RasMan keeps trying to run every 5 minutes, Windows freezing/crashing,



#16 RKinner (Malware Expert)

Your original OTL log showed signs of an infection. Most of those randomly named drivers that said file not found were probably from malware so it is possible that the files were put into pbk at that time. Back when everyone was on dialup we used to see malware that would try to make you call some expensive sex chat line or similar. Now that dialup is mostly gone we don't see them that often but I suppose you could have been hit by one.

Since you have two PCs, I would let this one do a free ESET online scan (It can take 3 or more hours to complete):

First clean up System Restore to get rid of any malware that may be left and to make the ESET scan run faster.

Copy the following:

:Commands
[CLEARALLRESTOREPOINTS]
[Reboot]

Run OTL. In the Custom Scans/Fixes box at the bottom, paste in the copied text (Ctrl + v) and then hit Run Fix.

then:

Use IE and go to http://eset.com/onlinescan and click on ESET online Scanner. Accept the terms then press Start (If you get a warning from your browser tell it you want to run it). You should probably pause Comodo's a-v and if it complains about the connections ESET makes please allow them.

1. Check Scan Archives.
2. Push the Start button.
3. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
4. When the scan completes, push LIST OF THREATS FOUND.
5. Push EXPORT TO TEXT FILE, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
6. Push the BACK button.
7. Push Finish.
8. Once the scan is completed, you may close the window.
9. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
10. Copy and paste that log as a reply.


Let's also try the bitdefender quickscan.

http://quickscan.bitdefender.com/

When it finishes there is a View Report option at the bottom. Click on it and copy and paste the report (even if it says nothing found).



I'm not really fond of Comodo's anti-virus. I think it's fairly weak. I use the free Avast myself http://www.avast.com...ivirus-download and then add the free Online Armor firewall http://www.online-ar...-armor-free.php. Avast is very good about warning you when you hit a bad site and it also has a wonderful feature called a boot-time scan. A boot-time scan runs before most of Windows has loaded, so it can find stuff that would otherwise hide from a regular anti-virus. Online Armor seems smarter than Comodo's firewall and doesn't ask you so many dumb questions.

This is how it works if you want to try it:

Once you have it installed and it has updated:

Click on the Avast ball. Then click on Scan Computer, then on Boot-Time Scan, then on Settings. Change the Ask at the bottom to Move to Chest. OK, then Schedule Now. Reboot and let it run a scan. It may take hours.
Once it finishes it should load Windows. Click on the Avast ball and then on Scan Logs, select the Boot-time scan report, then View Results. How many did it find?
The text version of the report is usually at: C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\report\aswboot.txt but I think it tells you when it first starts running where the report will be.
#17 mcs123 (Member, Topic Starter)

Your original OTL log showed signs of an infection.


But did they hint at trojan/backdoor activity? I'm just wondering if my data has been compromised.

Most of those randomly named drivers that said file not found were probably from malware so it is possible that the files were put into pbk at that time.


I did a bit of a check and this is what I discovered: rasphone.pbk is definitely related to a program called "Mobile Partner" that I use to create a connection with my USB modem. I deleted rasphone.pbk from the Pbk folder, and when I created a connection with Mobile Partner, it immediately recreated the file in the Pbk folder. There is even an "AddPbk.exe" in the Mobile Partner folder. It seems legitimate.

In order to create the connection, it seems I need to have both Telephony and RasMan enabled, otherwise it shows the same error entries in the system event viewer. Once I enabled Telephony, I could connect, and I can open rasphone.pbk and it shows me a profile & configuration options with the name of my ISP on it.

Since you have two PCs, I would let this one do a free ESET online scan (It can take 3 or more hours to complete):


Ok, I will complete these steps on my other PC, which is the one I am posting from, and I'll report back here. The one we've been working on so far is constantly offline. Will we do anything with it anymore, or do we consider it 'cleared'?



Edit: Did you mean to perform those steps on the PC we've been working on, or the one I'm using now? Because I'm not too fond of plugging the other one online (and leaving it for hours) if it seems likely it is susceptible to remote access.

Edited by mcs123, 11 September 2012 - 02:27 PM.


#18 RKinner (Malware Expert)

I mean for the sick PC to run the ESET scan, but if you want to run the good one, that's OK too. It should not hurt the PC to do the ESET scan as long as you have a firewall; it's only going to be talking to ESET.

I really can't tell from what I see in the logs what the malware does. The names are random. IF you can find one of the files, perhaps in Comodo's quarantine, you can submit it to http://virustotal.com and see what they say. Sometimes you can google the names that the a-v companies tag the file with and get a better idea of what they are up to.

#19 mcs123 (Member, Topic Starter)

IF you can find one of the files, perhaps in Comodo's quarantine, you can submit it to http://virustotal.com and see what they say.


The only files that Comodo has detected/quarantined, in the last 4 months, were 2 files that it found in the avast temp folder during the aswMBR scan. Do you think they were false positives or should I un-quarantine them and upload them to VirusTotal? They were .tmp files and Comodo tagged them as "[email protected]#1qrvzom6k531v" and "[email protected]#17y72zf0xhkmkj". Google finds nothing on them. I'm inclined to believe they're false positives because aswMBR's result only showed 8 detections, all of which were in Comodo's quarantine. The quarantine had a total of 8 files before running aswMBR, so it would seem logical to think aswMBR did not detect the last 2 that came directly from its temp folder.

I mean, the other explanation would be that aswMBR finds a virus > places it in the avast temp folder > Comodo picks it up and quarantines it. But in that case, shouldn't aswMBR still show it in the results as the original file that it detected, rather than in Comodo's quarantine?

Either way, I will run the steps and report back.

Edited by mcs123, 11 September 2012 - 03:57 PM.


#20 RKinner (Malware Expert)

Probably a false positive. I can't tell how long the driver files have been gone or who took them. The only one that was still there was:

DRV - [2011.12.01 05:11:26 | 000,303,560 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Documents and Settings\tilapainen\Työpöytä\CCE\ccekrnl.dat -- (extywb)

His date says he has been around since 2011 tho you can't always trust the dates. You might look in C:\_OTL\RemovedFiles\c\Documents and Settings\tilapainen\Työpöytä\CCE\ccekrnl.dat tho it may have a different extension now. That's more or less where OTL puts files that it removes. You can submit the file to virustotal and see what they say.

#21 mcs123 (Member, Topic Starter)

ccekrnl.dat should be safe. It's part of Comodo Cleaning Essentials. There were a couple other files & folders in OTL's removed files section. I will be uploading them all to VirusTotal.

edit: All files were clean, apart from one, which 2 scanners out of 42, Emsisoft and Norman, detected as "W32/AskBar.P". File properties shows that I've had it since 2008, though, so I doubt it's the cause of our problems.

Will try Avast scanner tomorrow, after I've slept. Is it possible to install it and run the bootscan without having to uninstall Comodo, if I just disable it instead?



ESET scanner log:

------------------------

C:\Documents and Settings\tilapainen\Työpöytä\CrystalDiskInfo5_0_3Shizuku-en.exe Win32/OpenCandy application cleaned by deleting - quarantined
C:\System Volume Information\_restore{83B365A9-1301-4F49-82DE-0BB30AADD5A4}\RP7\A0006215.exe Win32/OpenCandy application cleaned by deleting - quarantined

------------------------

Notice the System Volume Information... I thought that was supposed to be gone with the OTL fix command to remove all restore points? Or is System Volume Information not connected to restore points? There are several folders & files in System Volume Information, and it created a new folder right when OTL was clearing restore points.

I attached the BitDefender log. It was clean, but notice:

------------------------

Network activity
----------------
Process firefox.exe (416) connected on port 80 (HTTP) --> 173.194.32.40

Process svchost.exe (928) listens on ports: 135 (RPC)

------------------------

Is it normal for svchost to listen on port 135? I have NetBIOS over TCP/IP disabled, if that makes any difference.


edit: I ran BitDefender on my 'clean' computer as well, and it also had an entry of svchost listening on port 135. It is strange that Comodo's firewall does not show this in the 'Active Connections' section, but instead it shows that 'System' is listening on port 445, which, on the other hand, is NOT shown in the BitDefender log. I have attached that log as well; notice it is named COMPUTER B, so this refers to the computer we assume is 'clean'. I also ran the ESET scan on this PC, and it also detected a Win32/OpenCandy application, and that was the only detection.

"cdbxp_setup_4.4.1.3341.exe Win32/OpenCandy application cleaned by deleting - quarantined"

Edited by mcs123, 12 September 2012 - 12:06 AM.


#22 RKinner (Malware Expert)

It's hard to stop it from listening on 135. There is a program called Windows Worms Door Cleaner

http://www.softpedia...s-Cleaner.shtml

that will supposedly do it for you or you can manually make the registry changes: http://ssj100.fullsu...-445-windows-xp

It may be listening on 135 but I would think Comodo could block any incoming traffic on 135. Have you tried ShieldsUp! from www.grc.com? They will test your firewall by attempting to get a response from each port. If no response then the port is blocked. They also have a leak test you might want to try.

Process firefox.exe (416) connected on port 80 (HTTP) --> 173.194.32.40


This is google in Mountain View CA. Nothing to worry about.

OTL is supposed to clean all but the last System Restore tho I can't say I ever looked to see if it did. If the adware is active then it may also show up in the latest System Restore which appears to be the case here.

AskBar is just adware that gets foisted on you by a variety of other programs when you install them. It's harmless but I hate foistware so I kill it off whenever I see it.

I don't know if you can just turn off Comodo and install Avast. Used to be Avast would refuse to run if there was another anti-virus. You can try it and it should tell you.

#23 mcs123 (Member, Topic Starter)

I tried ShieldsUp! and this is the result for all ports:

Solicited TCP Packets: PASSED — No TCP packets were received from your system as a direct result of our attempts to elicit some response from any of the ports listed below — they are all either fully stealthed or blocked by your ISP. However . . .

Unsolicited Packets: PASSED — No Internet packets of any sort were received from your system as a side-effect of our attempts to elicit some response from any of the ports listed above. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system remained wisely silent. (Except for the fact that not all of its ports are completely stealthed as shown below.)

Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.


Is this something to be worried over? And furthermore, the fact that svchost was/is listening on port 135: is this an alarming sign and an indication of a backdoor?

If the adware is active then it may also show up in the latest System Restore which appears to be the case here.


By active adware are you referring to the Win32/OpenCandy application? I think the reason it shows in the last system restore is because I have "CrystalDiskInfo5_0_3Shizuku-en.exe" on my desktop, which ESET detected as an OpenCandy application, and during system restore my desktop items get saved.

Either way, are there any other steps to do here, or are we just waiting for the Avast scan results?

#24 RKinner (Malware Expert)

No reason why you'd want to let your system respond to pings. If you can get Comodo to do it that's fine, but it's not a big risk.

135 is a Windows thing so not a back door. Apparently it gets blocked by your firewall (or perhaps by your router - most of them also have firewalls), as ShieldsUp did not see it, so nothing to worry about.

OpenCandy is what was detected both in your system and in the system restore. I don't really know what it is so I called it adware since I don't think it's really malware.

I think your PC is clean. You don't have to run the Avast boot-time scan unless you want to. We can go ahead and clean up:

You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

OTL has a cleanup tab so if you run it again and select cleanup it will remove itself and its backup files.

To hide hidden files again (If you do not run OTL cleanup):

XP

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Uncheck the checkbox labeled Display the contents of system folders.
6. Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
7. Check the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and exit My Computer.


Special note on Java. Currently there is an exploit out that works on all Java Version 7 software, so we are recommending that if you do not visit websites that absolutely require Java you turn it off in your browser per the instructions in http://www.geekstogo...ur-web-browser/
If you use websites that require Java and you trust them then we recommend that you use either Firefox with the NoScript add-on or Chrome with the ScriptNo add-on and avoid IE. NoScript/ScriptNo will turn off Java and Javascript on all websites you visit except for those that you specifically approve. More info on the exploit is here: http://krebsonsecuri...y-java-exploit/
A new Java 7 Version 7 was released on an emergency basis to fix the exploit but apparently actually makes things worse.


Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. You can right click on the UpdateChecker icon (looks like a downward green arrowhead) and select Settings and tell it no betas. If you don't use MSN Messenger I would not update it. MS installs a bunch of stuff when you do. You can tell the program to not show you that update.)
If you use Firefox or Chrome then get the AdBlock Plus add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: http://simple-adblock.com/ tho the free version only blocks 200 ads a day.

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox:
http://www.crystalidea.com/speedyfox. Click on Speedup my Firefox. When it finishes click on Exit.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certainly be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.

Ron

PS bed time for me.

#25 mcs123 (Member, Topic Starter)

Thank you very much for your help, my PC does not appear to have boot/crash issues anymore. However, I think we are not 100% in the clear yet, as every time I boot, I still see 2 error entries of RasMan trying to run. RasMan also repeatedly tries to run when I connect to a network. It has stopped trying to run every 5 minutes, though.

135 is a Windows thing so not a back door. Apparently it gets blocked by your firewall (or perhaps by your router - most of them also have firewalls), as ShieldsUp did not see it, so nothing to worry about.


So I can relax and not worry about there being a trojan on my system? Assuming some kind of remote access was in use, would it show up, for example in BitDefender's scan report or via the "netstat -no" command, even if it were an encrypted connection?

If you have a router, log on to it today and change the default password!


I have a router, but strangely enough it does not ask for a password. But it also does not offer any options to mess with NAT settings either, just some 'frequency tuner' and an option to change from routed to bridged, and to turn off WiFi.

Special note on Java. Currently there is an exploit out that works on all Java Version 7 software so we are recommending that if you do not visit websites that absolutely require Java that you turn it off in your browser


I have done that now. Based on the logs that you saw, did it appear as though my system had been affected by this Java exploit? We haven't really speculated what could have caused these issues.

Now, if only we could find out what's causing RasMan to still attempt to run. Or is it even necessary to find that out? Is it normal behavior for it to try to run on boot-up and when connecting to a network? Either way, I also have some issues with the current computer I'm using, so I should probably post an OTL log of that also, but I'm wondering if I should just open up a new topic for that altogether.

Thanks for the very informative & useful links in your post, by the way.

Edited by mcs123, 12 September 2012 - 12:30 PM.

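A defender's check for the two questions raised in the last two posts: why svchost.exe listens on 135, and whether netstat would show a remote connection even if it were encrypted. This is an added example, not part of the thread; it assumes PowerShell 2.0 or later is installed (it is not present on XP by default) and uses an assumed baseline of default Windows listeners (135, 139, 445).

```powershell
# Added example (not from the thread). Lists TCP listeners and established
# connections from "netstat -ano", resolves each owning PID to its image and the
# Windows services it hosts, and flags listeners outside an assumed XP baseline.

# Assumed baseline of listeners present on a default Windows XP workstation.
$ExpectedListeners = @{
    135 = 'RPC endpoint mapper (RpcSs inside svchost.exe)'
    139 = 'NetBIOS session service (System)'
    445 = 'SMB over TCP, file and printer sharing (System)'
}

function Get-TcpEndpoints {
    # Parse netstat -ano columns: Proto, Local Address, Foreign Address, State, PID.
    # -a includes LISTENING sockets, -n skips DNS lookups, -o adds the PID column.
    netstat -ano | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        if ($f.Count -ge 5 -and $f[0] -eq 'TCP') {
            $local = $f[1]
            New-Object PSObject -Property @{
                Local  = $local
                # LastIndexOf handles IPv6 literals such as [::]:135
                Port   = [int]$local.Substring($local.LastIndexOf(':') + 1)
                Remote = $f[2]
                State  = $f[3]
                PID    = [int]$f[4]
            }
        }
    }
}

function Get-OwnerDescription([int]$ProcessId) {
    # "svchost.exe" alone says little; the hosted service names identify the
    # Windows component that actually owns the socket (RpcSs for port 135).
    $proc = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.ProcessName } elseif ($ProcessId -eq 4) { 'System' } else { 'unknown' }
    $svcs = Get-WmiObject Win32_Service -Filter "ProcessId = $ProcessId" |
            ForEach-Object { $_.Name }
    if ($svcs) { "$name [$($svcs -join ', ')]" } else { $name }
}

function Get-ListenerReport {
    Get-TcpEndpoints | Where-Object { $_.State -eq 'LISTENING' } | Sort-Object Port |
        ForEach-Object {
            $verdict = if ($ExpectedListeners.ContainsKey($_.Port)) {
                "expected: $($ExpectedListeners[$_.Port])"
            } else {
                'REVIEW: not in baseline'
            }
            New-Object PSObject -Property @{
                Port  = $_.Port;                          Local   = $_.Local
                Owner = (Get-OwnerDescription $_.PID);    Verdict = $verdict
            }
        }
}

function Get-ConnectionReport {
    # An encrypted session is still an ordinary TCP socket, so it is listed here
    # like any other: netstat sees the connection, not the payload. It is only a
    # point-in-time snapshot, so the connection must be open while you look.
    Get-TcpEndpoints | Where-Object { $_.State -eq 'ESTABLISHED' } | ForEach-Object {
        '{0} -> {1}  {2}' -f $_.Local, $_.Remote, (Get-OwnerDescription $_.PID)
    }
}

Get-ListenerReport | Format-Table Port, Local, Owner, Verdict -AutoSize
Get-ConnectionReport
```

A listener flagged REVIEW is not proof of anything by itself; compare its owning process and service names against what you expect to be installed before treating it as suspicious.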

#26 RKinner (Malware Expert)

It's possible to get Process Monitor to log the boot sequence. That might tell you why it is trying to dial out. But first, have you tried a diagnostic startup using msconfig? It would be interesting to know if it did it then. Also try going into msconfig and unchecking everything under Startup and under Services (first hide Microsoft services). Apply and reboot. IF you remove the files from pbk does it still do it? It might just be a side effect of "Mobile Partner".

#27 mcs123 (Member, Topic Starter)

IF you remove the files from pbk does it still do it?


I have removed them. When they are removed, RasMan stops trying to run every 5 minutes, but instead it only tries to run a couple times when booting and when connecting to a network. I will try your advice regarding msconfig.

Additionally, I think I could also mention that when I started having the crash issues, I also got an error message when trying to perform the search function in Windows:

"|s refers to a location that is unavailable. It could be on a hard drive on this computer, or on a network. Check to make sure that the disk is properly inserted, or that you are connected to the Internet or your network, and then try again. If it still cannot be located, the information might have been moved to a different location."

I got this error regardless of what keyword I inserted, and I got it immediately after hitting 'Search': the search would not start until I clicked 'OK' on the error pop up. I could be wrong but I believe I received this error when performing the search for 'My Computer', rather than specific folders, which I guess could indicate some kind of hard drive problem? After all, one of my hard drives suddenly stopped working a while ago, as Windows would not detect it and sometimes would not even boot if that drive was plugged in. I think I still saw this error one time yesterday or the day before.

Anyway, I'll try your advice with msconfig. Will report back soon.

Edit: OK, tried booting in diagnostic mode. All non-Microsoft services were disabled, everything under System.ini, Win.ini, and Startup was unchecked, but RasMan still tried to run at startup (it tries to run twice in one second and then it no longer tries after that).

What's next?

Edited by mcs123, 12 September 2012 - 01:17 PM.


#28 RKinner (Malware Expert)

You are right that I do not get notified if you edit a post.

It sounds like your networking thinks it has to use dial up for some reason. We could try redoing it:

Do you have the file:

C:\WINDOWS\inf\nettcpip.inf

IF so, back up your registry:

http://pcsupport.abo...backupxpreg.htm

Then see if you can follow the steps in the Hardcore method when nothing else is working section on

http://smokeys.wordp...p3-tcpip-stack/

IF it fails you use the registry backup to get back where you were.


Something less drastic would be to right click on My Computer and select Manage then Device Manager. Find the Network Adapters and click on the + in front then right click on each and uninstall. Then reboot. Windows will rediscover them and reinstall them. This often clears a problem. (Normally this works nicely but sometimes you need to reinstall the network software so note the name(s) of the network adapters and check your PC maker's website for drivers. If you download them ahead of time then if something goes wrong you can just reinstall them.)

#29 mcs123 (Member, Topic Starter)

I tried the less radical option first, didn't work. Then I followed the steps in the article, and RasMan didn't try to launch at startup when the TCP/IP protocol had been uninstalled, but once I reinstalled it and booted, RasMan tried to run once again.

Don't know if this is useful info, but once I had uninstalled the TCP/IP protocol and rebooted, system event viewer showed a disk error (ID 11) on device \Device\Harddisk0\D

Edited by mcs123, 12 September 2012 - 08:09 PM.


#30 RKinner (Malware Expert)

system event viewer showed a disk error (ID 11) on device \Device\Harddisk0\D


1. Double-click My Computer, and then right-click the hard disk that you want to check (C:).
2. Click Properties, and then click Tools.
3. Under Error-checking, click Check Now. A dialog box that shows the Check disk options is displayed.
4. Check both boxes and then click Start.
You will receive the following message:
The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?
Click Yes to schedule the disk check, then restart.

The disk check will run and will probably take an hour or more to finish.


See if you can figure out how to get Process Monitor to log the boot process. I've done it before but didn't write it down. Perhaps that will help figure out what is causing the RAS error.