to the 2010 version I am continuously warned about unauthorised attacks from various sites, many with .asia extensions.
Today I did a Norton Quick Scan and it found a virus called svchost.exe and deemed it to be a Trojan Horse. It has been quarantined; no change though, even after rebooting.
I did a Microsoft Security Essentials scan, nothing.

I downloaded DDS; see the log below and attached.

Thank you
Martin

DDS (Ver_10-03-17.01) - NTFSx86
Run by Martin at 13:24:04.09 on Tue 06/22/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2014.941 [GMT -4:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Documents and Settings\peter Li\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\peter Li\Desktop\dds.scr
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uSearch Page = hxxp://www.google.ca/hws/sb/dell-row-rel/en/side.html?channel=ca
uDefault_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=2080502
uSearch Bar = hxxp://www.google.ca/hws/sb/dell-row-rel/en/side.html?channel=ca
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://store.adobe.com/WebObjects/WEC?pageID=RegMp1&awe_301001&platformCode=WIN&version=5.0&nameCode=ACRO&languageCode=USENGLIS&systemCode=AOLN
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.ca/hws/sb/dell-row-rel/en/side.html?channel=ca
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\norton internet security\engine\17.7.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\norton internet security\engine\17.7.0.12\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\norton internet security\engine\17.7.0.12\coIEPlg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [Iomega Automatic Backup Pro] "c:\program files\iomega\automatic backup pro\LiveSystem.exe" -s
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [RIMDeviceManager] "c:\program files\common files\research in motion\rimdevicemanager\RIMDeviceManager.exe" -RunServer
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\peterl~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\peter li\application data\dropbox\bin\Dropbox.exe
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: {0981D991-BE52-4CE5-B2FC-0A38CE6999DA} = 192.168.1.1
TCP: {CE84FC38-A453-48A9-9182-6EB01E36079C} = 192.168.1.1
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
============= SERVICES / DRIVERS ===============

R0 IABFilt;Iomega Snapshot Volume Filter;c:\windows\system32\drivers\IABFilt.sys [2008-7-4 25344]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1107000.00c\symds.sys [2010-5-20 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1107000.00c\symefa.sys [2010-5-20 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\bashdefs\20100522.001\BHDrvx86.sys [2010-5-22 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1107000.00c\cchpx86.sys [2010-5-20 501888]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R1 MpKslff9d18e1;MpKslff9d18e1;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{46325149-4f4a-4bc3-88d2-e6c9e304d2bb}\MpKslff9d18e1.sys [2010-6-22 28752]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1107000.00c\ironx86.sys [2010-5-20 116784]
R2 altio;altio;c:\program files\altium designer 6\system\drivers\altio.sys [2008-5-12 3200]
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-1-23 133968]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\norton internet security\engine\17.7.0.12\ccsvchst.exe [2010-5-20 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-1 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\ipsdefs\20100617.005\IDSXpx86.sys [2010-6-22 331640]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\virusdefs\20100621.038\NAVENG.SYS [2010-6-22 85552]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\virusdefs\20100621.038\NAVEX15.SYS [2010-6-22 1347504]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S4 gupdate1c9f670735dbb64;Google Update Service (gupdate1c9f670735dbb64);c:\program files\google\update\GoogleUpdate.exe [2009-6-26 133104]

=============== Created Last 30 ================

2010-06-22 13:44:44 0 d-----w- c:\program files\Microsoft Security Essentials
2010-06-17 21:39:53 0 d-----w- c:\windows\system32\NtmsData
2010-06-02 03:04:47 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-01 19:56:27 0 d-----w- c:\docume~1\peterl~1\applic~1\0BB7388EFF7A8B689B20996893AFB38B

==================== Find3M ====================

2010-06-22 16:18:57 1984 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-22 16:07:05 256 ----a-w- c:\documents and settings\peter li\pool.bin
2010-05-17 18:52:13 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-17 18:52:13 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-17 18:52:13 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-05-17 18:52:13 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2003-06-19 15:05:04 431888 --s-a-w- c:\program files\common files\riched20.dll
2008-10-27 19:45:36 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102720081028\index.dat

============= FINISH: 13:24:58.07 ===============
This computer is used for email and searching for suppliers / components used in our products.

EDIT: Moved from XP to Malware Removal Logs forum ~ Hamluis.


Edited by hamluis, 22 June 2010 - 12:58 PM.



