2 strange issues

Well, I've just bought+installed my ESET NOD32 Antivirus earlier today. Seems like a great AV compared to my previous one [symantec AV] OK, my first question is:

1) Every time I browse anything on Google (literally anything typed e.g. '125456' or 'you tube') (tested with both Firefox + ie8 ), It always says something about an ip address blocked with a long name consisting of numbers+letters. Is this completely normal? If not,what can I do to gt around this? :\

I wasn't sure where to post this issue, since i'm new to these forums
2) Just a few hours after I installed ESET NOD32 Antivirus, my keyboard doesn't seem to work (except the keys above the esc - f12 row,which are search, play, pause, stop, fast forward, rewind,vol + and -, mute). When I have a look at keyboard properties,It shows this: "Windows cannot load the device driver for this hardware because a previous instance of the device driver is still in memory. (Code 38 )

Click Troubleshoot to start the troubleshooter for this device."


I've already followed troubleshoot, restarted comp numerous times & tested the same keyboard on another comp - which works fine on?

Now i'm currently using onscreen keyboard to type this thread sadly

Anyone have a solution to either of my problems?? Please help

 

i dont think those issues are related to nod32. did you uninstall symantec before installing nod32? run their uninstall tool anyway

 

Hello and welcome to Wilders

Regarding issue 1.
It does sound similar like the issue in this thread if it indeed is a LONG line of letters and numbers.
https://www.wilderssecurity.com/showthread.php?t=276745
Look at the image in the thread and tell us if the long line of letters/numbers looks similar?

 

Yes, I've uninstalled symantec AV before installing ESET NOD32 Antivirus.

So I should still use that removal tool anyway?

 

No

Then you will need to uninstall Nod32, install Norton use the Uninstall Tool for Norton, then re-install Nod32 again.

Did you check the image in the other thread as I mentioned?

 

Thankyou, SweX

Sometimes it can be as long as the pic you posted. Here is a screen shot of some test searches i've done:

http://i1040.photobucket.com/albums/b409/joshaye/screen3.gif

http://i1040.photobucket.com/albums/b409/joshaye/screen1.gif

http://i1040.photobucket.com/albums/b409/joshaye/screen2.gif

 

Hmm.. I made a Google search on the IP shown in your pics, and the search showed some users had seen this before in posts over at the Mbam forum for example. Wich led to that the user made a scan with Mbam (Malwarebytes) wich said that the user was infected.

So I strongly recommend you to download Malwarebytes and run a quick scan, and tell us the result please.

 

OK, I'll go download it asap and post results.

Meanwhile, anyone got a solution for my keyboard?? I hate using on-screen keyboard ><

 

Finished Malwarebytes' Anti-Malware full scan, results were:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4296

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

10/07/2010 12:52:26 AM
mbam-log-2010-07-10 (00-52-26).txt

Scan type: Full scan (A:\|C:\|D:\|E:\|)
Objects scanned: 175979
Time elapsed: 21 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Now what do I do? :\

 

You are infected with Olmarik. The most effective way for removing rootkits is by booting from a clean media and running a full system scan with the on-demand scanner. You can either create a rescue cd or slave the disk and use ecls to perform a scan.

 

Marcos, how exactly do I do those steps - I'm still new to ESET NOD32 Antivirus

 

Malwarebystes scored zero unfortunately.

Now you can do as Marcos said.
Or you can try this removal tool first:
https://www.wilderssecurity.com/showpost.php?p=1709284&postcount=3

 

I ran that removal tool, it said 'Win32/Olmarik was not found on your system?

Edit: I just woke up & restarted comp, the eset popup isn't showing anymore, thanks everyone


Still need help with issue 2 at the moment... Can anyone confirm if my 2nd issue is eset related or not?would really appreciate it!

 

Hi again.

Well it's quite weird that the infection is just gone like that

I would advise you to make a scan with Hitman Pro.
Wich is a cloud based antimalware application, wich includes 6 AV engines.

So please make a scan with Hitman Pro just to see if any of the 6 engines picks something up. If not then you are probably safe, it's better to be sure you know

Download Hitman Pro here: -http://download.cnet.com/Hitman-Pro-3/3000-2239_4-10895604.html-

 

Hey SweX,

I'll give that Hitman Pro ago tomorrow, i don't got time to download+run a scan tonight (tired as anything)

Thanks for the post. Appreciate it.

