rootkit.agent

Hi and thanks for your detailed reply. I did download SAS, which found 230 adware tracking cookies and 33 unclassified Oreans 32, all of which was quarantined and removed. How bad are the Oreans 32 findings?

After that, I downloaded and installed SpywareBlaster and enabled all protection there.

Then I downloaded and installed SpywareGuard and downloaded the latest definitions, but I can't open SpywareGuard. Should I be able to open it, or does it just run on its own in the background? It does have a red SG that looks active down in the area beside the clock. But is this a problem?

Thank you again. I appreciate the help.
Evie

Hi Evie,

The process belongs to the software oreans by unknown.

Description: oreans32.sys is located in the folder C:\Windows\System32\drivers. Known file sizes on Windows XP are 33952 bytes (48% of all occurrence), 33824 bytes, 33920 bytes, 33856 bytes.
The driver can be started or stopped from Services in the Control Panel or by other programs. There is no information about the maker of the file. The program is not visible. There is no detailed description of this service. The file is not a Windows system file. oreans32.sys seems to be a compressed file. Therefore the technical security rating is 53% dangerous, however also read the users reviews.

http://www.file.net/process/oreans32.sys.html

SpywareGuard runs in the background. Correct, it has its icon near the clock. You can however RIGHTclick on the icon !

OK, it sounds like I'm good to go, but before I do, I'd like to just recap...

still running Kerio Personal Firewall
still using AVG free
now also running SpywareBlaster
now also running SpywareGuard
will do a weekly scan with AdAware
will do a weekly scan with Spybot S&D
now will also do a weekly scan with SAS
now will also do a weekly scan with MBAM

My only remaining question: Is any of that redundant and therefore unnecessary?

Evie

I forgot to put this on the list:

also now running NoScript

I do not know how "happy" you are with:

Lavasoft's Ad-Aware and SpybotS&D.


I replaced both by MBAM and SAS and I do not look back anymore.

But it is up to you

Otherwise your plan sounds good to me.

Happy SAFE Computing !

Ha. After what AdAware and Spybot let happen to my system, I am not so happy. If SAS and MBAM will totally cover things, AdAware and Spybot are gone.

Thanks again for the great help.
Evie

Ad-Aware and Spybot had their good times! As I see it....... MBAM and SAS are better now.

You Are Very Welcome !

I was going to come over to Browsers this morning and fill you in! Things are great, all back to normal. The only remaining annoyance is not being able to get into the Dell payment page, but since we can do that easily from my son's computer I'm going to forget it.

You guys all have helped me soooooooooooo much, and I really appreciate it. Thank you all. And thanks to CNET for having these forums!
Happy New Year!
Evie

That Dell page is a mystery.

Is it an https page? https replaces the normal http in web sites to denote secure pages.

If it is, check your Firefox Tools > Options > Advanced tab, then the "Encryption" sub tab, and make sure both SSL and TLS security protocols are selected. This allows the browser to communicate via https with web site servers.

If it is not that, can you explain what fails? Can you load the web page but it won't accept payment details from you? Or what problems do you get?

Now you have NoScript, see if it is blocking any Javascript for the page, and temporarily allow all scripts.

Mark

OK, you can see I have Airedales LOL and we Airedalian types do love a mystery. It's hard for me to forget the Dell problem, too.

I looked under encription and both boxes were checked already.

When I try to open the Dell payment page, first I go to http://www.dell.com/content/topics/topic.aspx/us/segments/dhs/odg/paydpa3?c=us&l=en&s=dhs&cs=19

Then I scroll down a bit and click "Pay Online Now" in the Getting Started section which takes me to a log-in screen. Or should. Used to. Well, actually it is the log-in page that I can't access, I should say. Anyhow, trying to open the log-in page takes me to a page that says the following:
---
Address Not Found
Firefox can't find the server at dfs.us.dell.com.
The browser could not find the host server for the provided address.

* Did you make a mistake when typing the domain? (e.g. "ww.mozilla.org" instead of "www.mozilla.org")
* Are you certain this domain address exists? Its registration may have expired.
* Are you unable to browse other sites? Check your network connection and DNS server settings.
* Is your computer or network protected by a firewall or proxy? Incorrect settings can interfere with Web browsing.
---

So, now I'm going to turn off NoScript for that page and try it again and see what happens. Bah, the exact same message comes up. There's a big yellow triangle with an ! in it, and then the message.

Evie

I'm not using Spybot or AdAware anymore, but I haven't uninstalled them, so I will do that first and see what happens.