#2 Farbar

    Just Curious

  • Security Developer
  • 21,708 posts
  • Gender: Male
  • Location: The Netherlands

Posted 28 June 2010 - 05:49 AM

Hi MartinRSA,

Welcome to Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. In case of making changes I shall assume my assistance is not needed any more.

If the issue is not resolved please update me on the current condition of your computer.

#3 MartinRSA
  • Topic Starter

  • Members
  • 11 posts

Posted 28 June 2010 - 02:57 PM

Hi Farbar,

The condition is unchanged.
I still cannot see the C: drive (my boot drive) in Device Manager (which means I cannot do a mirror copy with Casper or back up to another disk using a backup program), but I can see it in Explorer.
I still have the Google Redirect issue, but in the meantime I manage it by cleaning out the temp folders and deleting all history, cookies etc. regularly, and I have changed the permission for 3rd-party cookies to Blocked (it used to be Prompt). It works normally for a while and then suddenly redirects, which prompts me to delete all history again. I only allow cookies of sites that need them to work, i.e. banking, and I would previously allow the cookie with the primary site address of various sites that look clean etc.
More info: I've had a look at all the other computers we have at the office, all running Windows XP Service Pack 3. Some have two users, some only one. Mine had two users (I created another user with a password as a backdoor in, from experience of a previous crash episode when I could not get into the main user account).
The major difference between my computer and the others is that all my drives are now shared as C$, D$, H$ and the number of users allowed is the maximum (C is the boot drive, D is the mirror copy of C, H is my external USB backup drive). It is not my habit to share any of my drives, so this is new. The only share I do is through the Shared Documents folder. If I follow the Microsoft recommended method of removing the share it simply comes back after rebooting.
I have found a thread in social.answers.microsoft.com with the same problem, but this person runs Windows 7.

#4 Farbar

    Just Curious

  • Security Developer
  • 21,708 posts
  • Gender: Male
  • Location: The Netherlands

Posted 28 June 2010 - 03:59 PM

Thanks for the feedback. We have some work to do.
  1. I do not recommend that you have more than one antivirus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
    1) False Alarms: when the antivirus software tells you that your PC has a virus when it actually doesn't.
    2) System Performance Problems: your system may lock up due to both products attempting to access the same file at the same time.
    Therefore please go to Add/Remove in the Control Panel and remove either xxxx or xxxx.

  2. Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


    Note:
    In case malware prevented the mbam-setup.exe file from installing, rename it to something.exe.

    In case malware prevented it from updating or running, use Windows Explorer (right-click Start > Explorer) to navigate to the following folder: C:\Program Files\Malwarebytes' Anti-Malware
    Locate the file mbam.exe and rename it to clear.exe, then double-click to run it.

    In case the Malwarebytes exe gets deleted by the malware (Code 2 error, mbam.exe not found), download a randomized renamed mbam.exe version from here.
    Place the renamed mbam.exe in the Program Files\Malwarebytes' Anti-Malware folder and run the renamed file from there directly instead of using the shortcut.

  3. Run GMER, uncheck all boxes but let the boxes next to Sections and C drive remain checked. Click Scan.
    When it has finished, press Save to save the log and post it in your reply. It will not take more than a minute.


#5 MartinRSA
  • Topic Starter

  • Members
  • 11 posts

Posted 28 June 2010 - 04:27 PM

Hi Farbar,
Re the Google redirect issue:
I noticed the following today after a Google search: when clicking on one of the sponsored links that come up immediately below the search box, it redirected search results thereafter (I did not accept the cookie) on the active tab. Once I closed the tab the redirecting stopped.

#6 Farbar

    Just Curious

  • Security Developer
  • 21,708 posts
  • Gender: Male
  • Location: The Netherlands

Posted 28 June 2010 - 04:36 PM

Thanks for the feedback, but it is not really needed at this moment. We don't need to investigate the redirection behavior and don't need to guess. We have scanners to tell us the type of infection, and we have to take care of the infection as quickly as possible.

Edited by farbar, 28 June 2010 - 04:37 PM.


#7 MartinRSA
  • Topic Starter

  • Members
  • 11 posts

Posted 29 June 2010 - 01:08 PM

Hi,
I have removed Windows Essentials. I recently added it as on one or other forum the claim was that it can find malware that Norton cannot. I downloaded Malwarebytes and GMER a few days ago after reading through your Malware forum and ran them. Nothing came up. I updated and ran it again today. See below.
When I run GMER it causes a problem with the computer: once I had a blue screen, today it just hung. So, I'll send this log first and then close everything, run it and send the results afterwards.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4258

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/29/2010 1:38:49 PM
mbam-log-2010-06-29 (13-38-49).txt

Scan type: Quick scan
Objects scanned: 148895
Time elapsed: 6 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#8 Farbar

    Just Curious

  • Security Developer
  • 21,708 posts
  • Gender: Male
  • Location: The Netherlands

Posted 29 June 2010 - 01:22 PM

How do you run GMER and at what stage does it give you a blue screen? Do you disable the antivirus prior to running it and disconnect from the internet?

