[Inactive] Infected With TDSS Rootkit

[Hoov]

Setup programs for some malware scanners do popup as infected to other scanners. That appears to be what you saw with this scan. Are you still having any other problems at all?

[soupman]

Have not really had any other problems. For the most part it has been running really well, except for kind of a funky restart last week and a total lockup today. When I tried start>turn off computer>restart(or turn off) I got no response. After a hard reboot it's ok so far. Otherwise has been real good.

I ran the boot scan again and let it finish this time...

09/01/2011 16:40
Scan of all local drives

File C:\Program Files\EarthLink Setup\Windows\access\SpywareBlocker.msi|>Data1.cab|>ElShowSpyAbout.exe|>[UPX] is infected by Win32:Malware-gen
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP106\A0015460.msi|>Data1.cab|>ElShowSpyAbout.exe|>[UPX] is infected by Win32:Malware-gen
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP68\A0012240.exe|>animation\insertpaper.gif Error 42125 {ZIP archive is corrupted.}
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP68\A0012240.exe|>animation\parallelcord.gif Error 42125 {ZIP archive is corrupted.}
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP68\A0012240.exe|>animation\powercord.gif Error 42125 {ZIP archive is corrupted.}
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP68\A0012240.exe|>animation\prepink.gif Error 42125 {ZIP archive is corrupted.}
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP68\A0012240.exe|>animation\usbcord.gif Error 42125 {ZIP archive is corrupted.}
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP68\A0012240.exe|>images\printer_image_faded.jpg Error 42125 {ZIP archive is corrupted.}
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP68\A0012240.exe|>images\tw_buttonslights.jpg Error 42125 {ZIP archive is corrupted.}
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}
\RP68\A0012240.exe|>images\tw_singleenvelope.jpg Error 42125 {ZIP archive is corrupted.}
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP68\A0012240.exe|>images\tw_transparencies.jpg Error 42125 {ZIP archive is corrupted.}
Number of searched folders: 9930
Number of tested files: 462407
Number of infected files: 2

I sent you my last boot scan in my Reply #99 and we addressed all that successfully. This is all new.

[Hoov]

Please do a search on your drive for ElShowSpyAbout.exe and tell me what folder it lives in. The zip archives being corrupted could be false, and the first line is probably another false positive. Both problems appear to be using the UPX file compression utility, so they are probably both false positives. As for the two problems with startup, they happen occasionally to everyone.

Let me know about that file, but it sounds like we are all done, unless you have any other questions, or concerns.

[soupman]

Search says it doesn't live anywhere. No file by that name.

Are false positives common in boot scans? I'm not used to running them. Have only run it twice since I got Avast (and it gave me the option) and both have turned up the stuff you've seen.

All other scans still coming up clean.

Had one more lockup. It's comforting to know they happen occasionally to all but they're the first for me since you fixed me all up.

[Hoov]

False positives are not real common, but common enough so that they are not unusual. The file I asked about is actually in the file SpywareBlocker.msi. I was hoping that it was part of an installed program that it would show up. Are you connecting thru Earthlink?

The last lockup that you had, did it last long? Did you have to reboot? Do you remember what you had running that does not start with windows?

[Hoov]

soupman, still with me?

[soupman]

I have never been connected thru Earthlink. I've always had a cable connection. In add/remove programs it has "Earthlink setup files" with no size. In program files there is an Earthlink setup folder with all the goodies in it. I believe it was pre-installed when I bought the machine. Any reason why I shouldn't remove it?

Have had no more lockups since last post. To answer your question, it just stopped both times. My normal two programs and three tabs and they just froze. Let it sit for awhile to see if would catch up with itself but it didn't. If I remember correctly, Ctrl>Alt>Delete said not responding but would not shut down. Mouse still worked but couldn't make anybody go. Had to shut it down and restart.

I don't believe I had anything running that doesn't start with windows although I have to admit I'm a little foggy on what an example of that would be.

Scans are coming up clean.

[Hoov]

The Earthlink items, if you are not using them, I would give them a punt. Also, and I am assuming that you have not done so, go thru the Add / remove programs list and uninstall anything you are absolutely sure you are not using. If you don't know what it is, or if you use it go ahead and ask. This is the drawback to buying systems that are preconfigured. They come with a boatload of software that will never get used.

As for the lockup, it is very possible that there was no real cause. It happens to everyone occasionally, just as everyone occasionally gets a BSOD.  As long as it only happens a couple times a year, there is no need to worry about it. If it happens every day, there is something wrong.

How has the computer been running?

[soupman]

The computer has been fine, other than what I've described.

New glitch...was away for a few hours, with normal things open on the machine, and when I came back Firefox had gone into safemode (by itself). That's new.

What is not new is that I closed everything and tried to restart but start>turn off computer>restart was unresponsive. Had to shut it off to restart and back to normal today, so far. Other than when I reported the same thing to you on Sept 6, I don't remember ever having seen this before.

Deleted Earthlink and a monster, preloaded Quickbooks program (600 mg) and am working on a list of questions for you.

Thanks for the help, Hoov.

[Hoov]

Do you have your computer to go to sleep or hibernate when you walk away from the machine?

As for the FireFox problem, I am not sure how that is happening, because to get into safe mode you actually have to click a button. Does Firefox start in safe mode if you just click the shortcut?

[soupman]

Yes, have had it set to hibernate after 2 hours for years and never been a problem.

According to Firefox Help, the only ways to get into safe mode are two step processes which I know I didn't do. Is there a "shortcut" they don't mention?.

Had a third lockup right after my last post to you.
1. Shortly thereafter, Firefox had me install an update that it said was to address "stability issues".
2. I read the standard instructions you guys have given to other posters, when first using Ccleaner, and realized I had never done it that way. So I checked all the stuff I'd never checked before and ran it.
3. Reviewed basic hd maintenance and realized that IF I had ever run the "error checking" (chkdsk) function from My Computer, it had been many years. Ran it to completion. (It took eight hours.)

Performance is noticeably better and no stability issues in last 48 hours. Wadayathink?
 

[Hoov]

Well I had not thought of that, you said that you had run ccleaner, so I figured all was well on that front, and I would not have thought of running chkdsk, as your problems seemed to come and go.

When was the last time you ran a defragmentation routine on your harddrives?

[soupman]

That was my next step. I have run defrag in the past but not for quite awhile. It has always worked fine.

This time analyze said, yes, time to defrag. Got to about 20%+ and quit. Defrag screen went to greyed out with no error message. I had nothing else open. Closed out of defrag and found myself in the same situation I've been describing. Mouse works but all else on the desktop is more or less unresponsive. Had to shut down. Again, I can get to restart but it won't go.

Googled this and found lots about defrag stopping, slowing or freezing but nothing about going to a greyed out, default defrag screen.   

I have lots of free space and there were no power problems. I thought I'd run this by you before I tried it again.

[Hoov]

Try rebooting windows cleanly using the instructions below, and then running the defrag that way.

I need you to reboot windows cleanly. To do that please go to the run command and type in msconfig . Once that starts, select selective startup, and then uncheck the load startup items. Now click on the services tab, and down near the bottom of the window, check the box that says Hide all Microsoft Services now go up and uncheck all the services still listed, make sure you scroll down the list if need to unselect all the non Microsoft services. Now click apply, then click OK and reboot the computer.

Once you are done running the defragmentation routine, run msconfig and select normal startup then click apply then OK and reboot the computer.

Let me know how that goes.

[Hoov]

soupman, do you still need help?