Odd Behavior - Virus/Malware?

Discussion in 'ESET NOD32 Antivirus' started by EdP, Aug 30, 2010.

Thread Status:
Not open for further replies.
  1. EdP

    EdP Registered Member

    Joined:
    Mar 18, 2004
    Posts:
    83
    Dell Precision T3400; Win XP Pro SP3; NOD32

Using both Firefox and IE7, sites appeared as blank pages even though the correct URL showed in the Location Bar and the Status Bar. My home page is a resident HTML file with links to often used sites - this page displayed properly when either browser was opened.

    Ran the IE connection diagnostic program which suggested a problem with my firewall (Comodo 3.14) which made me notice that its GUI link was not in the tray. Process Explorer showed cmdagent running, but cfp.exe was missing from the Comodo program folder.
    NOD32's GUI, egui.exe, was also missing from the tray, but ekrn.exe was running okay.

    Opened Control Panel to check a few things - nothing could be invoked because rundll32.exe was missing.

    After a System Restore, FF and IE were able to display web pages.
    Copied rundll32 from the system32\dllcache folder to the system32 folder. Control Panel apps opened okay.

    Ran NOD32 full scan from the GUI interface as well as in Safe Mode from the command line. No problems found.
    MBAM reported no errors.
    SAS cannot start because of buffer overrun error.
    Panda online scan wasn't able to even start downloading after 45 minutes
    Cannot link to McAfee.com for online scan

    Copied Comodo's cfp.exe and ESET's egui.exe from backup folders and put a shortcut to egui.exe in the Startup folder. On startup, ESET displays "Error communicating with kernel". According to ESET site, it's a Trojan and ESETIRCBotANRCleaner.exe can fix it, but it didn't ... twice.

    If it's the Trojan ESET says it might be ("Win32/IRCBot.ANR is a trojan which modifies the behavior of network routers"), I don't have the foggiest idea what my PC is sending or what it's being used for.

    Any suggestions?

    Thanks,
    EdP
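One defensive check that follows from the symptoms in the post above (rundll32.exe gone from System32 but still present in dllcache; egui.exe and cfp.exe gone from their program folders while their kernel services kept running) is to compare each expected binary against a known-good copy and report what is missing or altered. This is an added example, not code from the thread or from ESET or Comodo; the file names come from the thread, while the directory layout and file contents built in demo_report() are constructed sample data.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_files(pairs):
    """pairs: iterable of (label, live_path, backup_path).
    Returns {label: status} with status one of
    'ok', 'missing', 'mismatch', 'no_backup'.
    A 'mismatch' is a lead, not proof of infection: a legitimate update can
    also leave the live copy newer than the backup, so verify before acting."""
    report = {}
    for label, live, backup in pairs:
        if not os.path.isfile(live):
            report[label] = "missing"          # e.g. rundll32.exe deleted
        elif not os.path.isfile(backup):
            report[label] = "no_backup"        # nothing to compare against
        elif sha256_of(live) != sha256_of(backup):
            report[label] = "mismatch"         # replaced or patched on disk
        else:
            report[label] = "ok"
    return report


def demo_report():
    """Constructed layout: one intact file, one deleted, one altered, one
    with no backup copy. Returns the report so the outcome can be checked."""
    root = tempfile.mkdtemp()
    live, bak = os.path.join(root, "system32"), os.path.join(root, "dllcache")
    os.makedirs(live)
    os.makedirs(bak)

    def put(d, name, data):
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)

    put(bak, "rundll32.exe", b"MZ-rundll32")
    put(live, "rundll32.exe", b"MZ-rundll32")   # intact
    put(bak, "egui.exe", b"MZ-egui")            # live copy deleted
    put(bak, "cfp.exe", b"MZ-cfp")
    put(live, "cfp.exe", b"MZ-cfp-altered")     # live copy differs
    put(live, "ekrn.exe", b"MZ-ekrn")           # no backup to compare
    names = ("rundll32.exe", "egui.exe", "cfp.exe", "ekrn.exe")
    return check_files((n, os.path.join(live, n), os.path.join(bak, n)) for n in names)
```

On a real XP system the pairs would point at %SystemRoot%\system32 and its dllcache subfolder (or an offline backup) instead of the temporary directories the demo builds.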
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    Check the Event Viewer logs for errors; it might offer more clues. Remove and reinstall Comodo (I would go for the latest version, 4) and remove and reinstall NOD32 again using the latest version.
     
  3. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Try scanning with Hitman Pro.
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    I'd suggest submitting a SysInspector log to an ESET representative who will assist you in analyzing it and removing potential malware.
     
  5. EdP

    EdP Registered Member

    Joined:
    Mar 18, 2004
    Posts:
    83
    Thank you all for the quick response to my post.

    I decided to contact ESET before I started reinstalling apps. They requested a scan log as well as the Sysinspector log as Marcos mentioned.

    I created and emailed the requested data - let's see what happens.

    Thanks again,
    EdP
     
  6. EdP

    EdP Registered Member

    Joined:
    Mar 18, 2004
    Posts:
    83
    The ESET scan and Sysinspector logs came up clean.

    Seventeen days have passed while I attempted to fix each problem individually thinking it was caused by a single piece of malware. I updated and ran MBAM and NOD32 several times, but neither found anything. SAS Pro still would not run because of that buffer overrun in the SAS executable. I wasn't able to reinstall it either.

    After all these days of tinkering and "fixing" a single problem at a time, SAS was finally able to update and run successfully yesterday, but I sure don't know why. It found 1,403 file threats in 38 Adware, 54 Trojan, 57 Malware, 207 Rogue, 15 Rootkit, three Dialer, and one keylogger categories!!!

    All this from one infection? And why couldn't MBAM or NOD32 find them?

    Everything seems to be working okay now*. I ran SAS twice since it cleaned the PC and it came up empty both times.

    EdP

    * Except an old sporadic boot problem has returned - "invalid work queue item". :doubt:
     
  7. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    If SAS did find ALL that, then I would just go for a format of your HD.
    Since cleaning out that much malware doesn't always go well, and you might have more that SAS has missed.

    And yes, it's really, really strange indeed that NOD32 didn't react to any of those 1,403 pieces of malware!!! :blink:
     
  8. EdP

    EdP Registered Member

    Joined:
    Mar 18, 2004
    Posts:
    83
    Swex ...

    My primary physical drive has four partitions. At one point during this mess, I decided to restore an image of the C partition even though it was a few weeks old. I use Acronis True Image Ver. 8 (yes, I know it's old) whose User Guide recommends doing this in Windows.

    When it reported that the partition to be restored was in use (surprise!), it rebooted and ran outside of Windows. In that mode, it reported that no hard drives could be detected.
    Wunnerful.

    EdP
     
  9. Rmuffler

    Rmuffler Former Eset Moderator

    Joined:
    Jun 26, 2008
    Posts:
    1,000
    Location:
    Bismarck, ND USA
    Hello EdP,

    Do you still need assistance and do you have a case number?

    Thank you,
    Richard
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
  11. EdP

    EdP Registered Member

    Joined:
    Mar 18, 2004
    Posts:
    83
    Rmuffler & Marcos ...

    Thanks for following up with me.

    Along with a case number ESET's email to me advised me to uninstall ESET using their tool and to uninstall Comodo, then to reinstall both, which I did.

    Soon after it appeared that everything was okay so I wrote back telling them, but it turns out that it's not so.

    Unfortunately, I still have the recurring problem of a blocked network connection, i.e., I cannot access the 'net, my other computer, or my wireless printer. After a couple of days, the PC will boot with complete access. Yesterday and this morning, I have access, but there's no telling when it will end or for how long.

    Not sure if I mentioned this, but when I do have access, Windows update can download updates for my PC, but the install fails for every update (9).

    In the meantime, I posted the problem at bleepingcomputer where I'm hopeful someone can diagnose the logs they requested. That was yesterday morning and since then that forum has received dozens of posts requesting help. It's a very busy place, so I'm not sure my problem will be looked at soon.

    Thanks,
    EdP
    Marcos - thanks for the link to ESET's online scanner. I think I may have used that a couple of weeks ago, but I'll try it anyway.
     
  12. Nerimash

    Nerimash Registered Member

    Joined:
    Apr 14, 2009
    Posts:
    86
    Location:
    Ukraine
    Did you try the Kaspersky Malware Removal Tool?
     
  13. EdP

    EdP Registered Member

    Joined:
    Mar 18, 2004
    Posts:
    83
    > Did you try the Kaspersky Malware Removal Tool?

    I tried a few days ago, but their site indicated that the online scanner was currently unavailable. The link you provided offered an executable to download which I am doing.

    Let's see what that finds.
    Thanks
    EdP
     
  14. Nerimash

    Nerimash Registered Member

    Joined:
    Apr 14, 2009
    Posts:
    86
    Location:
    Ukraine
    The online scanner is a Java app which only scans but does not remove threats (if they're found on the targeted system). To remove any infection you need to download and execute AVPTool, which I posted above.

    Anyway, if you need further help then you need to use the 'Manual disinfection' option in AVPTool and PM me with the complete log.
     
  15. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429