2 strange issues

Discussion in 'ESET NOD32 Antivirus' started by iShiftyKient, Jul 9, 2010.

Thread Status:
Not open for further replies.
  1. iShiftyKient

    iShiftyKient Registered Member

    Joined:
    Jul 9, 2010
    Posts:
    16
    Location:
    Australia
    Well, I just bought and installed ESET NOD32 Antivirus earlier today. It seems like a great AV compared to my previous one [Symantec AV]. OK, my first question is:

    1) Every time I browse anything on Google (literally anything typed, e.g. '125456' or 'you tube') (tested with both Firefox and IE8), it always says something about an IP address being blocked, with a long name consisting of numbers and letters. Is this completely normal? If not, what can I do to get around this? :\

    I wasn't sure where to post this issue, since I'm new to these forums :(

    2) Just a few hours after I installed ESET NOD32 Antivirus, my keyboard doesn't seem to work (except the keys above the Esc to F12 row, which are search, play, pause, stop, fast forward, rewind, vol + and -, and mute). When I have a look at Keyboard Properties, it shows this: "Windows cannot load the device driver for this hardware because a previous instance of the device driver is still in memory. (Code 38)

    Click Troubleshoot to start the troubleshooter for this device."


    I've already followed the troubleshooter, restarted the computer numerous times and tested the same keyboard on another computer, which it works fine on.

    Now I'm currently using the on-screen keyboard to type this thread, sadly :(

    Anyone have a solution to either of my problems? Please help :)
     
  2. nonoise

    nonoise Registered Member

    Joined:
    Jun 6, 2008
    Posts:
    322
    I don't think those issues are related to NOD32. Did you uninstall Symantec before installing NOD32? Run their uninstall tool anyway.
     
  3. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Hello and welcome to Wilders:)

    Regarding issue 1.
    It does sound similar to the issue in this thread, if it is indeed a LONG line of letters and numbers.
    https://www.wilderssecurity.com/showthread.php?t=276745
    Look at the image in the thread and tell us if the long line of letters/numbers looks similar.
     
  4. iShiftyKient

    iShiftyKient Registered Member

    Joined:
    Jul 9, 2010
    Posts:
    16
    Location:
    Australia
    Yes, I uninstalled Symantec AV before installing ESET NOD32 Antivirus.

    So should I still use that removal tool anyway?
     
  5. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    No

    Then you will need to uninstall NOD32, install Norton, use the Uninstall Tool for Norton, then re-install NOD32 again.

    Did you check the image in the other thread as I mentioned?
     
  6. iShiftyKient

    iShiftyKient Registered Member

    Joined:
    Jul 9, 2010
    Posts:
    16
    Location:
    Australia
  7. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Hmm.. I did a Google search on the IP shown in your pics, and the search showed that some users had seen this before, in posts over at the Mbam forum for example. That led to the user doing a scan with Mbam (Malwarebytes), which said that the user was infected.

    So I strongly recommend that you download Malwarebytes and run a quick scan, and tell us the result please.
     
    Last edited: Jul 9, 2010
  8. iShiftyKient

    iShiftyKient Registered Member

    Joined:
    Jul 9, 2010
    Posts:
    16
    Location:
    Australia
    OK, I'll go download it ASAP and post the results.

    Meanwhile, anyone got a solution for my keyboard? I hate using the on-screen keyboard ><
     
    Last edited: Jul 9, 2010
  9. iShiftyKient

    iShiftyKient Registered Member

    Joined:
    Jul 9, 2010
    Posts:
    16
    Location:
    Australia
    Finished the Malwarebytes' Anti-Malware full scan; the results were:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4296

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 8.0.6001.18702

    10/07/2010 12:52:26 AM
    mbam-log-2010-07-10 (00-52-26).txt

    Scan type: Full scan (A:\|C:\|D:\|E:\|)
    Objects scanned: 175979
    Time elapsed: 21 minute(s), 59 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)



    Now what do I do? :\
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    You are infected with Olmarik. The most effective way of removing rootkits is by booting from clean media and running a full system scan with the on-demand scanner. You can either create a rescue CD or slave the disk and use ecls to perform a scan.
     
