Показано с 1 по 13 из 13.

Malware killed my connection

  1. #1
    Junior Member Репутация
    Регистрация
    18.07.2010
    Сообщений
    7
    Вес репутации
    51

    Malware killed my connection

    Something has got into my syste and is killing off all executables and has seemingly disabled my internet explorer connections.

    I managed to kill off the malware by opening multiple task managers so that it spent a huge amount of time trying to close them whilst I scoured one session looking for the hooky process, which I eventually found and killed.

    I didn't have time to note the name, but I reckon I could recreate the conditions if I reboot.

    I did manage to run the Manual Disinfection by the same type of tactic and I will upload it here for you.

    Any assistance will be gratefully received as my box is currently useless and it seems nothing but a rebuild is going to fix it.

    Cheers,

    Ian

    Additional Note - My PC now won't boot up into standard mode, gets to "Welcome . . ." and the restarts. I can only get into Safe Mode. I am now officially unhappy
    Последний раз редактировалось Sully2010; 18.07.2010 в 04:39.

  2. #2
    Senior Member Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация
    Регистрация
    03.04.2006
    Сообщений
    21,100
    Вес репутации
    3023
    Close/unload all the programs excepted AVZ and Internet Explorer

    Switch off:
    - Antivirus and and, if you have - Firewall.
    - System Restore

    - Execute following script in Manual Healing
    Код:
    begin
    SearchRootkit(true, true);
    SetAVZGuardStatus(True);
    ClearQuarantine;
     QuarantineFile('C:\Documents and Settings\LocalService\Local Settings\Application Data\pvlaolbae\vucalggtssd.exe','');
     QuarantineFile('c:\documents and settings\localservice\local settings\application data\pvlaolbae\vucalggtssd.exe','');
     TerminateProcessByName('c:\documents and settings\localservice\local settings\application data\pvlaolbae\vucalggtssd.exe');
     DeleteFile('c:\documents and settings\localservice\local settings\application data\pvlaolbae\vucalggtssd.exe');
     RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','rpjjkgke');
     RegKeyParamDel('HKEY_USERS','.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run','rpjjkgke');
     RegKeyParamDel('HKEY_USERS','S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run','rpjjkgke');
     DeleteFile('C:\Documents and Settings\LocalService\Local Settings\Application Data\pvlaolbae\vucalggtssd.exe');
    ExecuteWizard('TSW', 2, 2, true);
    ExecuteWizard('SCU', 2, 2, true);
    BC_ImportAll;
    ExecuteSysClean;
    BC_Activate;
    SetAVZPMStatus(True);
    RebootWindows(true);
    end.
    After reboot:
    - Execute following script in Manual Healing
    Код:
    begin
    CreateQurantineArchive('C:\quarantine.zip');    
    end.
    - Upload the C:\quarantine.zip here: http://virusinfo.info/upload_virus_eng.php?tid=83302
    - Make a new log file.
    - Attach a new log to your new post..

  3. #3
    Junior Member Репутация
    Регистрация
    18.07.2010
    Сообщений
    7
    Вес репутации
    51

    New Log

    Things are looking good, but I will won't jump the gun.

    New log attached, I await your response.

    Cheers,

    Ian

  4. #4
    Senior Member Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация
    Регистрация
    03.04.2006
    Сообщений
    21,100
    Вес репутации
    3023
    - Execute following script in Manual Healing
    Код:
    begin
    ClearQuarantine;
     QuarantineFile('C:\Documents and Settings\Ian Sullivan\Local Settings\Temp\swt-win32-3449.dll','');
    end.
    After reboot:
    - Execute following script in Manual Healing
    Код:
    begin
    CreateQurantineArchive('C:\quarantine.zip');    
    end.
    - Upload the C:\quarantine.zip here: http://virusinfo.info/upload_virus_eng.php?tid=83302

  5. #5
    Junior Member Репутация
    Регистрация
    18.07.2010
    Сообщений
    7
    Вес репутации
    51
    Quarantine file uploaded

  6. #6
    Senior Member Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация
    Регистрация
    03.04.2006
    Сообщений
    21,100
    Вес репутации
    3023
    Цитата Сообщение от Sully2010 Посмотреть сообщение
    Quarantine file uploaded
    the file is clean. Any problem more?

  7. #7
    Junior Member Репутация
    Регистрация
    18.07.2010
    Сообщений
    7
    Вес репутации
    51
    Firstly, thanks for helping me get out of the first part of the mess, I really appreciate it.

    The rootkit now seems to be gone, but a couple of effects remain:

    1. I can't gain access to the internet via either Chrome or IE.

    Chrome error:

    Error 102 (net::ERR_CONNECTION_REFUSED): Unknown error.

