104 réponses à ce sujet

[Borka]

Here's the result:
C:\Documents and Settings\David>sc config spider start= auto
[SC] ChangeServiceConfig SUCCESS

So, what is after reboot?

[DavidR]

Here's the result:
C:\Documents and Settings\David>sc config spider start= auto
[SC] ChangeServiceConfig SUCCESS

So, what is after reboot?

I feel like crying, Borka! http://forum.drweb.com/public/style_emoticons/default/mellow.png The results are exactly the same...
I know that the time is late in Kiev now--let's take a break until tomorrow, and if you still have the patience, we can work on it then. I deeply appreciate your expertise and willingness to help.
DavidR

[Eugeny Gladkih]

DavidR

maybe there's something interesting in Windows EventLog, could you take a look at there?

[Borka]

Here's the result:
C:\Documents and Settings\David>sc config spider start= auto
[SC] ChangeServiceConfig SUCCESS

So, what is after reboot?

http://forum.drweb.com/public/style_emoticons/default/sad.png I feel like crying, Borka! http://forum.drweb.com/public/style_emoticons/default/mellow.png The results are exactly the same...

I think it's time to search for rootkits.
Download HiJackThis: http://www.trendsecure.com/portal/en-US/to...ckthis/download
RootKit Unhooker: http://www.rootkit.com/vault/DiabloNova/RkU3.8.342.554.rar
and drweb_scan.zip: http://forum.drweb.com/index.php?act=attac...ost&id=1673
Make logs and attach them here. We'll see who prevents spider to load.

I know that the time is late in Kiev now

Really? I don't think so - local time is 22:02 only.

[userr]

DavidR
To be sure that your comp is virus-free pls do the following.
- update drweb - spider agent icon- Updater.
- unplug the Internet cable
- download the attached file drweb-scan.zip and unzip drweb-scan.bat from it.
- run drweb-scan.bat. Drweb scanner should start. When it finishes, close the scanner window and the scanner starts again - three times. Cure all viruses, if scanner find any.
- after all that you will see the folder test opened in Explorer. find the file drw-results.cab there. The file contains Drweb scanner logs, pls post it here.
 drweb_scan.zip   1,33 Ko   77 téléchargement(s)

[DavidR]

DavidR
To be sure that your comp is virus-free pls do the following.
- update drweb - spider agent icon- Updater.
- unplug the Internet cable
- download the attached file drweb-scan.zip and unzip drweb-scan.bat from it.
- run drweb-scan.bat. Drweb scanner should start. When it finishes, close the scanner window and the scanner starts again - three times. Cure all viruses, if scanner find any.
- after all that you will see the folder test opened in Explorer. find the file drw-results.cab there. The file contains Drweb scanner logs, pls post it here.
 drweb_scan.zip   1,33 Ko   77 téléchargement(s)

Borka and userr,

How can I attach these logs--when I try, it says post is too long?

[Malex]

DavidR
To be sure that your comp is virus-free pls do the following.
- update drweb - spider agent icon- Updater.
- unplug the Internet cable
- download the attached file drweb-scan.zip and unzip drweb-scan.bat from it.
- run drweb-scan.bat. Drweb scanner should start. When it finishes, close the scanner window and the scanner starts again - three times. Cure all viruses, if scanner find any.
- after all that you will see the folder test opened in Explorer. find the file drw-results.cab there. The file contains Drweb scanner logs, pls post it here.
 drweb_scan.zip   1,33 Ko   77 téléchargement(s)

Borka and userr,

How can I attach these logs--when I try, it says post is too long?

Compress them with WinRar or WinZip for example http://forum.drweb.com/public/style_emoticons/default/wink.png

[DavidR]

DavidR
To be sure that your comp is virus-free pls do the following.
- update drweb - spider agent icon- Updater.
- unplug the Internet cable
- download the attached file drweb-scan.zip and unzip drweb-scan.bat from it.
- run drweb-scan.bat. Drweb scanner should start. When it finishes, close the scanner window and the scanner starts again - three times. Cure all viruses, if scanner find any.
- after all that you will see the folder test opened in Explorer. find the file drw-results.cab there. The file contains Drweb scanner logs, pls post it here.
 drweb_scan.zip   1,33 Ko   77 téléchargement(s)

Borka and userr,

How can I attach these logs--when I try, it says post is too long?

Compress them with WinRar or WinZip for example http://forum.drweb.com/public/style_emoticons/default/wink.png

Thanks, Malex, for your advice!
That was much easier than I thought...
I've tried to upload the files: DrWeb Scan, HJT log, and Rootkit Unhooker log.
Again, I thank everyone for their help with this!

Fichier(s) joint(s)

•  drw_results.cab   85,24 Ko   63 téléchargement(s)
•  hijackthis.zip   3,31 Ko   54 téléchargement(s)
•  Rootkit_Unhooker_Report.zip   4,89 Ko   83 téléchargement(s)

[Borka]

I've tried to upload the files: DrWeb Scan, HJT log, and Rootkit Unhooker log.

