Unidentifiable Malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by thrik, Jun 27, 2008.

  1. thrik

    thrik Private E-2

    The problem arises when I try to downgrade my current firewall (Sunbelt Firewall Pro beta 4.6.1820.0) to an earlier, more stable version (4.5.916.0). The beta is extremely annoying, sometimes it will mess with my internet connection (random speed up and slow-downs).

    So here's what I go through in trying to uninstall the beta and reinstall the older version.

    1) I unplug my ethernet cable. I figure it wouldn't be smart to have my internet on and have no firewall running.

    2) I uninstall the SPF beta that's currently on my system.

    3) I install the previous SPF version, 4.5.916.0.

    4) I restart the computer, expecting everything to go smoothly. -_-

    5) When my computer's booted up into my desktop, strange things start happening. The firewall asks me if I want to okay an outgoing connection from "Microsoft File and Printer Sharing." At first I thought this was just a random Windows upgrade of some sort so I okay'd it. Programs wouldn't boot up correctly after I had done that. I checked into my Process Explorer and found out that they were somehow put into a "suspend" mode. All I had to do was right-click and hit the "Resume" feature, but this wouldn't always work for everything. Additionally, my internet refused to connect to anything that I wanted to. I got an icon in my taskbar that said the internet had "limited connectivity."

    6) At this point I decided it was malware and saw that my computer wouldn't last very long in that state. I ran System Restore (which thankfully worked) and went back to the restore point before I had uninstalled the SPF Beta. Everything's the way it first was, just that I'd rather not have a spotty internet connection... and the fact that there is malware somewhere dormant on my computer somewhat freaks me out.

    I'm not sure what's going on. I ran all the scanners the FAQs told me to run, but nothing turned up. I even got a log from my firewall for you guys on the mysterious connection that started this whole shebang, although I don't think it's all that informative.

    I first speculated that this could be a faulty .exe of the SPF firewall installation I was trying to go through with. I don't think this is the case, however, since I've tried downloading this file from different sources on the internet. I'm pretty sure the malware is somewhere installed on my computer already, just waiting for me to deactivate my current firewall or something. >_<

    Is there anything else I can run for you guys? Any help would be much appreciated.

    Here are the first three logs:

  2. thrik

    thrik Private E-2

    Here's the MGlogs.zip and a log of the connection request I kept on getting:

    edit: Sorry, that log had some random scribblings that I had made to myself, I forgot to clean it up. The original log is in the quotes within the textfile. Everything else is stuff I had deemed suspicious, and other internet requests I had received from "Microsoft File and Printer Sharing."

    Last edited: Jun 27, 2008
  3. abri

    abri MajorGeek

    Hi thrik,
    Welcome to MajorGeeks!

    Can you go back to a restore point which precedes the beta installation of the firewall? That might be easiest. Then uninstall Enigma from add/remove programs and uninstall the Java version that's in there. Reboot your computer and install the new Java version at Sun Java Runtime Environment

    Let me know if you were able to get back to before the beta sunbelt firewall.

    abri
     
  4. thrik

    thrik Private E-2

    Okay, I am able to access my System Restore Points, but I have a slight problem there. Installing SPF was the second thing I installed on my machine since I reformatted about a week ago (the first being Antivir), and System Restore isn't specific about whether that restore point is the beta installation or the stable one. Is there a way to see more advanced information from System Restore?

    Also, if at all possible, I'd rather not uninstall all the many programs I've installed since that time. But if need be, I will.

    Either way, *thanks*. :)
     
  5. abri

    abri MajorGeek

    Hi thrik,

    In terms of economy of your time, it would make the most sense to go to the first restore point after you installed Antivir and just reinstall everything excepting the beta version of the firewall. You'll be starting with a clean computer, and the reinstalls of the various programs take a lot less time than trying to struggle with a software problem. When you do any installs, either in this case or in the future, it does not hurt to sometimes create a restore point yourself and give it a name of your own, so you know exactly at what point you were in your installations. I especially recommend this when you install a beta version of anything. You can call a restore point like that "before beta something-or-other."

    Let me know how this goes.
    abri
     
  6. thrik

    thrik Private E-2

    So my system restore decided not to work.

    I get the error message "Cannot restore the computer to an earlier restore point, no changes have been made to your computer," when I try to. Odd how this is, since I can restore to points more recent in my computer's history. Why would inoperable restore points be listed then? Maybe my computer just doesn't know what it can or cannot do :)

    Anyways, is it time for a reformat then? My restoring to that early of a point was basically the same deal, so it's not a biggie.

    So how would I avoid anything like this in the future? Make sure to update my Java as one of the first installs on my computer?
     
  7. abri

    abri MajorGeek

    Hi thrik,

    I want to give you the address for the Beta Forum at Sunbelt as I think they would be interested in the problem you encountered and may be able to offer you an easier way to uninstall the beta rather than having to go through the whole reformat. That address is:

    http://beta.sunbelt-software.com/index.php?sid=5dea241600c6d155c1121130a7474fc2

    There's a specific thread I was looking at which made me think you would get specific help with your own problem at this forum: That particular thread is here:

    http://beta.sunbelt-software.com/viewtopic.php?t=7588&sid=42a913047aecc1d534437db4b94b6d00

    How to avoid this in the future? I don't think the Java was the problem. The only problem with the Java is that when you have an old version, it has vulnerabilities through which malware can get into your computer. Yours is not the most recent version.