  11. iShiftyKient

    iShiftyKient Registered Member

    Joined:
    Jul 9, 2010
    Posts:
    16
    Location:
    Australia

    Marcos, how exactly do I do those steps - I'm still new to ESET NOD32 Antivirus :(
     
  12. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
  13. iShiftyKient

    iShiftyKient Registered Member

    Joined:
    Jul 9, 2010
    Posts:
    16
    Location:
    Australia
    I ran that removal tool; it said 'Win32/Olmarik was not found on your system'?

    Edit: I just woke up and restarted the computer, and the ESET popup isn't showing anymore. Thanks everyone :)


    Still need help with issue 2 at the moment... Can anyone confirm whether my 2nd issue is ESET related or not? Would really appreciate it!
     
    Last edited: Jul 9, 2010
  14. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Hi again.

    Well, it's quite weird that the infection is just gone like that :doubt:

    I would advise you to do a scan with Hitman Pro,
    which is a cloud-based antimalware application that includes 6 AV engines.

    So please do a scan with Hitman Pro just to see if any of the 6 engines picks something up. If not, then you are probably safe; it's better to be sure, you know ;)

    Download Hitman Pro here: -http://download.cnet.com/Hitman-Pro-3/3000-2239_4-10895604.html-
     
  15. iShiftyKient

    iShiftyKient Registered Member

    Joined:
    Jul 9, 2010
    Posts:
    16
    Location:
    Australia
    Hey SweX,

    I'll give Hitman Pro a go tomorrow; I don't have time to download it and run a scan tonight (tired as anything).

    Thanks for the post. Appreciate it. :)
     
  16. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Great to hear that you will give Hitman Pro a run.
    Well, sweet dreams then; let's see the HMP results tomorrow ;)

    And you are most welcome, since we are all here to help and learn from each other :)
     
    Last edited: Jul 10, 2010
  17. iShiftyKient

    iShiftyKient Registered Member

    Joined:
    Jul 9, 2010
    Posts:
    16
    Location:
    Australia
    OK, I've run Hitman Pro and it found a few results, as shown:

