
At Launch Cureit! Causes System (windows 7) To Crash


20 replies in this topic

#1 gnomon

    Newbie

  • Posters
  • 11 posts

Posted 28 June 2010 - 15:35

Hello everybody,

As described in the Topic Title, at launch (from the desktop) CureIt! causes my system to crash (for a couple of days now; ever since I used CureIt! for the first time). I have downloaded the latest version of CureIt! about an hour ago (version 6.00.2.05140, with virus database of 28-06-2010, 06.59 h.), and this problem is still arising.

The only way to run CureIt! properly on my system was, and is, to run it in Windows 7's Safe Mode.

Anybody experiencing the same thing?

This said, it must be said, that CureIt! is of outstanding quality, at least from the moment it can be run properly. Dr.Web's CureIt! was the only anti-virus program that I know of that was capable of killing the nasty BackDoor.Tdss.565 rootkit at my system, in my case, amongst other misbehaviour, preventing me from downloading from Windows Update's server. So, it really "cured it"!

Regards,

gnomon

#2 account has been deleted

    Massive Poster

  • Posters
  • 2 837 posts

Posted 28 June 2010 - 15:44

Need a memory dump.
%SystemRoot%\MEMORY.DMP
www.surfpatrol.ru

#3 gnomon

    Newbie

  • Posters
  • 11 posts

Posted 28 June 2010 - 16:02

No memory.dmp to be found there (not at systemroot nor anywhere else at the system), after having launched CureIt! in Normal Mode from the desktop a couple of minutes ago, and thus having provoked a system crash (which indeed happened). I am sorry.

gnomon

#4 userr

    Newbie

  • Members
  • 16 310 posts

Posted 28 June 2010 - 16:08

gnomon
smth in c:\WINDOWS\Minidump\ ?

pls zip and attach here the CureIt! log (you've done the CureIt! scan in safe mode, haven't you?) -- "c:\users\<Username>\DoctorWeb\CureIt.log"

#5 gnomon

    Newbie

  • Posters
  • 11 posts

Posted 28 June 2010 - 16:27

Hi userr,

smth in c:\WINDOWS\Minidump\ : nothing of that kind at my system also.

Yes, I have run CureIt! in Safe Mode, so hereby I have attached the log file you have asked me for.

gnomon

Attached files:



#6 gnomon

    Newbie

  • Posters
  • 11 posts

Posted 29 June 2010 - 21:15

Well, I think I have found a workaround for this problem, not a real solution:

I have found out that CureIt! and my firewall, Online Armor Free, are conflicting and causing this problem. By shutting down the firewall before starting CureIt! (in Normal Mode from my desktop), the problem of system crash does not occur anymore.

But I am not really satisfied that I cannot manage the firewall to have CureIt! run properly. I have read Online Armor's Help and documentation, and could not find a way to solve this problem.

I think that I have found, through Windows' Task Manager, that the internal name of CureIt! is ed76ed.exe (BTW: I do not mean the name given to CureIt! randomly during download). But even if I instruct Online Armor to allow ed76ed.exe to run from my desktop, the problem recurs. And maybe ed76ed.exe is only a temporary name for CureIt!, changing with every update. I would then have to adjust the name of this file in my firewall all the time. I do not know.

gnomon

#7 SergM

    Guru

  • Moderators
  • 9 387 posts

Posted 29 June 2010 - 21:21

And maybe ed76ed.exe is only a temporary name for CureIt!, changing every update

It's true.
Too many protective mechanisms are built into CureIt! ...

#8 drumut

    Member

  • Members
  • 325 posts

Posted 29 June 2010 - 21:28

Hello,

Thanks userr for helping us. I have some opinions about this issue, let me explain. ;)

But I am not really satisfied that I cannot manage the firewall to have CureIt! run properly. I have read Online Armor's Help and documentation, and could not find a way to solve this problem.


Please read this help document and watch these videos.
Show me how to TRUST a program (Video)
Show me what happens when a trusted program is changed (Video)

I do not mean the name given to CureIt! randomly during download


This is a security thing which Dr.Web considers for us, because if you always name CureIt! the same, malware can block this application. So random names are a good thing which Dr.Web considers for your security. It prevents malware from recognizing security applications by their name. :lol:

I believe the conflict between enhanced protection mode and Online Armor causes this problem. Please read the Online Armor help files carefully.

Good Luck!
OS : Debian Sid , all i have all i need!
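The point drumut makes is that a file name is not an identity: CureIt! is renamed on every download precisely so that malware cannot block it by name, which is also why a firewall rule keyed on "ed76ed.exe" stops matching after the next download. The following PowerShell is an added example, not code from this thread, from Dr.Web or from Online Armor; it lists running processes with their Authenticode signature so that a program can be judged by who signed it rather than by what it is called. It assumes PowerShell 2.0 or later on Windows 7, an elevated prompt (so every process image path can be read), and the temporary-folder list is an assumption made for the example.

```powershell
# Added example, not code from the thread, from Dr.Web or from Online Armor.
# Lists running processes with their Authenticode signature so that a program
# whose file name changes on every download (CureIt!'s ed76ed.exe in this thread)
# can be recognised by who signed it rather than by what it is called.
# Assumes PowerShell 2.0 or later on Windows 7; run elevated so that the image
# path of every process can be read.

function Get-ProcessSignatureReport {
    param(
        # Folders treated as "temporary" locations; an assumption made for this example.
        [string[]]$TempRoots = @("$env:LOCALAPPDATA\Temp", "$env:SystemRoot\Temp")
    )

    foreach ($proc in Get-Process) {
        # The image path is unreadable for some protected/system processes; skip those.
        $path = $null
        try { $path = $proc.Path } catch { }
        if (-not $path) { continue }

        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

        $inTemp = $false
        foreach ($root in $TempRoots) {
            if ($path -like "$root\*") { $inTemp = $true }
        }

        New-Object PSObject -Property @{
            Name   = $proc.ProcessName
            Path   = $path
            Status = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer = $signer
            InTemp = $inTemp
        }
    }
}

# Unsigned binaries running from a temporary folder deserve a second look;
# a validly signed binary with an odd, random-looking name is not suspicious
# just because of its name.
Get-ProcessSignatureReport |
    Sort-Object Status, Name |
    Format-Table Name, Status, InTemp, Signer -AutoSize
```

Run it while CureIt! is scanning and the randomly named process shows up with its signer, which is the stable property to key an allow rule on if the firewall or HIPS in use supports rules by publisher; whether Online Armor does is not something this thread establishes.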

#9 gnomon

    Newbie

  • Posters
  • 11 posts

Posted 29 June 2010 - 22:00

@drumut:

This is a security thing which dr.web considers for us, because if you name cureit always same, malwares can block this application.


I believe that I had already understood that, and I am not objecting to that practice, quite the contrary... The only thing I tried to say, was that I was not referring to this randomly given name for CureIt! during download.

I will read and watch the document and videos of your links and will come back to this forum soon, tomorrow I think.

By the way, this problem with Online Armor occurs in both CureIt!'s modes: in enhanced protection mode and normal mode of CureIt! (and ran within Windows' Normal Mode in both cases).

Thank you so far.

gnomon

#10 drumut

    Member

  • Members
  • 325 posts

Posted 29 June 2010 - 23:49

By the way, this problem with Online Armor occurs in both CureIt!'s modes: in enhanced protection mode and normal mode of CureIt! (and ran within Windows' Normal Mode in both cases).


Even in normal mode there is also self-protection in CureIt!. Enhanced protection is another layer of CureIt! which was recently released with the stable release of CureIt!.

You can also try to add an exception for the C:\Users\<UserName>\AppData\Local\Temp\ folder in the Online Armor settings, temporarily. Let's try this. :lol:
OS : Debian Sid , all i have all i need!

#11 gnomon

    Newbie

  • Posters
  • 11 posts

Posted 30 June 2010 - 19:32

@drumut:

You can also try to add an exception for the C:\Users\<UserName>\AppData\Local\Temp\ folder in the Online Armor settings, temporarily. Let's try this. :lol:


Regretfully this was of no avail either: after having set this, system crashes kept coming up with Online Armor enabled.

@everyone:

I have read and watched the Online Armor document and videos, and, after having created a Program rule for it, in Advanced Options I have changed/unchanged and ticked/unticked several settings for the CureIt! file:
- In the Security section: ticked/unticked Installer;
- In the Permissions section: set to Allowed/set to Ask and vice versa all of these settings and
- In the Protection section: ticked the Protect from termination and Protect from suspend settings.

So, I have tried several combinations of the above, and, most of the times the system still would crash and sometimes it would not, and within both of CureIt!'s modes. But, in every combination of settings and CureIt! modes, system crash occurred, at least once.

To add to this problem, also the system would crash sometimes if CureIt! had been running with Online Armor disabled (then CureIt! would run without a problem, in both of its modes), but then would crash as yet at the moment I would try to enable this firewall again.

Or even, but I am not sure whether this was caused by this CureIt!/Online Armor conflict, system crashing all the time after new start ups after about ten hours (this morning), though the system itself could be started up. At (normal) shutdown of the system, last evening, nothing was or went wrong. As a result, I had to use Windows 7's Setup DVD to recover the system by means of its latest System Recovery Point...

I tend to give up, things are becoming too complicated to me now. Maybe, CureIt! could be adjusted in future releases to tackle this specific problem? ;)

gnomon

#12 drumut

    Member

  • Members
  • 325 posts

Posted 30 June 2010 - 20:21

smth in c:\WINDOWS\Minidump\ : nothing of that kind at my system also.


You may want to check c:\WINDOWS\ directory if there is a minidump file with *.dmp extension.

If you still don't have this file please follow these steps.

  • Go to Start and type in "sysdm.cpl" (without the quotes) and press Enter
  • Click on the Advanced tab
  • Click on the Startup and Recovery Settings button
  • Ensure that "Automatically restart" is unchecked
  • Under the Write Debugging Information header select "Complete memory dump" in the dropdown box
  • Under the Dump file: please paste this "%SystemRoot%\MEMORY.DMP" (without the quotes)
  • Click OK twice to exit the dialogs, then reboot for the changes to take effect.

Attached file: drweb.png (16.87 KB, downloaded 31 times)

Could you run a memtest? You can use the Dr.Web live CD to do this. Besides, you may give the live CD a try if CureIt! doesn't work for you. Please see page 8.
OS : Debian Sid , all i have all i need!
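The dialog steps above write their values to the registry, so the quickest way to see whether a change actually stuck (gnomon later reports the Dump file field staying blank) is to read the key directly. The PowerShell below is an added example, not code from this thread, from Microsoft or from Dr.Web; it reads the Windows 7 crash-dump configuration under HKLM\SYSTEM\CurrentControlSet\Control\CrashControl, checks the one prerequisite a complete dump has (a page file on the system drive of at least RAM + 1 MB), lists any dump files already present, and can apply the same settings the dialog sets. It assumes an elevated PowerShell 2.0 or later prompt on Windows 7; the function names are this example's own.

```powershell
# Added example, not code from the thread, from Microsoft or from Dr.Web.
# Reads (and can set) the Windows 7 crash-dump settings that the Startup and
# Recovery dialog edits. The dialog stores them under
# HKLM\SYSTEM\CurrentControlSet\Control\CrashControl, so reading the registry
# shows whether a change actually stuck even when the GUI field appears blank.
# Assumes an elevated PowerShell 2.0+ prompt on Windows 7.

$CrashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# Meaning of the CrashDumpEnabled value on Windows 7.
$DumpTypeNames = @{ 0 = 'None'; 1 = 'Complete memory dump'; 2 = 'Kernel memory dump'; 3 = 'Small memory dump (minidump)' }

function Get-CrashDumpConfig {
    $cc   = Get-ItemProperty -Path $CrashControl
    $type = [int]$cc.CrashDumpEnabled
    $name = $DumpTypeNames[$type]
    if (-not $name) { $name = "Unknown ($type)" }
    New-Object PSObject -Property @{
        DumpType    = $name
        DumpFile    = $cc.DumpFile
        AutoReboot  = [bool]$cc.AutoReboot      # the "Automatically restart" checkbox
        MinidumpDir = $cc.MinidumpDir
    }
}

function Test-PageFileForCompleteDump {
    # A complete dump is written through the page file on the system drive, which
    # must be at least RAM + 1 MB; otherwise Windows will not keep the setting.
    $ramMB = [math]::Ceiling((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    $sysPf = Get-WmiObject Win32_PageFileUsage | Where-Object { $_.Name -like "$env:SystemDrive*" }
    $pfMB  = 0
    if ($sysPf) { $pfMB = [int]$sysPf.AllocatedBaseSize }
    New-Object PSObject -Property @{
        RamMB            = $ramMB
        SystemPageFileMB = $pfMB
        LargeEnough      = ($pfMB -ge ($ramMB + 1))
    }
}

function Set-CompleteMemoryDump {
    # Same result as the dialog steps in the post above; takes effect after a reboot.
    Set-ItemProperty -Path $CrashControl -Name CrashDumpEnabled -Value 1 -Type DWord
    Set-ItemProperty -Path $CrashControl -Name DumpFile -Value '%SystemRoot%\MEMORY.DMP' -Type ExpandString
    Set-ItemProperty -Path $CrashControl -Name AutoReboot -Value 0 -Type DWord
}

function Get-ExistingDumps {
    # Where a dump would already be, if one had been written.
    $found = @()
    $full  = Join-Path $env:SystemRoot 'MEMORY.DMP'
    if (Test-Path $full) { $found += Get-Item $full }
    $miniDir = Join-Path $env:SystemRoot 'Minidump'
    if (Test-Path $miniDir) { $found += Get-ChildItem $miniDir -Filter *.dmp }
    $found | Select-Object FullName, Length, LastWriteTime
}

Get-CrashDumpConfig
Test-PageFileForCompleteDump
Get-ExistingDumps
# Set-CompleteMemoryDump   # uncomment to apply, then reboot
```

If Get-CrashDumpConfig shows the small dump type, the files to look for are in the Minidump folder rather than MEMORY.DMP; if LargeEnough is false, a complete dump cannot be produced until the page file is enlarged, which is one ordinary reason for the dialog refusing the setting.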

#13 gnomon

    Newbie

  • Posters
  • 11 posts

Posted 30 June 2010 - 22:45

@drumut:

The *.dmp file still is not there (nor anywhere) at my system; I had even tried to set the settings for this in Startup and Recovery earlier this day, in the same screen picture as you forwarded to this thread in your latest posting.

But then, and just now, when I was trying to set Startup and Recovery the way that you have advised me to, this just would not succeed, and the Dump file field stayed blank, even when this had been run as Administrator by me, and even after the system had been rebooted. I really do not understand why. Perhaps some Windows settings do prevent all of this?

I have run the memory test of Memtest 86+ (v. 4.10: latest version), and this was what it exited with:
"***** Pass complete, no errors, press Esc to exit *****". That was exactly what I expected to happen, because a couple of days ago I already ran a memory test with the built-in facility of Windows 7 for this purpose, and there too there turned out to be no memory errors.

I also have downloaded the Dr.Web .iso, and maybe I will burn this to a CD, if needed. Remember that I still am able to run CureIt! in Windows 7's Safe Mode, and without problems. But for security (or even emergency) and back-up reasons, burning it to a CD is a good idea, of course.

Thank you so far again.

gnomon

#14 gnomon

    Newbie

  • Posters
  • 11 posts

Posted 30 June 2010 - 22:57

Now I will go out for a stroll and will be back soon.

#15 drumut

    Member

  • Members
  • 325 posts

Posted 30 June 2010 - 23:11

the Dump file field stayed blank, even when this had been run as Administrator by me, and even after the system had been rebooted. I really do not understand why. Perhaps some Windows settings do prevent all of this?


Are we sure you are not infected? Have you done a complete scan of your system with security software or online scanners?

I have run the memory test of Memtest 86+ (v. 4.10: latest version), and this was what it exited with:
"***** Pass complete, no errors, press Esc to exit *****". That was exactly what I expected to happen, because a couple of days ago I already ran a memory test with the built-in facility of Windows 7 for this purpose, and there too there turned out to be no memory errors.


It is good to be sure.

I also have downloaded the Dr.Web .iso, and maybe I will burn this to a CD, if needed. Remember that I still am able to run CureIt! in Windows 7's Safe Mode, and without problems. But for security (or even emergency) and back-up reasons, burning it to a CD is a good idea, of course.


Why don't you make a scan with the live CD and post the results here?
OS : Debian Sid , all i have all i need!

#16 gnomon

    Newbie

  • Posters
  • 11 posts

Posted 01 July 2010 - 02:17

Well, I have done several scans last week, all of them in full: with CureIt! to begin with, of course, and it turned out to be that my system was infected with that Backdoor.Tdss.565 rootkit then. But I thought the system was fully recovered from that by CureIt!'s disinfection actions on this detection and I also could not discover any symptoms left of this infection anymore at my system afterwards.

(These symptoms during rootkit's party time were (if not mentioned by me before): not being able to update from Windows Update server; being popped-up and redirected in my Firefox browser to all sorts of websites, to some "bad" domains especially, but also to fake search engines, when I was entering Google Search for a search command; a playing around with the HOSTS file (constantly being renamed to HOSTS.bak and then HOSTS vice versa); being botnetted, as detected continuously by the Trend Micro's RUBotted tool. It was a heavy infestation, so to speak. But all of these symptoms disappeared at a glance after CureIt!'s actions. As an extra measure, I also added some of the "bad" domains to my HOSTS file, by means of the 127.0.0.1, localhost, mechanism, like this:

127.0.0.1 (first "bad" domain entry)
127.0.0.1 (second "bad" domain entry)
127.0.0.1 (some more "bad" domain entries)

|

127.0.0.1 (last "bad" domain entry) .)

But, to be more certain anyway, I also ran some other scans (in full) afterwards: an Avira AntiVir scan (my standard anti-virus program, is also set to real time protection mode), a Malwarebytes' Anti-Malware scan, a ComboFix scan, an on-line Trend Micro's House Call scan, full scans with anti-spyware programs: Spybot Search & Destroy, Ad-Aware, Spysweeper (including an anti-virus module, in this case) and Spyware Doctor. A scan with Sophos' Anti-Rootkit (while taking the results cautiously: I know that anti-rootkit programs often return false positive detections, they cannot help, I do not mean this as a reproach). And, of course, in all cases, these programs were properly updated before the scans.

All of these scans found nothing in particular anymore, except for Spybot's detection of such trivial cookies as "doubleclick" and the like, as almost always found by Spybot.

I will burn the Dr.Web live CD now, run a scan with it, and will submit its findings to this forum. If necessary, and if being asked for, I will attach a HijackThis report, too.

gnomon
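The HOSTS file figures twice in this post: the rootkit shuffled it between HOSTS and HOSTS.bak, and gnomon afterwards used it as a sinkhole with 127.0.0.1 entries. The PowerShell below is an added example, not code from this thread or from Dr.Web, showing how a defender reads the file back after an incident: loopback entries are deliberate sinkholes, an entry that sends a well-known name to any other address is the kind of redirection a rootkit performs, and a loopback entry for an update server explains "cannot reach Windows Update". The list of sensitive names and the sample file are constructed for this example; 203.0.113.5 is a documentation (TEST-NET-3) address, not a real host.

```powershell
# Added example, not code from the thread or from Dr.Web. Audits a Windows
# HOSTS file after an infection like the one described above. The sensitive-name
# list and the sample file are constructed for this example.

function Get-HostsAudit {
    param(
        [string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts",
        # Names that should never be redirected; constructed list, extend as needed.
        [string[]]$SensitiveNames = @('windowsupdate.com', 'update.microsoft.com', 'google.com')
    )
    $loopback = @('127.0.0.1', '0.0.0.0', '::1')
    $lineNo = 0
    foreach ($raw in Get-Content -Path $HostsPath) {
        $lineNo++
        $line = ($raw -split '#')[0].Trim()        # drop comments and blank lines
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }       # malformed line: address without names
        $address = $fields[0]
        $isLoop  = $loopback -contains $address
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $sensitive = $false
            foreach ($s in $SensitiveNames) { if ($name -like "*$s") { $sensitive = $true } }
            if ($isLoop -and $sensitive) {
                $verdict = 'BLOCKS a sensitive name'      # e.g. breaks Windows Update
            } elseif ($isLoop) {
                $verdict = 'sinkhole'                     # deliberate blocking entry
            } elseif ($sensitive) {
                $verdict = 'REDIRECTS a sensitive name'   # classic hijack pattern
            } else {
                $verdict = 'custom entry'
            }
            New-Object PSObject -Property @{ Line = $lineNo; Address = $address; Name = $name; Verdict = $verdict }
        }
    }
}

function Get-HostsFileState {
    param([string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts")
    $exists    = Test-Path $HostsPath
    $readOnly  = $false
    $lastWrite = $null
    if ($exists) {
        $item      = Get-Item $HostsPath
        $readOnly  = $item.IsReadOnly
        $lastWrite = $item.LastWriteTime
    }
    New-Object PSObject -Property @{
        Exists        = $exists
        ReadOnly      = $readOnly
        BackupPresent = (Test-Path "$HostsPath.bak")   # the HOSTS.bak the rootkit shuffled
        LastWrite     = $lastWrite
    }
}

# Constructed sample (not a real hosts file) so the audit can be tried safely first.
$sample = Join-Path $env:TEMP 'hosts-sample.txt'
@'
# constructed sample
127.0.0.1       localhost
127.0.0.1       ads.example.test              # sinkhole added on purpose
203.0.113.5     www.google.com                # TEST-NET address: a redirect
127.0.0.1       download.windowsupdate.com    # this would break Windows Update
'@ | Set-Content -Path $sample

Get-HostsAudit -HostsPath $sample | Format-Table Line, Address, Name, Verdict -AutoSize
Get-HostsFileState
Get-HostsAudit | Format-Table Line, Address, Name, Verdict -AutoSize
```

On the sample the audit reports the google.com line as a redirect and the windowsupdate.com line as blocking a sensitive name; the last two calls run the same checks against the live file, where a recent LastWrite or a stray HOSTS.bak after a cleanup is worth explaining before declaring the system clean.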




#17 SergM

    Guru

  • Moderators
  • 9 387 posts

Posted 01 July 2010 - 05:43

gnomon
If you can translate this page, follow the rules specified there and attach the logs.

#18 gnomon

    Newbie

  • Posters
  • 11 posts

Posted 01 July 2010 - 16:02

@SergM:

I have visited that webpage and had it translated by Google translate, first into English, later into Dutch (my native tongue). But in both cases I just could not understand every aspect of it, due to the translations, I suppose. And Russian is a language that I understand even less, not to say that I do not understand a vowel of it... (Sto nam gore, ziz ni more... isn't that the lyric of a Russian song? :lol: )

What I did understand from that webpage, was that I am supposed to post some log files now: I have downloaded DrWeb Log Collector, have run it, and have let it produce DrwLog_JACK-PC_1-7_13-22.zip (attached). Further, I have attached a HijackThis log file (hijackthis.zip).

But I was not capable of producing two other log files, the log file of the Dr.Web Live CD in the first place. I expected it to produce a log file, residing at (in a Linux-like syntax that I am not accustomed to that much) /root/.drweb/logs/scanner.log, but I could not find it there; this was an empty directory. Maybe this was due to the fact that the CD had already been shut down after the scan? But just after the scan (in full), I saw that there were no detections at all. Do I still have to submit this log now?

A log file that I do have, is the CureIt! log, a previous version of which I had already submitted to this forum. But I wonder if this is of much use now. In time, the logging ends before the Dr.Web Live CD scan, and it is partially in Dutch, besides. Yet, I have attached it as well (CureIt.zip).

The other log file that could not be produced, was the log file of Rootkit Unhooker. Simply because this program would not run at my system (Windows 7 (Home Premium)). It exited with this error message: "Error loading driver, NTSTATUS code: C0000001". Even if run in Administrator's mode and even if run in Windows XP and Windows Vista compatibility modes.

gnomon

Attached files:



#19 SergM

    Guru

  • Moderators
  • 9 387 posts

Posted 01 July 2010 - 17:10

A log file that I do have, is the CureIt! log, a previous version of which I had already submitted to this forum. But I wonder if this is of much use now. In time, the logging ends before the Dr.Web Live CD scan, and it is partially in Dutch, besides. Yet, I have attached it as well (CureIt.zip).

The CureIt! log was not made according to the rules. You should rename CureIt! to xyz.pif.
Then create the folder C:\TEST, copy the file xyz.pif into it, and run the downloaded file cureit-scan.bat from the same folder (C:\TEST); after that CureIt! will be started.
Everything found: cure; incurable: move. When the check is finished, close the scanner and close the CureIt! window; CureIt! will then be started again, but with other parameters. Three runs of CureIt! are registered in the file. If viruses are found and a reboot is requested, agree. After the reboot start cureit-scan.bat again, until it no longer finds viruses. If the file cureit-scan.bat has completed normally, the folder C:\TEST will be opened in Explorer. In the folder c:\test\ find the file cureit-results.cab (a CAB file) and attach it to the letter.

And I would recommend switching off (suspending the monitoring of) your antivirus for the duration of the CureIt! scan.
Is your problem with Tdss.565 still current?

#20 gnomon

    Newbie

  • Posters
  • 11 posts

Posted 01 July 2010 - 17:21

I have got enough of it now, being polite all the time! I think that I have done enough already now, and will stop this now, won't come back to this thread! Besides, the rootkit is not there any more. Don't understand what is causing the CureIt!/Online Armor conflict, and don't expect it to be solved anymore, either. Just debug CureIt!

gnomon

