"1 items have protection disabled" / ROOTKIT / Malware

Post by Eagle » September 27th, 2009, 6:03 pm

Dell Precision 340 Workstation
_______________________________________
Windows 2000 Professional
5.00.2195
Service Pack 4
_______________________________________
Mozilla Firefox
Version: 3.5.3
_______________________________________
Internet Explorer
Version: 6.0.2800.1106
_______________________________________
ESET NOD32 Antivirus 4.0.417.0
_______________________________________
SUPERAntiSpyware
_______________________________________
Malwarebytes' Anti-Malware
_______________________________________
SysInspector by ESET
_______________________________________
Avenger
_______________________________________
GMER
_______________________________________
ComboFix
_______________________________________
SpywareBlaster
version 4.2
______________________________________________________________
After restarting SpywareBlaster I repeatedly notice under "SpywareBlaster Protection Status" on the "Restricted Sites" line the following message:
"1 items have protection disabled".
The item is as follows:
ITEM NAME: AntiMalwareGuard
ADDRESS: antimalwareguard.com
This is happening despite the fact that earlier in the same day I had already clicked the "Enable all protection" link in SpywareBlaster.
1) Why is this occurring?
2) What can I do to solve this problem?
3) Is this related to the following message that I keep seeing in the ComboFix log after running ComboFix:
"c:\winnt\system32\comres.dll . . . is infected!!"
4) Is this related to the messages that I receive after running Avenger?
"Error: file "C:\WINNT\system32\CF15096.exe" not found!
Deletion of file "C:\WINNT\system32\CF15096.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINNT\system32\CF25469.exe" not found!
Deletion of file "C:\WINNT\system32\CF25469.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINNT\system32\CF9828.exe" not found!
Deletion of file "C:\WINNT\system32\CF9828.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINNT\system32\CF6762.exe" not found!
Deletion of file "C:\WINNT\system32\CF6762.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINNT\system32\CF9462.exe" not found!
Deletion of file "C:\WINNT\system32\CF9462.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist"
5) Is this related to the following results that I receive after opening GMER:
TYPE: "Service"
Name: "C:\WINNT\system32\clipsrv.exe? (*** hidden ***)"
Value: "(MANUAL)" ClipSrv
-------------------------------------------------------------------------
TYPE: "Service"
Name: "C:\WINNT\system32\MSTask.exe? (*** hidden ***)"
Value: "(AUTO)" Schedule
PS. GMER typically highlights the above results in RED.


________________________________________
ESET NOD32 antivirus repeatedly detects and quarantines the following:
Object name: “C:\DOCUME~1\v\LOCALS~1\Temp\Av-test.txt”
Reason: “Eicar test file”
1) Why does this thing keep coming back?
2) How can I permanently fix this problem?
_______________________________________________________________________
GMER Results:
GMER 1.0.15.15087 - http://www.gmer.net
Rootkit quick scan 2009-09-27 17:58:26
Windows 5.0.2195 Service Pack 4
Running: 0xt9fcyh.exe; Driver: C:\DOCUME~1\v\LOCALS~1\Temp\pfxiipob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

---- Processes - GMER 1.0.15 ----

Process hidden process (*** hidden *** ) 0
Process System (*** hidden *** ) 8
Process SMSS.EXE (*** hidden *** ) 148
Process CSRSS.EXE (*** hidden *** ) 172
Process WINLOGON.EXE (*** hidden *** ) 192
Process SERVICES.EXE (*** hidden *** ) 220
Process LSASS.EXE (*** hidden *** ) 232
Process svchost.exe (*** hidden *** ) 408
Process spoolsv.exe (*** hidden *** ) 432
Process DkService.exe (*** hidden *** ) 460
Process ekrn.exe (*** hidden *** ) 476
Process svchost.exe (*** hidden *** ) 492
Process firefox.exe (*** hidden *** ) 508
Process jqs.exe (*** hidden *** ) 544
Process nvsvc32.exe (*** hidden *** ) 580
Process regsvc.exe (*** hidden *** ) 616
Process stisvc.exe (*** hidden *** ) 664
Process WinMgmt.exe (*** hidden *** ) 772
Process mspmspsv.exe (*** hidden *** ) 800
Process svchost.exe (*** hidden *** ) 816
Process svchost.exe (*** hidden *** ) 828
Process explorer.exe (*** hidden *** ) 1120
Process WINWORD.EXE (*** hidden *** ) 1184
Process 0xt9fcyh.exe (*** hidden *** ) 1216
Process jusched.exe (*** hidden *** ) 1244
Process egui.exe (*** hidden *** ) 1248
Process robotaskbaricon (*** hidden *** ) 1260

---- Services - GMER 1.0.15 ----

Service C:\WINNT\system32\clipsrv.exe? (*** hidden *** ) [DISABLED] ClipSrv <-- ROOTKIT !!!
Service C:\WINNT\system32\MSTask.exe? (*** hidden *** ) Schedule <-- ROOTKIT !!!


---- EOF - GMER 1.0.15 ----
Eagle
Active Member
 
Posts: 11
Joined: September 27th, 2009, 5:47 pm

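A helper triaging a post like this would first pull the hidden entries out of the GMER report. The parser below is an added example, not code from the thread or from GMER: it reads the Processes and Services sections in the format GMER printed above and returns the hidden processes and the services GMER flagged. The regular expressions are derived only from the posted lines; the two non-hidden sample lines are constructed for contrast and their format is an assumption.

```python
import re

# Constructed sample input: Process/Service lines copied from the GMER log above;
# the two lines without "(*** hidden *** )" are constructed for contrast (format assumed).
GMER_LOG = r"""
---- Processes - GMER 1.0.15 ----
Process System (*** hidden *** ) 8
Process explorer.exe (*** hidden *** ) 1120
Process egui.exe 1248

---- Services - GMER 1.0.15 ----
Service C:\WINNT\system32\clipsrv.exe? (*** hidden *** ) [DISABLED] ClipSrv <-- ROOTKIT !!!
Service C:\WINNT\system32\MSTask.exe? (*** hidden *** ) Schedule <-- ROOTKIT !!!
Service C:\WINNT\system32\regsvc.exe [AUTO] RemoteRegistry

---- EOF - GMER 1.0.15 ----
"""

HIDDEN = r" \(\*\*\* hidden \*\*\* \)"
PROCESS_RE = re.compile(r"^Process (?P<name>.+?)(?P<hidden>" + HIDDEN + r")? (?P<pid>\d+)$")
SERVICE_RE = re.compile(
    r"^Service (?P<path>\S+?)(?P<unverified>\?)?(?P<hidden>" + HIDDEN + r")?"
    r"(?: \[(?P<state>[A-Z]+)\])? (?P<name>\S+)(?P<rootkit> <-- ROOTKIT !!!)?$"
)

def parse_gmer(text):
    """Return (processes, services) parsed from a GMER text report."""
    processes, services = [], []
    for line in text.splitlines():
        m = PROCESS_RE.match(line)
        if m:
            processes.append({"name": m["name"], "pid": int(m["pid"]),
                              "hidden": m["hidden"] is not None})
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append({"name": m["name"], "path": m["path"],
                             "path_unverified": m["unverified"] is not None,  # trailing '?'; meaning not given in the post
                             "state": m["state"],  # None when GMER printed no [STATE]
                             "hidden": m["hidden"] is not None,
                             "rootkit_flag": m["rootkit"] is not None})
    return processes, services

def triage(text):
    """Entries a helper would want to see first: hidden processes and flagged services."""
    processes, services = parse_gmer(text)
    return {"hidden_processes": [p["name"] for p in processes if p["hidden"]],
            "flagged_services": [s["name"] for s in services if s["hidden"] or s["rootkit_flag"]]}
```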
Re: "1 items have protection disabled" / ROOTKIT / Malware

Post by NonSuch » September 27th, 2009, 10:13 pm

In order for us to help you it is necessary that you provide us with a HijackThis log. Please follow the guideline at the link below to start a new topic and post your HijackThis log by pasting it into your post. Do not utilize attachments. You may also include the logs you have posted above; however, you must use only one post for everything.

This topic is now closed. Please start a new topic by following the HijackThis Guideline posted here: Guideline for posting your HijackThis log
NonSuch
Administrator
 
Posts: 27300
Joined: February 23rd, 2005, 7:08 am
Location: California