    IE diag log:

    Last diagnostic run time: 07/18/10 16:55:22 HTTP, HTTPS, FTP Diagnostic
    HTTP, HTTPS, FTP connectivity

    info HTTPS: Successfully connected to www.microsoft.com.
    warn HTTP: Error 12029 connecting to www.microsoft.com: A connection with the server could not be established
    info FTP (Passive): Successfully connected to ftp.microsoft.com.
    warn HTTP: Error 12029 connecting to www.hotmail.com: A connection with the server could not be established
    error Could not make an HTTP connection.
    info Redirecting user to support call


    2. My physical DVD drive is not present in explorer. I also notice that my Magic ISO drives have disappeared.

    In Device manager my physical drive and both Magic ISO drives have the following error:

    Windows cannot load the device driver for this hardware. The driver may be corrupted or missing. (Code 39)

    I assume that the rootkit didn't want me either booting from an optical or applying anything direct from the internet to help kill it and so it has disabled these components somehow.

    Any ideas?

    Добавлено через 20 минут

    OK, I ran Hijackthis and could see that the rootkit had run me through a proxy, I have disabled "use Proxy" in Internet Options and I am now back online. Anything else I should do about this?
    Последний раз редактировалось Sully2010; 18.07.2010 в 20:26. Причина: Добавлено

  8. #8
    Junior Member Репутация
    Регистрация
    18.07.2010
    Сообщений
    7
    Вес репутации
    51

    Hijackthis Log

    This might help

  9. #9
    Senior Member Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация
    Регистрация
    03.04.2006
    Сообщений
    21,100
    Вес репутации
    3023
    Цитата Сообщение от Sully2010 Посмотреть сообщение
    This might help
    No, this might not. There are not any malware traces either in AVPTool or Hijackthis-Log.

    Pls. see here: http://www.google.de/search?q=Error+...GLL_de___DE371

  10. #10
    Junior Member Репутация
    Регистрация
    18.07.2010
    Сообщений
    7
    Вес репутации
    51
    Well, Internet is working again so I am happy about that.

    Any ideas on what has happened to my optical subsystem and what I can do about it?

  11. #11
    Senior Member Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация
    Регистрация
    03.04.2006
    Сообщений
    21,100
    Вес репутации
    3023
    Цитата Сообщение от Sully2010 Посмотреть сообщение
    Well, Internet is working again so I am happy about that.
    What did you do here?
    Цитата Сообщение от Sully2010 Посмотреть сообщение
    Any ideas on what has happened to my optical subsystem and what I can do about it?
    You can ask any specialist in your area.

  12. #12
    Junior Member Репутация
    Регистрация
    18.07.2010
    Сообщений
    7
    Вес репутации
    51
    Internet was restored by un-checking the Use Proxy Server tick-box (Internet Options\Connections\Lan Settings) the after I saw this line in the Hijackthis Log:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = http=127.0.0.1:5643

    I have now restored the Optical subsystem by Uninstalling them from Device Manager and rebooting.

    Thanks for all your help here, I am a seasoned IT worker but having an SME in a field alien to me on hand and ready to help like this is really appreciated!

    I just wish my co-workers were more like this . . .

  13. #13
    Cybernetic Helper Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация
    Регистрация
    29.12.2008
    Сообщений
    48,233
    Вес репутации
    977

    Итог лечения

    Статистика проведенного лечения:
    • Получено карантинов: 4
    • Обработано файлов: 19
    • В ходе лечения обнаружены вредоносные программы:
      1. c:\documents and settings\localservice\local settings\application data\pvlaolbae\vucalggtssd.exe - Trojan-Ransom.Win32.XBlocker.axp ( AVAST4: Win32:Zbot-MUO [Trj] )


Похожие темы

  1. Scanner received signal Killed(9)
    От Antony в разделе Помогите!
    Ответов: 0
    Последнее сообщение: 27.04.2011, 22:13
  2. Connection Tray
    От Pawlentius в разделе Помогите!
    Ответов: 3
    Последнее сообщение: 19.07.2010, 20:15
  3. z-connection
    От Sniperok в разделе Помогите!
    Ответов: 3
    Последнее сообщение: 14.04.2009, 04:32
  4. Braviax.exe and possibly Mondo virus - Kaspersky Killed
    От 8Networks_Tom в разделе Malware Removal Service
    Ответов: 1
    Последнее сообщение: 05.09.2008, 18:34

Свернуть/Развернуть Ваши права в разделе

  • Вы не можете создавать новые темы
  • Вы не можете отвечать в темах
  • Вы не можете прикреплять вложения
  • Вы не можете редактировать свои сообщения
  •  
Page generated in 0.01208 seconds with 19 queries