SIntfNT.dll

Hello! Please help. My computer won’t start in standard mode. I’m currently in safe mode, using Win XP SP2, and avast home edition. All updated (I believe), esp. avast since it’s in automatic mode to download updates. Aside from Avast, I have ZoneAlarm firewall, Spyterminator as resident antispyware and do regular SuperAntispyware and Ad-Aware scanning.

I noticed that for the last two weeks, my drive D (secondary harddrive) suddenly disconnects or goes missing. It was usually corrected thru reboot and system restore to an earlier date. However, last night my rebooting didn’t work and my restoring gave only a blank screen. I made another restore from a different date when the most recent date didn’t work, also blank screen. Since then, I can’t restart in standard mode.

So while in safe mode, I made a standard scan with avast, which found the SIntfNT.dll.vir, which couldn’t be moved to chest, so I just chose move/rename. SuperAntispyware found some tracking cookies which I already deleted. I also did CCleaner and the default windows system clean disk.

Thinking it was the right thing to do, I renamed the SIntfNT.dll.vir into SIntfNT.dle.bir. Then I scheduled Avast for Bootscan and rebooted. For 7 hours, all I could see during the Avast scanning were continuously progressing “. . . . . . . . . . . . . . . .”. So after 7 hours, I stopped the Avast scanning then rebooted in standard mode, didn’t work, only blank screen. And now I’m in safe mode with networking. Luckily, my DSL worked so I was able to download hijack this.

Attached is the HJthis. Also, I renamed the SIntfNT.dll.vir back to its original name.

Thank you in advance for the help…

Here’s the Avast warning report.

Hi nontech,

There was a SIntfNT.dll false positive with Avast in the past, do not know if it reappeared.

Upload the file to virustotal and give us the results of the various scanners, please.

Check if you have the latest Java version, and update that.

Later we will give you an analysis of your hjt log,

polonus

Hi Polonus,

Thanks for the quick response.

Here’s the link of the Virus Total report. http://www.virustotal.com/analisis/e6efe0cdfcda352d2c66a26bbee7113d

Only avast detected it as Win32:Trojan-gen {Other}, and esafe as Suspicious File

I have Java Version 6 Update 7, as per Java website, that’s the latest.

Regards,

Hi nontech,

Well, more than likely, due to general detection, a False Positive, add to exclusion list so it does not bother you, report to avast as a FP and they will correct it in one of the coming iAVS updates,

polonus

Hi Polonus,

File already put in exclusion.

I think I need to uninstall first avast to check if I can reboot in standard mode. The failed Avast bootscan still initializes whenever I try rebooting in standard mode. However, I think the bootscan has already stalled because it just goes “…” for a long time. There are also errors in initialization of chest files. Please check the errors below:


RESUME:
Initialization of Chest files
Action was completed with errors!

ERROR REPORTS:
Program cannot use Chest client: (null)
—>Description: Virus chest server is not running. RPC communication failed.

DETAILED INFORMATIONS:
Initialization of Chest files

Program will try to load all Chest files from the following server: (null)

Action was completed with errors!


I don’t know if it has something to do with being in safe mode. So I’ll wait for your advice first before uninstalling avast. You might still need some data for analysis. Anyway, I already downloaded a new avast isetupeng and still have internet connections even in safe mode.

Hi nontech,

Install a non-resident scanner like DrWebCureIt and do a scan with it, download launch.exe from here:
ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe (Do not forget to update it to the latest version)
Report here what it found.
Do also a full scan with this SilentRunners from here: http://silentrunners.org/Silent%20Runners.vbs
Report what it found.
Now uninstall avast completely, and then re-install. Do not forget to copy your registration key with notepad and paste it later back into your new downloaded avast program.

Also add a txt file of a hijackthis log so we can analyze that.
Hijackthis can be downloaded here http://www.filehippo.com/download_hijackthis/download/58170ee6e58bba306c943f5b6d745c99/

polonus

P.S. Nothing much in your previous hjt log, all green, OK.

Hi Polonus,

  1. I can’t update DrWeb. It always prompts me to download launch.exe. Here’s the result of the express scanning. However, I can’t open it with the default .cvs extension and attaching it here was rejected since .cvs is not acceptable. So I saved it in .txt. I don’t know if I got it right how to save the report. But what I only saw was C:\ program files\superantispyware\saswinlo.dll - Trojan.Farealert.1239. Complete scanning is currently ongoing and many still are being detected. I’ll post the complete report later.

  2. I don’t know if this is the right report for the silentrunner. Your link produced this file, which was done very very fast. So I tried the download from their website. Even though I don’t know how to read it, my guess is that the results were the same.

  3. I did not download a new HJthis anymore since I noticed that I have the updated one. V2.02. I just got it last night. I’ll do the HJthis once DRWeb is done.

HJThis and complete DRWeb reports to follow.

Many thanks.

Hello!

Attached are the latest HJthis and the complete DrWeb reports.

Thanks.

I have not read HJTs since MEjian sold the program BUT
it does not take a patient read to see that you have AVG anti spyware available - good program
What did it find?
Can you update, run and post a log? Or just run in safe mode and post the log?
Did you ever have AVG AV installed? (or any other AV?)

Did your Ad-Aware scan find anything? Ad-aware should run in safe mode

comment 2
Once you get some of this sorted out I’m sure Polonus will want to see HJT in standard mode as many things are not running in Safe Mode

and you ran an AVAST scan in safe mode and put hits in the Chest - Right

Do you have both Spywareterminator real time and AVG-AS running in real time?

Lots of Toolbars and BHOs Whoopee

best have polonus sort this out

Hi Wyrmrider,

AVG and Ad-aware are both freeware only. My realtime spyware shield is Spyware Terminator. I updated them both and did complete scans (in standard mode), however, I can’t find the reports. Could be settings tweaking only. I’ll try again in safe mode. Anyway, both found tracking cookies only.

I have only Avast as my AV. I tried some AVs before but only Avast works for me, so I stayed loyal to Avast.

As instructed, attached is the HJT in standard mode.

Hi Polonus,
After doing all your instructions and deleting/reinstalling Avast, I was able to boot in standard mode. Bootscan successfully completed. No infected files found. Attached is the report.

But I’m not yet sure if I’m totally cured, so I’ll wait for your advice.

Best regards,

Hi nontech,

Fix this with hijackthis:
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

Because:
Unnecessary (deactivated) entry that can be fixed.

What makes you think you are still not completely out of the woods, signs for that?
Just perform a scan with MBAM : http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
Do a full scan and attach the log to your following posting.

polonus
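
The O3 line quoted in the post above ends in "(no file)", which is how HijackThis marks an entry whose registered file it could not find. As an added example that is not part of the thread, this sketch lists every O2 (BHO) and O3 (toolbar) line of that kind in a log; apart from the thread's own O3 entry, the sample lines are constructed.

```python
import re

# HijackThis O2 (BHO) and O3 (toolbar) lines share one shape:
#   O3 - Toolbar: <name> - {CLSID} - <file path or "(no file)">
# The CLSID is used as the anchor so names containing " - " still parse.
ENTRY = re.compile(
    r"^(?P<section>O[23]) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<target>.*)$"
)

def parse_entries(log_text):
    """Return a dict per O2/O3 line; all other log lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            entries.append(match.groupdict())
    return entries

def orphaned(entries):
    """Entries whose target is the literal "(no file)" marker."""
    return [e for e in entries if e["target"].strip().lower() == "(no file)"]

# Constructed sample log; only the "(no name)" O3 line comes from the thread.
SAMPLE_LOG = """\
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\helper.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Example - Bar - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - C:\\Program Files\\Example\\bar.dll
O4 - HKLM\\..\\Run: [example] C:\\Program Files\\Example\\tray.exe
"""

if __name__ == "__main__":
    for entry in orphaned(parse_entries(SAMPLE_LOG)):
        print(entry["section"], entry["kind"], entry["clsid"], entry["target"])
```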

Hi Polonus,

HJT fix done as instructed.

Regards,
nontech

Hi Polonus,

The computer hung twice earlier, right after I was able to boot in standard mode again. I also feel the bootup is a little bit slower than before. That is why I suspected that I might not yet be clean. Malwarebytes still got 3 infected files. Attached is the report.

Thank you.

Hi nontech,

WhoisCL.exe is not harmful to the OS but I’ve found that it uses loads of CPU, between 30-40 %. I’m not sure if it’s happened to others but I certainly don’t like this little executable file. Ending the process for good may largely improve performance.

CmdLineExt03.dll is a dll typically used by games to prevent illegal CD copying, and Diablo2. Could be a FP, if you are not in gaming it can be a hack file. Better be without.

polonus

Hi nontech,

I would also advise you to do a good cleansing routine with ATF Cleaner from here: http://majorgeeks.com/downloadget.php?id=4949&file=15&evp=72ef5a5e927b2276e6a5bc34c89d005a
Also use ClearProg and tick all to cleanse. ClearProg to be downloaded here: http://www.clearprog.de/site.php?id=10&lang=en

polonus (malware fighter)

Hi Polonus,

All cleaning instructions done. Thank you very much, non-techy like me can’t say enough. My 5yo daughter has been complaining of “boring days” and keeps on bugging me if the computer is already fixed so she can play her online games (mostly barbies and Cbeebies). She’s still sleeping, but pretty sure this is going to be a peaceful day for me. ;D

Again, thank you, Polonus and Wyrmrider.

Nontech

PS: I noticed that whenever I open a folder (using windows explorer) the folder only shows the First Letter in the toolbar at the taskbar below. Ex: for folder LOGS, only L is shown. But Filemes and Fox show the complete names. I’m not sure if this is normal, didn’t take notice before, or am I just being paranoid. thanks

http://forum.avast.com/index.php?topic=38159.msg319576#msg319576
lots of SintfNT.dll going around

Hi Wyrmrider,

I think mine was an FP. If I got it right, my problem started when my trial version of Abra Academy expired. Since even though it has already expired, I can still play the game for 5 mins. So when the 5 mins expires, I just click it again and play for another 5 mins. The opening and closing sometimes goes on, around 20x maybe, in one sitting. But since the Abra file is located at the secondary harddrive D, my PC maybe got tired of getting the program always, that’s when my drive D started to go missing.

But as I have said, I am not a techy person, so that is just my simple analysis on how it all started. :smiley: By the way, all downloaded files (including Avast before) are in drive D. So when Drive D got disconnected, Avast also stops. But I saw it now that Alwil Software files are in primary Drive C already.

Thanks again for the much needed support.