    I think the problem you're having with the Beta version is just that. It's a Beta version. It's not yet finished. They test it on people's computers to find the bugs and it seems like you ran into one.

    I don't know why your restore points are not working. Can you create one?

    Let me know how things come out.
    abri
     
  8. thrik

    thrik Private E-2

    Alright, so rather than hijacking a thread over at their forums, I created a new one: http://beta.sunbelt-software.com/viewtopic.php?t=7858

    I was a little hesitant in going to them with my problem for two reasons. I had browsed the forum first before coming here and saw people complaining that they didn't receive help, despite waiting for long periods of time. My other reason was that I wasn't sure that this was directly Sunbelt's fault; I had just thought that there was something on my computer waiting for me to slip up on some aspect of my computer's protection.

    My Restore points are working, just not for the very earliest of them. I can create a restore point now and use it fine, which I've been doing sporadically trying to get this whole problem resolved. I'm not sure why my earlier ones aren't working. :|

    I would like to thank you again for all your hard work, you've probably saved me quite a bit of money if I had just paid some computer tech to take care of it. And I'm not too sure they could have anyways, they probably would've just reformatted my machine (bad experiences -_-).

    I will keep you updated on what I found out at the forums over there. And if you think of anything else, I'll gladly try it out.
     
  9. abri

    abri MajorGeek

    Hi thrik,

    Well, I thought I'd go through your logs one more time, because we didn't ever get back to the question of malware. When you first came in, you seemed quite certain there was some. Was that because of the file-sharing error?

    Enigma needs to be removed via add/remove programs. If you reformat, it will still need to be removed if it gets in again.

    Also, did you put the following folder in your computer?

    C:\Program Files\BDSokobanYASC

    And could you look at this folder - C:\Program Files\D4 - and see what is in it and if it is related to the BDSokobanYASC folder or what?

    Then I still wanted to ask you: When you unplugged your ethernet card to uninstall the beta version, did you also disable the firewall before you removed it? Did you try to remove it via add/remove programs or do they have their own uninstaller?

    abri
     
  10. thrik

    thrik Private E-2

    Yes, it was because of that, and what that error did if I allowed it through. I didn't consider suspending programs that were run normal behavior. :)

    It was also the fact that this only happened when I uninstalled the beta firewall. That's why I thought it was somehow directly related to Sunbelt... it just didn't seem to want me to uninstall it @_@

    Both Enigma and SokobanYASC are Linux-based games that were ported over to Windows, and yes, I intentionally installed those. But I have gone ahead and uninstalled them (only played 'em once anyways ^_^).

    As for D4, I have no idea what that is. All it has are two files in there that are completely empty, SyncHistory.dat and SyncHistoryServers.dat. Should I delete the folder?

    I did not try to disable the firewall before I uninstalled it, and I wasn't aware there was a difference between using add/remove programs and an uninstaller that came with a program. :|

    I actually use(d) CCleaner's uninstaller feature, as it is much more lightweight than Add/Remove programs.

    Also, I have an update of my own. I talked to the Lead Software Test Engineer over at Sunbelt, and he advised me to upgrade to the latest beta version, which I wasn't aware I didn't have. Apparently their upgrade feature too is spotty @_@

    But anyways, I upgraded the firewall, paranoid that the same problem would just repeat itself. Yet oddly enough, it went without a hitch. I got no more requests from foreign servers, despite my previous luck with uninstalling their software. I'm not sure what this means, but hey, I'm happy. My internet connection's not weirding out anymore, and I'm content with the new beta firewall.

    I just have to remember to never uninstall it and attempt to switch to something else. >_<
     
  11. abri

    abri MajorGeek

    Hi thrik,

    I don't know what those two files are in the d4 folder. You could try moving the whole folder out of your computer and seeing if 1) they come back or 2) something doesn't work. There's not much information on them except that Kaspersky doesn't seem to find them significant. Alternatively, you could upload the files to jotti or VirusTotal or virus.org, Kaspersky and see if either of them puts up an alarm.

    My main motto is never fix a working system. I doubt that they are malware, because you didn't have any malware, so it would not hurt for them to stay.

    Please do the final cleanup instructions in the box below. If you want to keep HijackThis (analyse.exe), then please skip the step which asks you to remove HijackThis via add/remove programs and see the extra instructions in gray at the bottom of the box.
    abri
     
  12. thrik

    thrik Private E-2

    Another update from the Sunbelt forums: http://beta.sunbelt-software.com/viewtopic.php?p=33670#33670

    I think we got that one solved :) Man, what a headache @_@

    Also, I followed the clean-up instructions as you posted above. Looks like this is wrapping up quite nicely :)

    I do have a question though: Why am I to uninstall SuperAntiSpyware? My understanding of the program was that it is an excellent malware scanner, and that "it has a growing reputation as the one to use for detection and removal of hard-to-kill strains" (from Gizmo).
     
  13. abri

    abri MajorGeek

    Hi thrik,

    You can keep any of the software you want to. You're right, it's a great program! We just don't like to clutter up people's machines.

    There's a thread over in the Drivers Forum about SyncMaster belonging to Samsung. Do you have Samsung equipment?

    abri
     
  14. thrik

    thrik Private E-2

    No, I don't own any Samsung equipment, but it's quite possible it's something one of my friends uses (I live at a college).

    So yeah now I've reinstalled SUPERAntiSpyware, and I'm happy. Thanks again for your help. :)
     
  15. abri

    abri MajorGeek

    You're welcome!
    Good luck with everything and enjoy your studies.
    abri
     