#9 MartinRSA
  • Topic Starter

  • Members
  • 11 posts

Posted 29 June 2010 - 01:52 PM

I disable my network connection and Norton Internet Security, then run it.
The first two lines are:
? symds.sys file not found
? symefa.sys file not found

I thought that might be something to look at, but they are present under C:\WINDOWS\system32\drivers\NIS\1107000.00C and they are Symantec files.

This is the message on the blue screen in case it means anything:

IRQL_NOT_LESS_OR_EQUAL
***STOP: 0x0000000A (0x0000000F771, 0x00000002, 0x00000001, 0x80701A8E)


#10 Farbar

    Just Curious

  • Security Developer
  • 21,708 posts
  • Gender: Male
  • Location: The Netherlands

Posted 29 June 2010 - 02:36 PM

QUOTE
at what stage it gives you a blue screen?

I would like to get specific feedback about this question.

So you double-click GMER, it shows two lines and then crashes without giving you the option to select any option or press Scan?

Why should we look at the path to NIS? What has that to do with running or crashing GMER?

The message doesn't help. It would help if you describe all the steps GMER goes through or you do. Did you follow my instruction on how to run GMER? Please be specific.



#11 MartinRSA
  • Topic Starter

  • Members
  • 11 posts

Posted 29 June 2010 - 03:15 PM

Farbar,
Your instructions were followed. I did not detail every step. I select Sections and Files + C:, then run it.
It runs for a few minutes, then I get a blue screen. This has happened twice now.
The 3rd time it is running OK now, and I've written down what has come up on the screen so far just in case it blue screens again.
You said: Why should we look at the path to NIS? What has that to do with running or crashing GMER?
Well, I gave you what I saw on the screen before it crashed, that is all, without knowing it was Norton at the time. As said in my original posting, the most recent software change to this computer is updating to NIS2010. If you think it has nothing to do with it, that's good.

Hopefully I can send you the GMER info soon. If it 'bluescreens' I'll try to write in detail what came up on the screen.

BTW, I have found another person with the same issue that runs Windows 7. http://social.technet.microsoft.com/Forums...eb-931efd17813f

#12 MartinRSA
  • Topic Starter

  • Members
  • 11 posts

Posted 29 June 2010 - 03:17 PM

The full site address did not come up. This guy appears to have the same issue. There are some details in this thread.
http://social.technet.microsoft.com/Forums...eb-931efd17813f

#13 Farbar

    Just Curious

  • Security Developer
  • 21,708 posts
  • Gender: Male
  • Location: The Netherlands

Posted 29 June 2010 - 03:33 PM

Please, no need to send me links or any extra info. I'll ask if I need any info. The infection is known and I try to get feedback from you without redoing, and you have done a great job providing the feedback. Even if GMER crashes again we have other options; please just don't go around for a solution, stick with me on this and I'll guide you through it.

#14 MartinRSA
  • Topic Starter

  • Members
  • 11 posts

Posted 29 June 2010 - 08:53 PM

Farbar,
Sure, I won't pass along any more info. Glad to know it is a known infection.
Note that I had been trying to find a solution for a number of days prior to your first response, so I was just passing along what I have seen that appears to be closest to what I have. So far everyone seems clueless as to the reason. I'll pass on the GMER info tomorrow once I'm back at my office.

#15 Farbar

    Just Curious

  • Security Developer
  • 21,708 posts
  • Gender: Male
  • Location: The Netherlands

Posted 30 June 2010 - 06:50 AM

MartinRSA,

You have an infected computer and the drive issue; they might be related, but we will find out when we remove the infection and you have a clean computer. That is the logical order. So until the computer is clean and malware interference is ruled out, I won't put much effort into the rest.

You wrote this earlier:

QUOTE
3rd time it is running OK now and I've written down what has come up on the screen so far just in case it blue screens again.

I don't quite understand why you didn't post the info and need to be back at the office to post the log. Is this a company computer, and you ran the scan at the office, forgot to post the result, and can post it when you are back?