 

Great to hear that you will give Hitman Pro a run.
Well sweet dreams then, let's see the HMP results tomorrow

And you are most welcome since we are all here to help and learn from each other

 

OK, i've ran Hitman-Pro & found a few results as shown:




- <Log computer="RAVI-872EE720DB" scan="EWS" version="3.5.6.106" date="2010-07-11T14:47:36" timeSpentInSecs="127" filesProcessed="15792">
- <Item type="Repair" score="0.0" status="None">
<File path="$tdl3.sticky" />
</Item>
- <Item type="Repair" score="0.0" status="DeleteFailed">
<File path="C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[6].txt" />
</Item>
- <Item type="Repair" score="0.0" status="DeleteFailed">
<File path="C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[8].txt" />
</Item>
- <Item type="Repair" score="0.0" status="DeleteFailed">
<File path="C:\Documents and Settings\Owner\Cookies\owner@atdmt[10].txt" />
</Item>
- <Item type="Repair" score="0.0" status="DeleteFailed">
<File path="C:\Documents and Settings\Owner\Cookies\owner@atdmt[9].txt" />
</Item>
- <Item type="Repair" score="0.0" status="DeleteFailed">
<File path="C:\Documents and Settings\Owner\Cookies\owner@bs.serving-sys[5].txt" />
</Item>
- <Item type="Repair" score="0.0" status="DeleteFailed">
<File path="C:\Documents and Settings\Owner\Cookies\owner@bs.serving-sys[6].txt" />
</Item>
- <Item type="Repair" score="0.0" status="DeleteFailed">
<File path="C:\Documents and Settings\Owner\Cookies\owner@CA7SGFIJ.txt" />
</Item>
- <Item type="Repair" score="0.0" status="DeleteFailed">
<File path="C:\Documents and Settings\Owner\Cookies\owner@CAA8EMKY.txt" />
</Item>
- <Item type="Repair" score="0.0" status="DeleteFailed">
<File path="C:\Documents and Settings\Owner\Cookies\owner@CAACOPBG.txt" />
</Item>
- <Item type="Repair" score="0.0" status="DeleteFailed">
<File path="C:\Documents and Settings\Owner\Cookies\owner@CAR24VJE.txt" />
</Item>
- <Item type="Repair" score="0.0" status="DeleteFailed">
<File path="C:\Documents and Settings\Owner\Cookies\owner@CAWHAHC3.txt" />
</Item>
- <Item type="Repair" score="0.0" status="DeleteFailed">
<File path="C:\Documents and Settings\Owner\Cookies\owner@CAWZGNAF.txt" />
</Item>
- <Item type="Repair" score="0.0" status="DeleteFailed">
<File path="C:\Documents and Settings\Owner\Cookies\owner@content.yieldmanager[6].txt" />
</Item>
- <Item type="Repair" score="0.0" status="DeleteFailed">
<File path="C:\Documents and Settings\Owner\Cookies\owner@serving-sys[11].txt" />
</Item>
- <Item type="Repair" score="0.0" status="DeleteFailed">
<File path="C:\Documents and Settings\Owner\Cookies\owner@serving-sys[9].txt" />
</Item>
- <Item type="Repair" score="0.0" status="DeleteFailed">
<File path="C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[3].txt" />
</Item>
- <Item type="Suspicious" score="23.0" status="None">
<File path="C:\Program Files\Garena\Garena.exe" hash="ACA41FB5B403F224006DBEB99CCC08E7200582F4F2D5B6495CA330F0A4CCB3D5" />
- <Startup>
<Key path="HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Garena\Garena.exe" />
</Startup>
- <References>
<File path="C:\Documents and Settings\Owner\Desktop\All Games\Garena.lnk" />
<File path="C:\Documents and Settings\Owner\Start Menu\Programs\Garena\Garena.lnk" />
<Key path="HKU\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Program Files\Garena\Garena.exe" />
<Key path="HKU\S-1-5-18\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Program Files\Garena\Garena.exe" />
</References>
</Item>
- <Item type="Suspicious" score="48.0" status="None">
<File path="C:\WINDOWS\system32\DRIVERS\kbdhid.sys" hash="09491907029C3CB72CB27E17B2AB83DE4FEA99D03F6F24702D7A8B91B7872BCC" />
- <Startup>
<Key path="HKLM\SYSTEM\CurrentControlSet\Services\kbdhid\" />
</Startup>
</Item>
- <Item type="Suspicious" score="33.0" status="None">
<File path="C:\WINDOWS\system32\msinet.ocx" hash="7A5D170D7DB383DA5E6EABE2F92502E0FC988F1A42751F3F1DAB04584153EF44" />
</Item>
</Log>

 

I'm not sure but it sounds like you got infected with Win32/Olmarik rootkit. This is a very nasty malicious code. You should read this ESET's KB article. If you will find that this thing is not applicable for you, then I should advice you to use:
1. Rootkit.Win32.TDSS Killer - -http://support.kaspersky.com/downloads/utils/tdsskiller.zip-
2. Download and run Kaspersky Virus Removal Tool.

 

Late reply.. mum was using the computer

Anyways, Thanks for all the help guys, I ran the Hitman-Pro second time, but this time used the 30-day free license option to remove all found threats. Funny enough, it picked up a malicious driver on my computer that was crippling my keyboard from working (which is working properly now thanks to this) & also the ESET IP-Blocked pop-ups are gone now.Thanks to everyone for the help that you guys provided me. =D

 

that's great. Can you provide me(via PM) a removed driver(kbdhid.sys) ?

 

G,day!

Great that Hitman Pro worked and founded some nasties as I thought it would.
Also good that HMP was able to fix your infected Keyboard driver.

Take care mate, and if you get any more issues further down the road just start a thread here at Wilders