General discussion

rootkit.agent

Dec 26, 2008 11:33PM PST

[Note: This is the third time I'm trying to post... Sorry if all three actually come through, but the first two seem to me to have disappeared, I think zapped because I hadn't told NoScript that I fully allowed the page.]

Firefox suddenly quit totally, and every time I tried to open it I got that Crash Report box. I went to IE, and that would not work at all either. Luckily I had downloaded Opera at some time, and that did work. I'm in XP running a Kerio personal firewall with AVG free antivirus, and I use AdAware and Spybot S&D about once a week.

I worked with John and Mark in Browsers to try and rebuild stuff, and then we tried Malwarebytes. It was able to run in safe mode and quickly found 8 offenders, which I instructed it to remove:

5 adware.minibug (registry key)
1 rogue.win.antivirus (registry key)
2 rootkit.agent (file)
C:\windows\smdat32m.sys
C:\windows\system32\sysaudio.sys

I ran the full scan again yesterday, and 0 items were found. Since then and after reading in this forum, I've installed NoScript 1.8.8 and it is working fine. Is there anything else I should do? Thanks for any input.

Evie

Did you also run SuperAntiSpyware?
Dec 27, 2008 5:30AM PST

I also would suggest downloading, updating and running SAS:

Download and scan with SUPERAntiSpyware Free for Home Users

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):

Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.

* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".

IF you also come up CLEAN....... I would suggest:

Downloading and installing SpywareBlaster:

Prevent the installation of spyware and other potentially unwanted software! Simple, effective, trusted.

http://www.javacoolsoftware.com/spywareblaster.html

Plus:

SpywareGard

A real-time protection solution against spyware and other potentially unwanted software.

http://www.javacoolsoftware.com/spywareguard.html

some success...but maybe one problem
Dec 27, 2008 9:17AM PST

Hi and thanks for your detailed reply. I did download SAS, which found 230 adware tracking cookies and 33 unclassified Oreans 32, all of which were quarantined and removed. How bad are the Oreans 32 findings?

After that, I downloaded and installed SpywareBlaster and enabled all protection there.

Then I downloaded and installed SpywareGuard and downloaded the latest definitions, but I can't open SpywareGuard. Should I be able to open it, or does it just run on its own in the background? It does have a red SG that looks active down in the area beside the clock. But is this a problem?

Thank you again. I appreciate the help.
Evie

oreans32.sys file information
Dec 27, 2008 9:29AM PST

Hi Evie,

The process belongs to the software oreans by unknown.

Description: oreans32.sys is located in the folder C:\Windows\System32\drivers. Known file sizes on Windows XP are 33952 bytes (48% of all occurrences), 33824 bytes, 33920 bytes, 33856 bytes.
The driver can be started or stopped from Services in the Control Panel or by other programs. There is no information about the maker of the file. The program is not visible. There is no detailed description of this service. The file is not a Windows system file. oreans32.sys seems to be a compressed file. Therefore the technical security rating is 53% dangerous, however also read the users reviews.

http://www.file.net/process/oreans32.sys.html

SpywareGuard runs in the background. Correct, it has its icon near the clock. You can however RIGHTclick on the icon !

the plan, and one more question
Dec 27, 2008 9:45AM PST

OK, it sounds like I'm good to go, but before I do, I'd like to just recap...

still running Kerio Personal Firewall
still using AVG free
now also running SpywareBlaster
now also running SpywareGuard
will do a weekly scan with AdAware
will do a weekly scan with Spybot S&D
now will also do a weekly scan with SAS
now will also do a weekly scan with MBAM

My only remaining question: Is any of that redundant and therefore unnecessary?

Evie

additional
Dec 27, 2008 9:46AM PST

I forgot to put this on the list:

also now running NoScript

Sounds good.....
Dec 27, 2008 9:52AM PST

I do not know how "happy" you are with:

Lavasoft's Ad-Aware and SpybotS&D.


I replaced both by MBAM and SAS and I do not look back anymore.

But it is up to you.

Otherwise your plan sounds good to me.

Happy SAFE Computing !

not so happy
Dec 27, 2008 10:20AM PST

Ha. After what AdAware and Spybot let happen to my system, I am not so happy. If SAS and MBAM will totally cover things, AdAware and Spybot are gone.

Thanks again for the great help.
Evie

Good choice :)
Dec 27, 2008 11:07AM PST

Ad-Aware and Spybot had their good times! As I see it....... MBAM and SAS are better now.

You Are Very Welcome !

I've been watching!
Dec 27, 2008 9:13PM PST

Thanks Marianna, and I hope everything is fine now Evie.

Mark
Hey Mark!
Dec 27, 2008 11:19PM PST

I was going to come over to Browsers this morning and fill you in! Things are great, all back to normal. The only remaining annoyance is not being able to get into the Dell payment page, but since we can do that easily from my son's computer I'm going to forget it.

You guys all have helped me soooooooooooo much, and I really appreciate it. Thank you all. And thanks to CNET for having these forums!
Happy New Year!
Evie

Glad we all could help.
Dec 28, 2008 3:09AM PST

That Dell page is a mystery.

Is it an https page? https replaces the normal http in web sites to denote secure pages.

If it is, check your Firefox Tools > Options > Advanced tab, then the "Encryption" sub tab, and make sure both SSL and TLS security protocols are selected. This allows the browser to communicate via https with web site servers.

If it is not that, can you explain what fails? Can you load the web page but it won't accept payment details from you? Or what problems do you get?

Now you have NoScript, see if it is blocking any Javascript for the page, and temporarily allow all scripts.

Mark

getting into the Dell payment page
Dec 28, 2008 3:44AM PST

OK, you can see I have Airedales LOL and we Airedalian types do love a mystery. It's hard for me to forget the Dell problem, too.

I looked under encryption and both boxes were checked already.

When I try to open the Dell payment page, first I go to http://www.dell.com/content/topics/topic.aspx/us/segments/dhs/odg/paydpa3?c=us&l=en&s=dhs&cs=19

Then I scroll down a bit and click "Pay Online Now" in the Getting Started section which takes me to a log-in screen. Or should. Used to. Well, actually it is the log-in page that I can't access, I should say. Anyhow, trying to open the log-in page takes me to a page that says the following:
---
Address Not Found
Firefox can't find the server at dfs.us.dell.com.
The browser could not find the host server for the provided address.

* Did you make a mistake when typing the domain? (e.g. "ww.mozilla.org" instead of "www.mozilla.org")
* Are you certain this domain address exists? Its registration may have expired.
* Are you unable to browse other sites? Check your network connection and DNS server settings.
* Is your computer or network protected by a firewall or proxy? Incorrect settings can interfere with Web browsing.
---

So, now I'm going to turn off NoScript for that page and try it again and see what happens. Bah, the exact same message comes up. There's a big yellow triangle with an ! in it, and then the message.

Evie

Continuation of - Getting into the Dell payment page
Dec 28, 2008 7:55PM PST

I've started back at the top because we had reached the sub-thread limit with your post here;
http://forums.cnet.com/5208-4_102-0.html?forumID=32&threadID=322210&messageID=2938162#2938162

That Dell login page is http://dfs.us.dell.com/Pages/DFSHomePage.aspx . I see nothing strange about it, it is not an https secure web page at this stage. Also, the previous page where the link is for this page needs Javascript, but I deliberately did not let NoScript allow all Javascript, and clicking the link still allowed me to load this login page.

So, perhaps it is not a Javascript problem like I thought it was.

The fact that you cannot access this page in any browser suggests something else on your system is preventing access. I have two possibilities. (Well, I have three, but the 3rd is one I don't know a lot about).

1] Cookies. Most sites need your browser(s) to accept cookies for certain actions. If your browsers have set the DFS Home Page cookie as restricted, then that may be preventing access.

2] Some utility you have, eg anti-spyware, is blocking access to this page. I know Spybot Search & Destroy can do this, but if I remember right, you have now uninstalled Spybot. SpywareBlaster also has a "Restricted Sites" option under its Protected Status menu, but this is not one where sites can be added manually and is updated through SpywareBlaster's updates. You could check though, to see if "DFS Home Page" or "dfs.us.dell.com" is listed. I doubt it though.

3] Flush the DNS Cache.

I understand that the DNS Cache on your computer may hold "Page not found" entries. Flushing the DNS Cache may help to resolve these.

To do this, open a Command Prompt, (Start > All Programs > Accessories > Command Prompt), and type in the following;
ipconfig /flushdns {then press Enter}
(notice the space between the g and the /).

There's more information on Flushing the DNS here; http://www.tech-faq.com/flush-dns.shtml

I do not know too much about that.

I hope something there helps you.

Mark

uninstall
Dec 29, 2008 12:20AM PST

I'm not using Spybot or AdAware anymore, but I haven't uninstalled them, so I will do that first and see what happens.

Evie

uninstalled AdAware/Spybot, still can't get in
Dec 29, 2008 12:51AM PST

Mark, how do I check to see if Dell cookies are restricted?

Evie

Log in problems......
Dec 29, 2008 1:18AM PST
can't get to forums either
Dec 29, 2008 2:20AM PST

Well, that was a good idea! But...I get the Page Load Error box when I try to follow the link you gave me. Thanks, though.

Evie

Cookies.
Dec 29, 2008 2:50AM PST

Difficult one, and it would have to be that all browsers have been set to restrict cookies, just for Dell. Unlikely in my view.

But in Firefox, Tools > Options, Privacy tab, you have two options. The Exceptions button, and the Show Cookies button. If any Dell pages have been restricted, they should be listed in the Exceptions list.

It is also possible that Firefox is not accepting cookies at all, or not accepting 3rd party cookies, either one of which may stop a Dell page from loading.

The other browsers, IE and Opera, will have similar options/settings.

I hesitate to mention my other suggestion. The HOSTS file. I hesitate only because if the problem is with your computer's HOSTS file, the browser should not display any error message. Instead it should just display an empty page. But that doesn't seem to be the case with you.

Here's a description of the HOSTS file, what it does, and what it can be used for;
http://www.bleepingcomputer.com/tutorials/tutorial51.html

Airedales. They are those tall, lanky, hairy dogs are they not? Mental as well so I understand?

Mark

tall, lanky, hairy and brilliant <g>
Dec 29, 2008 4:28AM PST

Yep, you've got Airedales pegged, though they prefer "brilliant," "strong willed" and "single minded" to being called mental. Hahahah!

Well, Dell is not in the exceptions list (looking only at Firefox now). When I opened the show cookies list, this is what I found in the dell.com folder:

s_sess (expires at end of session)

StormSCookie (exp at end of session)
content ~tidUSendhs19=1&bandwidth=NA&flashversion=10

lwp (exp at end of session)

s_vi (exp Dec. 17, 2013)

StormPCookie (exp Dec. 18, 2018)
content penv=dhsq4superbundlea|us|dhs|8cb3f75db615800&bandw..... NOTE: window isn't wide enough for full content line

Is the reference to flashversion=10 significant by any chance?

Should I delete all cookies? And NOT delete the exceptions, I presume?

Under tools->clear private data, cookies, offline website data and saved passwords are unchecked. Can I click everything except saved passwords and then click clear private data now?

Evie <it's the terrier in me digging away at this>

It is worth a try.
Dec 29, 2008 7:23PM PST

As long as you have your usernames/passwords saved elsewhere, or can remember them, (eg for these forums), just in case you clear everything.

Don't forget the other options I suggested, ie, the HOSTS file, and the FlushDNS option.

I accept your description of Airedales.

Mark

flushed dns :-[
Dec 30, 2008 12:13AM PST

Alas, to no avail. Now I'm working on the HOSTS file. I've run a search to find it. The results:

HOSTS C:\WINDOWS\I386
LMHOSTS.SA_ C:\WINDOWS\I386
hosts C:\WINDOWS\system32\drivers\etc
lmhosts.sam C:\WINDOWS\system32\drivers\etc

When I clicked on HOSTS in the I386 folder to open it, I got a box asking what program I wanted to use to open the file. I quit at that point. What's next?

Evie

The 'Important' HOSTS File IS...
Dec 30, 2008 12:29AM PST

...the one that resides at C:\Windows\System32\Drivers\etc. Find the HOSTS file that has no file extension. That's the one that you need to check. Open it by renaming it to HOSTS.txt, then double click on it so Notepad will open the file.

Hope this helps.

Grif

not there
Dec 30, 2008 12:46AM PST

Hi and thanks, but there is no HOSTS file in that folder... ??

Evie

oops
Dec 30, 2008 12:57AM PST

I was in the wrong place, sorry.

OK, I have named the hosts file hosts.txt and opened it with notepad. It's just instructions about using # to kind of turn off a line in the hosts file so the system ignores it. It isn't anything that I expected...

I opened it again with WordPad to see what would happen, and I get the same thing. This:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

Suggestions?

Evie

That HOSTS File Is As It Should Be..
Dec 30, 2008 1:12AM PST

There are no "redirects" in that particular HOSTS file and it's the original "basic" HOSTS file that comes with Windows.

Time to check other possible locations for blocked sites.

Hope this helps.

Grif
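Grif's check above, that a HOSTS file holds no "redirects", written out as a small script. This is an added example, not code from any poster in this thread; it assumes the HOSTS text is handed in as a string, and the dfs.us.dell.com line in the second sample is constructed to show what a tampered entry would look like.

```python
"""Check a Windows HOSTS file for entries that redirect host names.

Added example, not from any post in this thread. It reads HOSTS text in
the format the file's own comments describe (IP address in the first
column, host names after it, '#' starts a comment) and reports every
mapping that is not the stock "127.0.0.1 localhost" line.
"""
import ipaddress

# The only name a clean Windows XP HOSTS file maps, and its expected addresses.
BENIGN = {"localhost": {"127.0.0.1", "::1"}}


def parse_hosts(text):
    """Return a list of (ip, [hostnames]) for every non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # column one is not an IP address: not a mapping
        if len(parts) > 1:
            entries.append((ip, [h.lower() for h in parts[1:]]))
    return entries


def find_redirects(text):
    """Return (hostname, ip) pairs for anything other than the localhost line.

    A real site name mapped to 127.0.0.1 (or any other address) is the kind of
    "redirect" Grif refers to: the browser never asks DNS for that name, so the
    page comes up blank or wrong in every browser on the machine.
    """
    flagged = []
    for ip, hosts in parse_hosts(text):
        for host in hosts:
            if ip not in BENIGN.get(host, set()):
                flagged.append((host, ip))
    return flagged


# Constructed samples: the stock file Evie pasted, and a tampered variant.
STOCK_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# For example:
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
"""
TAMPERED_HOSTS = STOCK_HOSTS + "127.0.0.1 dfs.us.dell.com  # constructed extra entry\n"

if __name__ == "__main__":
    for label, sample in (("stock", STOCK_HOSTS), ("tampered", TAMPERED_HOSTS)):
        print(label + ":", find_redirects(sample) or "no redirects")
```

Any name the script lists should be compared against what the site actually resolves to; a clean file on XP prints nothing but the localhost line.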

at least eliminates one more thing
Dec 30, 2008 2:20AM PST

Thanks. This is a process of elimination!

Evie

(NT) Remember To Rename HOSTS.txt BACK To HOSTS
Dec 30, 2008 3:17AM PST
Just a thought.....
Dec 30, 2008 12:50AM PST

Evie,

could it be, your firewall is blocking Dell??

Kerio Personal Firewall
Dec 30, 2008 1:05AM PST

How can I tell if it's blocking Dell? I don't know where to look...

Evie

Maybe this helps......
Dec 30, 2008 1:12AM PST

Sorry, I don't have the Kerio firewall, so I had to look it up:

Click on the 'Network Security' tab on the left side. Under the 'Applications' tab at the top, from there you can block/unblock.

You may also want to look in the 'Web' tab on the left, then the 'Site Exceptions' tab at the top to make sure it hasn't been put in there and blocked for some reason.


http://www.pcguide.com/vb/showthread.php?t=50564