Virus or Something that seems to be holding SpyBot at bay



helplessyank
2015-02-28, 23:58
For over a week, and with increasing severity, something has been taking over my computer (Dell, Vista). I have no logs or the like to post, because I now have to come into the office to be able to be online for over three minutes.

When I run SpyBot, it spends a lot of time going over the same Win32 stuff, sometimes multiple times, and then from the 38% mark it cycles through all the Virtumondes until after 100 percent, when it quickly runs through the Win32 and Zlob stuff again before finishing. It did this in 1.6, and then I upgraded to free 2.4.

It does different things at different times. Screen freeze, then just off most of the time; blue screen; automatic reboot in safe once; automatic reboot a bit more often; and a couple of times freezing on SATA 00: install, SATA 01: install, SATA 02: none, SATA 03: none...

If someone can assure me the pay versions will take care of this, I'll bite (if I can stay online long enough to download it). I've tried Malwarebytes and one of the other major ones, as well as my Norton, but to no avail. Any advice would be appreciated.

Thanks.

Zenobia
2015-03-01, 04:55
It does different things at different times. Screen freeze, then just off most of the time; blue screen; automatic reboot in safe once; automatic reboot a bit more often; and a couple of times freezing on SATA 00: install, SATA 01: install, SATA 02: none, SATA 03: none...
It is possible that this is virus related, but from the description you gave, it sounds more like there might be something wrong with your computer that might be non-virus related. (It is hard to tell sometimes.) Has there been anything else happening with your computer that might point to malware?

If you can still get in to your computer without a freeze/reboot, it might be worth having a look in Event Viewer, it might give some info about what is happening.
http://windows.microsoft.com/en-ca/windows/open-event-viewer#1TC=windows-vista
When you open event viewer, a list of events should be summarized: Critical, Error, and Warning. Try viewing critical events and see if it has anything listed around the times and dates when you are experiencing freezes, etc. Please post back about anything you find, etc.

helplessyank
2015-03-02, 01:20
It is possible that this is virus related, but from the description you gave, it sounds more like there might be something wrong with your computer that might be non-virus related. (It is hard to tell sometimes.) Has there been anything else happening with your computer that might point to malware?

If you can still get in to your computer without a freeze/reboot, it might be worth having a look in Event Viewer, it might give some info about what is happening.
http://windows.microsoft.com/en-ca/windows/open-event-viewer#1TC=windows-vista
When you open event viewer, a list of events should be summarized: Critical, Error, and Warning. Try viewing critical events and see if it has anything listed around the times and dates when you are experiencing freezes, etc. Please post back about anything you find, etc.

Well this has been my entire day. I can stay on in Safe Mode, but cannot get online even in Safe Mode with Networking. I was able to date the problems back--as I thought I would--to an update of the coverage area for my Verizon broadband modem. The device stopped working, I had to do a reinstall, but the computer has been screwed since then. Almost immediately a few things began to happen: Microsoft Firewall activated on its own (I have unchecked it in the Config list). Beginning with that Verizon trouble, almost all logins go through a three-part (or more) loop: instead of the standard 4648/4624/4672 sequence, it is doing it multiple times. Some of these have happened in the early morning hours when I have not been awake, and one time when I was at work (I live alone). During these there is often a quick 4904/4905: An attempt was made to register/unregister a security event source, usually VSSVC.exe.

The last events before the last three crashes involved DCOM TrustedInstaller coming on, followed by Windows Modules Installer.

It's not the disk: CHKDSK came through with flying colors.

I'm going home to run a sfc scan and a clean boot.

Zenobia
2015-03-03, 02:39
Sorry you're having so many problems. Trust me, I know what that is like when nothing is working. :)


Some of these have happened in the early morning hours when I have not been awake, and one time when I was at work (I live alone). During these there is often a quick 4904/4905: An attempt was made to register/unregister a security event source, usually VSSVC.exe.

This is the description for VSSVC.exe
http://www.bleepingcomputer.com/startups/vssvc.exe-17687.html

Please see here. Mind you, it is for a server:
https://social.technet.microsoft.com/Forums/en-US/44120884-8c09-44a1-ab50-90574fe210b9/suspicious-event-log-event-id-4905?forum=winserversecurity

Hi,

Windows logs this event, when an application calls AuthzUnregisterSecurityEventSource and thus provides an audit trail of applications that report custom security events. It is normal to see this event logged for several built-in components of Windows including IIS and DFS-R.

Then please see here:
http://www.sevenforums.com/system-security/194890-unauthorized-access-help-interpreting-event-viewer.html
And this post:
http://www.sevenforums.com/system-security/194890-unauthorized-access-help-interpreting-event-viewer.html#post1638499

So, from what I gather, it is possible that your computer might be logging on to make shadow volume copies.


The last events before the last three crashes involved DCOM TrustedInstaller coming on, followed by Windows Modules Installer.
Is there an error showing with that? 1053?

How did the sfc scan go?
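
Added example (not part of any post in this thread): a PowerShell version of the Event Viewer check discussed above. It lists Critical and Error entries from the System log, then the 4648/4624/4672 logon events and 4904/4905 audit-source events from the Security log with their logon type and requesting process. The seven-day window is an assumption; the field names are those Windows records in these events.

```powershell
# Added example. Run from an elevated PowerShell prompt (the Security log needs admin rights).
$start = (Get-Date).AddDays(-7)   # assumed window; set it to cover the freezes and reboots

# Logon type numbers recorded in event 4624
$logonTypes = @{ '2' = 'Interactive'; '3' = 'Network'; '4' = 'Batch'; '5' = 'Service';
                 '7' = 'Unlock'; '10' = 'RemoteInteractive'; '11' = 'CachedInteractive' }

# Critical (level 1) and Error (level 2) entries from the System log
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 1, 2; StartTime = $start } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, Id, LevelDisplayName, ProviderName -AutoSize

# The logon and audit-source events mentioned in the thread
$filter = @{ LogName = 'Security'; Id = 4648, 4624, 4672, 4904, 4905; StartTime = $start }
$rows = foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    # Collect the event's named data fields into a lookup table
    $data = @{}
    foreach ($node in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }
    # 4624/4648 name the account in TargetUserName; 4672/4904/4905 in SubjectUserName
    $account = $data['TargetUserName']
    if (-not $account) { $account = $data['SubjectUserName'] }
    # Append a readable label to the numeric logon type where one is known
    $type = $data['LogonType']
    if ($type -and $logonTypes.ContainsKey($type)) { $type = "$type ($($logonTypes[$type]))" }
    New-Object PSObject -Property @{
        Time = $e.TimeCreated; Id = $e.Id; Account = $account
        LogonType = $type; Process = $data['ProcessName']; Source = $data['AuditSourceName']
    }
}
$rows | Sort-Object Time | Format-Table Time, Id, Account, LogonType, Process, Source -AutoSize
```

Logon type 5 (Service) entries are Windows starting a service, while type 2 or 10 entries at times nobody was at the machine are the ones worth a closer look.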

kathologist
2015-09-11, 23:35
My new Win10 HP laptop: new install of SBot never completing whitelist function, and preventing me from closing it and starting it up at another MORE CONVENIENT time. It must be starting over in an endless loop. How do I safely shut down Sbot and find the files it's choking on?