    <Log computer="RAVI-872EE720DB" scan="EWS" version="3.5.6.106" date="2010-07-11T14:47:36" timeSpentInSecs="127" filesProcessed="15792">
      <Item type="Repair" score="0.0" status="None">
        <File path="$tdl3.sticky" />
      </Item>
      <Item type="Repair" score="0.0" status="DeleteFailed">
        <File path="C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[6].txt" />
      </Item>
      <Item type="Repair" score="0.0" status="DeleteFailed">
        <File path="C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[8].txt" />
      </Item>
      <Item type="Repair" score="0.0" status="DeleteFailed">
        <File path="C:\Documents and Settings\Owner\Cookies\owner@atdmt[10].txt" />
      </Item>
      <Item type="Repair" score="0.0" status="DeleteFailed">
        <File path="C:\Documents and Settings\Owner\Cookies\owner@atdmt[9].txt" />
      </Item>
      <Item type="Repair" score="0.0" status="DeleteFailed">
        <File path="C:\Documents and Settings\Owner\Cookies\owner@bs.serving-sys[5].txt" />
      </Item>
      <Item type="Repair" score="0.0" status="DeleteFailed">
        <File path="C:\Documents and Settings\Owner\Cookies\owner@bs.serving-sys[6].txt" />
      </Item>
      <Item type="Repair" score="0.0" status="DeleteFailed">
        <File path="C:\Documents and Settings\Owner\Cookies\owner@CA7SGFIJ.txt" />
      </Item>
      <Item type="Repair" score="0.0" status="DeleteFailed">
        <File path="C:\Documents and Settings\Owner\Cookies\owner@CAA8EMKY.txt" />
      </Item>
      <Item type="Repair" score="0.0" status="DeleteFailed">
        <File path="C:\Documents and Settings\Owner\Cookies\owner@CAACOPBG.txt" />
      </Item>
      <Item type="Repair" score="0.0" status="DeleteFailed">
        <File path="C:\Documents and Settings\Owner\Cookies\owner@CAR24VJE.txt" />
      </Item>
      <Item type="Repair" score="0.0" status="DeleteFailed">
        <File path="C:\Documents and Settings\Owner\Cookies\owner@CAWHAHC3.txt" />
      </Item>
      <Item type="Repair" score="0.0" status="DeleteFailed">
        <File path="C:\Documents and Settings\Owner\Cookies\owner@CAWZGNAF.txt" />
      </Item>
      <Item type="Repair" score="0.0" status="DeleteFailed">
        <File path="C:\Documents and Settings\Owner\Cookies\owner@content.yieldmanager[6].txt" />
      </Item>
      <Item type="Repair" score="0.0" status="DeleteFailed">
        <File path="C:\Documents and Settings\Owner\Cookies\owner@serving-sys[11].txt" />
      </Item>
      <Item type="Repair" score="0.0" status="DeleteFailed">
        <File path="C:\Documents and Settings\Owner\Cookies\owner@serving-sys[9].txt" />
      </Item>
      <Item type="Repair" score="0.0" status="DeleteFailed">
        <File path="C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[3].txt" />
      </Item>
      <Item type="Suspicious" score="23.0" status="None">
        <File path="C:\Program Files\Garena\Garena.exe" hash="ACA41FB5B403F224006DBEB99CCC08E7200582F4F2D5B6495CA330F0A4CCB3D5" />
        <Startup>
          <Key path="HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Garena\Garena.exe" />
        </Startup>
        <References>
          <File path="C:\Documents and Settings\Owner\Desktop\All Games\Garena.lnk" />
          <File path="C:\Documents and Settings\Owner\Start Menu\Programs\Garena\Garena.lnk" />
          <Key path="HKU\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Program Files\Garena\Garena.exe" />
          <Key path="HKU\S-1-5-18\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Program Files\Garena\Garena.exe" />
        </References>
      </Item>
      <Item type="Suspicious" score="48.0" status="None">
        <File path="C:\WINDOWS\system32\DRIVERS\kbdhid.sys" hash="09491907029C3CB72CB27E17B2AB83DE4FEA99D03F6F24702D7A8B91B7872BCC" />
        <Startup>
          <Key path="HKLM\SYSTEM\CurrentControlSet\Services\kbdhid\" />
        </Startup>
      </Item>
      <Item type="Suspicious" score="33.0" status="None">
        <File path="C:\WINDOWS\system32\msinet.ocx" hash="7A5D170D7DB383DA5E6EABE2F92502E0FC988F1A42751F3F1DAB04584153EF44" />
      </Item>
    </Log>
     
  18. Nerimash

    Nerimash Registered Member

    Joined:
    Apr 14, 2009
    Posts:
    86
    Location:
    Ukraine
    I'm not sure, but it sounds like you got infected with the Win32/Olmarik rootkit. This is a very nasty piece of malicious code. You should read this ESET KB article. If you find that this thing is not applicable to you, then I would advise you to use:
    1. Rootkit.Win32.TDSS Killer - -http://support.kaspersky.com/downloads/utils/tdsskiller.zip-
    2. Download and run the Kaspersky Virus Removal Tool.
     
    Last edited by a moderator: Jul 11, 2010
  19. iShiftyKient

    iShiftyKient Registered Member

    Joined:
    Jul 9, 2010
    Posts:
    16
    Location:
    Australia
    Late reply.. Mum was using the computer.

    Anyway, thanks for all the help guys. I ran Hitman Pro a second time, but this time used the 30-day free license option to remove all found threats. Funnily enough, it picked up a malicious driver on my computer that was crippling my keyboard (which is working properly now thanks to this), and the ESET IP-blocked pop-ups are gone now. Thanks to everyone for the help you guys provided me. =D
     
  20. Nerimash

    Nerimash Registered Member

    Joined:
    Apr 14, 2009
    Posts:
    86
    Location:
    Ukraine
    That's great. Can you send me (via PM) the removed driver (kbdhid.sys)? ;)
     
  21. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    G'day!

    Great that Hitman Pro worked and found some nasties, as I thought it would.
    Also good that HMP was able to fix your infected keyboard driver. :cool:

    Take care mate, and if you get any more issues further down the road just start a thread here at Wilders :thumb:
     