Evie

Mark, how do I check to see if Dell cookies are restricted?

Evie

Evie,

seems to me, you are NOT alone with the "logging in" problem......

have a look at this thread:

http://en.community.dell.com/forums/t/19193480.aspx

Maybe you also write an e-mail to: Dell Amie P ??

Well, that was a good idea! But...I get the Page Load Error box when I try to follow the link you gave me. Thanks, though.

Evie

Difficult one, and it would have to be that all browsers have been set to restrict cookies, just for Dell. Unlikely in my view.

But in Firefox, Tools > Options, Privacy tab, you have two options. The Exceptions button, and the Show Cookies button. If any Dell pages have been restricted, they should be listed in the Exceptions list.

It is also possible that Firefox is not accepting cookies at all, or not accepting 3rd party cookies.either one of which may stop a Dell page from loading.

The other browsers, IE and Opera, will have similar options/settings.

I hesitate to mention my other suggestion. The HOSTS file. I hesitate only because if the problem is with your computer's HOSTS file, the browser should not display any error message. Instead it should just display an empty page. But that doesn't seem to be the case with you.

Here's a description of the HOSTS file, what it does, and what it can be used for;
http://www.bleepingcomputer.com/tutorials/tutorial51.html

Airedales. They are those tall, lanky, hairy dogs are they not? Mental as well so I understand?

Mark

Yep, you've got Airedales pegged, though they prefer "brilliant," "strong willed" and "single minded" to being called mental. Hahahah!

Well, Dell is not in the exceptions list (looking only at Firefox now). When I opened the show cookies list, this is what I found in the dell.com folder:

s_sess (expires at end of session)

StormSCookie (exp at end of session)
content ~tidUSendhs19=1&bandwidth=NA&flashversion=10

lwp (exp at end of session)

s_vi (exp Dec. 17, 2013)

StormPCookie (exp Dec. 18, 201
content penv=dhsq4superbundlea|us|dhs|8cb3f75db615800&bandw..... NOTE: window isn't wide enough for full content line

Is the reference to flashversion=10 significant by any chance?

Should I delete all cookies? And NOT delete the exceptions, I presume?

Under tools->clear private data, cookies, offline website data and saved passwords are unchecked. Can I click everything except saved passwords and then click clear private data now?

Evie <it's the terrier in me digging away at this>

As long as you have your usernames/passwords saved elsewhere, or can remember them, (eg for these forums), just in case you clear everything.

Don't forget the other options I suggested, ie, the HOSTS file, and the FlushDNS option.

I accept your description of Airdales.

Mark

Alas, to no avail. Now I'm working on the HOSTS file. I've run a search to find it. The results:

HOSTS C:\WINDOWS\I386
LMHOSTS.SA_ C:\WINDOWS\I386
hosts C:\WINDOWS\system32\drivers\etc
lmhosts.sam C"\WINDOWS\system32\drivers\etc

When I clicked on HOSTS in the I386 folder to open it, I got a box asking what program I wanted to use to open the file. I quit at that point. What's next?

Evie

...the one that resides at C:\Windows\System32\Drivers\etc.. Find the HOSTS file that has no file extension. That's the one that you need to check.. Open it by renaming it to HOSTS.txt, then double click on it so Notepad will open the file.

Hope this helps.

Grif

Hi and thanks, but there is no HOSTS file in that folder... ??

Evie

I was in the wrong place, sorry.

OK, I have named the hosts file hosts.txt and opened it with notepad. It's just instructions about using # to kind of turn off a line in the hosts file so the system ignores it. It isn't anything that I expected...

I opened it again with WordPad to see what would happen, and I get the same thing. This:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

Suggestions?

Evie

There are no "redirects" in that particular HOSTS file and it's the original "basic" HOSTS file that comes with Windows.

Time to check other possible locations for blocked sites.

Hope this helps.

Grif

Thanks. This is a process of elimination!

Evie

Evie,

could it be, your firewall is blocking Dell??

How can I tell if it's blocking Dell? I don't know where to look...

Evie

Sorry, I don't have the Kerio firewall, so I had to look it up:

Click on the 'Network Security' tab on the left side. Under the 'Applications' tab at the top, from there you can block/unblock.

You may also want to look in the 'Web' tab on the left, then the 'Site Exceptions' tab at the top to make sure it hasn't been put in there and blocked for some reason.

http://www.pcguide.com/vb/showthread.php?t=50564