Apparent infection or trojan detected

hi,

What I mean is I am still looking for malware on your machine, that is, as the cause of the problems you are having.
Not sure how you would restore the host file from within Dr. Web; there must be a way though. I will look. I know Spybot uses a custom host file and SpywareBlaster may also. It may have moved these host file entries to quarantine.
Why don't you just re-immunize in Spybot and SpywareBlaster for now? I think that would re-apply any entries in the host file that may have been quarantined by Dr. Web.
 
Hi shelf life:
If it's OK with you, I'm placing the host(s) issue on hold for now in favor of working on the primary problem(s).
What is our next logical step?
Regards,
j
 
Let's go back to the GMER log and get two files checked out. See if you can locate both of these .exe files in the C:\WINNT directory. If so, go to this site and browse for the files again on your computer. Upload them to the website using the send button.
You can post the URL for each file after the scan is finished.
C:\WINNT\system32\clipsrv.exe?
C:\WINNT\system32\MSTask.exe?
 
Recent GMER log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-03-28 20:37:21
Windows 5.0.2195 Service Pack 4
Running: 9bp4udkg.exe; Driver: C:\DOCUME~1\v\LOCALS~1\Temp\pfxiipob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINNT\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateKey [0xBEA02810]
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateValueKey [0xBEA02840]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

Device \Driver\Tcpip \Device\Ip OAmon.sys (TDI Helper Driver/Tall Emu)
Device \Driver\Tcpip \Device\Tcp OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

Device \Driver\Tcpip \Device\Udp OAmon.sys (TDI Helper Driver/Tall Emu)
Device \Driver\Tcpip \Device\RawIp OAmon.sys (TDI Helper Driver/Tall Emu)

---- Threads - GMER 1.0.15 ----

Thread System [8:112] 88BA7930

---- Services - GMER 1.0.15 ----

Service C:\WINNT\system32\clipsrv.exe? (*** hidden *** ) [DISABLED] ClipSrv <-- ROOTKIT !!!
Service C:\WINNT\system32\MSTask.exe? (*** hidden *** ) Schedule <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
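The two "Service" lines in that log are what the rest of the thread chases down. As an added example (not code from the thread or from GMER), here is a small parser that pulls such lines into a triage list: it strips the trailing "?" GMER printed after each image path, records the hidden/DISABLED/ROOTKIT markers, and orders the paths hidden-first so the analyst knows which files to locate and hash for a second opinion. The line format is assumed from this log only, and the sample input is constructed from it.

```python
import re
from dataclasses import dataclass

# Constructed sample: the Services section from the GMER 1.0.15 log above
# (format assumed from that log only).
SAMPLE_GMER_LOG = """\
---- Services - GMER 1.0.15 ----

Service C:\\WINNT\\system32\\clipsrv.exe? (*** hidden *** ) [DISABLED] ClipSrv <-- ROOTKIT !!!
Service C:\\WINNT\\system32\\MSTask.exe? (*** hidden *** ) Schedule <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
"""

@dataclass
class ServiceFinding:
    image_path: str      # path with GMER's trailing '?' removed
    name: str            # service name as GMER printed it
    hidden: bool         # '*** hidden ***' marker present
    disabled: bool       # '[DISABLED]' marker present
    rootkit_flag: bool   # '<-- ROOTKIT' marker present

SERVICE_RE = re.compile(
    r"^Service\s+(?P<path>\S+?)\??\s+"          # image path, optional trailing '?'
    r"(?P<hidden>\(\*\*\* hidden \*\*\* \))?\s*"
    r"(?P<disabled>\[DISABLED\])?\s*"
    r"(?P<name>\S+)\s*"
    r"(?P<rootkit><-- ROOTKIT)?"
)

def parse_services(log_text):
    """Return a ServiceFinding for every 'Service' line in the Services section."""
    findings = []
    in_services = False
    for line in log_text.splitlines():
        if line.startswith("---- "):            # section header or EOF marker
            in_services = line.startswith("---- Services")
            continue
        if not in_services or not line.startswith("Service "):
            continue
        m = SERVICE_RE.match(line)
        if m:
            findings.append(ServiceFinding(
                image_path=m.group("path"), name=m.group("name"),
                hidden=bool(m.group("hidden")), disabled=bool(m.group("disabled")),
                rootkit_flag=bool(m.group("rootkit"))))
    return findings

def triage_list(findings):
    """Image paths to locate and hash for a second opinion, hidden entries first."""
    return [f.image_path for f in sorted(findings, key=lambda f: not f.hidden)]
```

Once a file from the list is located on disk, hashing it and comparing against the MD5 shown in the later VirusTotal results confirms the scanned sample is the same binary.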

--------------------------------------------------------------------
___________________________________________________________
Hi,
I've been unable to find the following things using "search for files or folders":
C:\WINNT\system32\clipsrv.exe?
C:\WINNT\system32\MSTask.exe?

I believe that there's another way to search. It's been a long time; I don't recall the correct method.
Regards
 
To show all files, do this, then take a look for them:

1. Double-click "My Computer".
2. Click the "Tools" menu and select "Options".
3. When the "Folder Options" multi-tabbed dialog box appears, select the "View" tab.
4. Uncheck "Hide protected operating system files".
5. Select the "Show hidden files and folders" radio button.
6. Press OK to close the dialog box.
 
Hi shelf life,
Polite reminder: I'm using Windows 2000 professional.
Unless I'm misunderstanding, the instructions you provided may be applicable to another operating system.

Following are pictures of what my "Folder options", "View" area looks like at two different points:

Win-2k_Folder_options_view_1.jpg

Win-2k_Folder_options_view_2.jpg

What's our next logical step?
Regards
 
Forgot to ask

Hi shelf life,
Why would anything be hidden?
Are there any dangers or problems if we change the settings?
 
I guess they are hidden so people don't go messing around with them. Why don't you select SHOWALL, click Apply, then OK, and see what that does?
If that works we can change it all back when done.
 
Hi shelf life:
I followed your instructions.
Here's what I found. (Please note: these files are not an exact match for the file names that you mentioned. As you can see, there's obviously no question mark in their names. I'm not an expert; however, these files that I located appear to be legitimate.)
clipsrv.exe
Internal Name: CLIPSRV.EXE
Company Name: Microsoft Corporation
File version: 5.0.2134.1
Description: Windows NT DDE Server
Type of file: Application
Size: 30.7 KB
Size on disk: 32.0 KB
Created: May 08, 2001
Modified: May 08, 2001
Location: C:\WINNT\system32
Copyright (C) Microsoft Corp. 1981-1999
____________________________________________________________
mstask.exe
Internal Name: TaskScheduler
Company Name: Microsoft Corporation
File version: 4.71.2195.6972
Description: Task Scheduler Engine
Type of file: Application
Size: 119 KB
Size on disk: 120 KB
Created: Tuesday, September 07, 2004, 10:59:06 AM
Modified: Tuesday, September 07, 2004, 10:59:06 AM
Location: C:\WINNT\system32
Copyright (C) Microsoft Corp. 1997
____________________________________________________________
PS: In "Folder Options" > "View", I put the settings back to "NOHIDDEN".
 
OK, thanks for the info. Those files look legit to me. As they were flagged by GMER, you could get them checked out just to be sure, if you want to. You can go here, browse for the files on your computer, then upload them using the send button.
When the scan is done you can post the http:// link for each scan in your reply.

We are not finding any malware as the cause. Maybe it's a conflict between them (TeaTimer, Spybot's Immunize function and SpywareBlaster); I am not really familiar with either one. As an experiment, why don't you try disabling one of them, reboot and see if anything improves.
Other software like SuperAntiSpyware might conflict also. If you see its icon in the system tray then it is running; try disabling its real-time protection component also, if it has one (it may not be included in the free version). If you don't see an icon for it then it has no real-time component that's running; it may only be a feature of the paid version.
In other words, just use one active feature: Spybot, SpywareBlaster or SuperAntiSpyware, and not all 3 at once.
 
Hi shelf life,
Thank you for the timely reply.
I did what you suggested in uploading the two files in question to Virustotal.com.
Following are the results:

Re: clipsrv.exe
File FE1037CA103891207B4900E4A472D6009AFA0FAA.exe
File has already been analysed:
MD5: 804212b6b82354cf4f0c2d567575688a
First received: 2009.06.07 17:07:30 UTC
Date: 2009.06.07 17:07:30 UTC [>300D]
Results: 0/39
Permalink: http://www.virustotal.com/analisis/...a4e774fca086ac0cf47b5a60bd78efa783-1244394450

__________________________________________________
Re: mstask.exe
File has already been analysed:
MD5: b00529eae5d0ce97010b69cc677128c8
First received: 2009.02.26 02:44:29 UTC
Date: 2010.01.24 21:30:19 UTC [>68D]
Results: 0/41
Permalink: http://www.virustotal.com/analisis/...6e2f727675d7c5c1ce020371e634b37800-1264368619
_____________________________________________________________

"SpyBot - Search & Destroy"------> "Tools"------> "Resident"------> "TeaTimer" is checked.
There's also an icon (Near the clock.) on the Taskbar.
_____________________________________________________________
You wrote:
If you dont see a icon for it then it has no real time component thats running.
Please note: I don't see icons for the "SpywareBlaster" or "SuperAntiSpyware" programs on the task bar. Therefore, it appears that these other programs may possibly function via an on-demand-only method (just to run scans when I click on them).
 
Doesn't look like a malware issue. Open up Firefox and change some settings.
I am in Linux running version 3.5.8, but this should be close:

Edit > Preferences (maybe Tools for you), under the Privacy tab:
If you have a check next to 'Clear history when Firefox closes',
click on the Settings button and make sure in the 'Settings for clearing history' dialog,
under Data, that there is no check next to 'Site preferences'.

See attached.
 
Hi shelf life,
I essentially followed your instructions as closely as I could guess how to.
At first glance this has apparently helped or resolved part of the issues. However, I wonder what security holes I've opened up in order to accomplish this partial result.
____________________________________________________________
There appears to be a repeating problem as follows.

SpywareBlaster, Search & Destroy
Restricted Sites Protection
Customize the block list
The following was found unchecked (in red):
"Item name: CoolWebSearch (3650) Address: hotfiles.com"

I checked the box next to: "Item name: CoolWebSearch (3650) Address: hotfiles.com"
Then I clicked on the "Protect Against Checked Items" button.
This appears to be a Temporary fix only. It returns quickly.
I also tried going through SpywareBlaster's "Custom Blocking" section. I tried entering the name of the problem(s); however, I don't have the corresponding CLSID number. I did a search online and there was more than one number mentioned. Which number is the correct number? There was also mention of a program called "CWShredder" Trojan Remover 2.19.

CoolwWebSearch_hotlinkfilescom_issu.jpg

What is the exact CLSID for CoolWebSearch hotfiles.com?
Exactly which website has the exact CLSID numbers?
 
I think you may have tried this already but I will ask again: did you try disabling Spybot's TeaTimer? I may not have posted these instructions. I don't think they should conflict with one another; it's just an experiment. I am not seeing any malware issues as the cause, at least not with the tools we ran.
Also, malware usually presents itself with certain symptoms on a computer. Are you having any signs of malware on the machine? Did you check the SpywareBlaster web site for FAQ/troubleshooting suggestions?

I am not familiar with SpywareBlaster and would suggest you stay with the default settings; use the link 'enable all protection' even though the settings are not staying set that way. Adding your own entries to the list wouldn't do any good without the correct CLSID number, which (I think) identifies ActiveX objects that can be used by web sites to 'interact' with Internet Explorer. I don't know of any way to find the corresponding CLSID.

To disable TeaTimer:
1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left hand side, click on Tools.
4. Then click on the Resident icon in the list.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

Check Spywareblaster for updates and re-enable all protection after the reboot. Cross fingers.
 
Hi shelf life,
I'm in the midst of addressing a local (time sensitive) situation.
I'll return to this thread ASAP.
Thanks again for your understanding.
 
Hi shelf life,
I managed to get a free moment. I accidentally came upon the following malware (see picture) after doing my routine update:

backdoor_Bot.jpg

After seeing the above results, I clicked on "Remove selected" and restarted the computer.
Regards,
J
tryout_06
 