Repeat RkU log please. Run it, choose "Report", press "Scan", uncheck "Files" and press OK.

Fix in HJT:
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) -

Do you know whai is it:
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - _https://pbells.broadjump.com/wizlet/iw60/st...aller_4-0-0.cab
?

[userr]

DavidR
You have the soft Sandboxie installed. Its site says: The following classes of system objects are supervised by Sandboxie: Files, Disk Devices, Registry Keys. Do you know in detail how this soft works? Was it active when you installed Drweb?

[DavidR]

I've tried to upload the files: DrWeb Scan, HJT log, and Rootkit Unhooker log.

Repeat RkU log please. Run it, choose "Report", press "Scan", uncheck "Files" and press OK.

Fix in HJT:
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) -

Do you know whai is it:
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - _https://pbells.broadjump.com/wizlet/iw60/st...aller_4-0-0.cab
?

Borka,
I ran a second RkU scan, as you instructed. I fixed the item in HJT as you advised. The pbells.broadjump.com has something to do with Bellsouth, which is related to my ISP and my fast-access dsl.

Fichier(s) joint(s)

•  RkU_Second_Scan_Log.zip   16,21 Ko   77 téléchargement(s)

[DavidR]

DavidR
You have the soft Sandboxie installed. Its site says: The following classes of system objects are supervised by Sandboxie: Files, Disk Devices, Registry Keys. Do you know in detail how this soft works? Was it active when you installed Drweb?

Userr,
Sandboxie is a sandbox utility. It was active when I installed Dr. Web. I must say that I do not understand well how this software works.

[Borka]

OK, DavidR. Try to disable Sandboxie before install Dr.Web. Sandboxie can prevent registry modification.

[DavidR]

OK, DavidR. Try to disable Sandboxie before install Dr.Web. Sandboxie can prevent registry modification.

Borka,
I am unsuccessful in installing Dr. Web SS.
This is what I did:
I removed Sandboxie from my computer.
I uninstalled Dr. Web completely and tried to re-install using the download from a few days ago.
It looked like it installed correctly, but when I rebooted, the original problem was there.
I then uninstalled Dr. Web using Revo Uninstaller.
I downloaded a brand new copy of DWSS from DW and tried to install that. I even obtained a new key file.
Again, upon reboot the original problem is still there.
I just have no idea why...
Thanks again for your help!

[Borka]

Again, upon reboot the original problem is still there.

Bad news. http://forum.drweb.com/public/style_emoticons/default/sad.png
Repeat logs please.

[userr]

I then uninstalled Dr. Web using Revo Uninstaller.

Please, never try to install/uninstall Drweb with "help" of any third-party program.

[DavidR]

Again, upon reboot the original problem is still there.

Bad news. http://forum.drweb.com/public/style_emoticons/default/sad.png
Repeat logs please.

Yes, definitely bad news!
Here are the latest logs.
Thanks, Borka!

Fichier(s) joint(s)

•  drw_results.cab   85,15 Ko   58 téléchargement(s)
•  hijackthis___Notepad.pdf   21,19 Ko   104 téléchargement(s)
•  Latest_RkU_Scan_Log.doc   29,5 Ko   76 téléchargement(s)

[Borka]

Here are the latest logs.

DavidR, first do not post logs in Word, Adobe etc. format - use either archiver or native formats (txt, log etc.). http://forum.drweb.com/public/style_emoticons/default/wink.png
1. repeat RkU log. Run it, choose "Report", press "Scan", uncheck "Files" and press OK. Log you've posted doesn't contain some infomation.
2. attach drweb32.ini
3. Check on VirusTotal: C:\WINDOWS\system32\drivers\avgntflt.sys

[DavidR]

Here are the latest logs.

DavidR, first do not post logs in Word, Adobe etc. format - use either archiver or native formats (txt, log etc.). http://forum.drweb.com/public/style_emoticons/default/wink.png
1. repeat RkU log. Run it, choose "Report", press "Scan", uncheck "Files" and press OK. Log you've posted doesn't contain some infomation.
2. attach drweb32.ini
3. Check on VirusTotal: C:\WINDOWS\system32\drivers\avgntflt.sys

Borka,
VirusTotal scan of that file shows all negatives. No virus.
Can you open the RkU log in this format? Not sure what it is...

Fichier(s) joint(s)

•  drweb32.ini   2,28 Ko   52 téléchargement(s)
•  Report_of_RkU.txt   41,11 Ko   57 téléchargement(s)

[Borka]

Does EventLog contain any information when you try to start spider?
1. "Start" -> "Run" -> type CMD and press Enter key.
2. "Command line" will open.
3. Type
net start spider [press Enter]
net start spidernt [press Enter]
See EventLog for any information about spider.