Показано с 1 по 13 из 13.

lets see what we can do....

  1. #1
    Junior Member Репутация
    Регистрация
    12.02.2008
    Сообщений
    24
    Вес репутации
    59

    lets see what we can do....

    my computer has major issues... help
    Последний раз редактировалось james001; 20.04.2008 в 07:24.

  2. #2
    Senior Member Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Аватар для drongo
    Регистрация
    17.09.2004
    Адрес
    Israel
    Сообщений
    7,164
    Вес репутации
    994
    Welcome

    D:\autorun.inf
    and i would like to see all msiexec.exe that you can find on your system. Zip them with password " virus" without quotes . Send us by : http://virusinfo.info/upload_virus_eng.php?tid=17930
    You should temporary disable other protection software while running investigation tool like avptool in your case. Disconnect from the interenet while doing so, in order to not get some new "things"

  3. #3
    Junior Member Репутация
    Регистрация
    12.02.2008
    Сообщений
    24
    Вес репутации
    59
    thank you for your warm welcome... what do I do with this information **D:\autorun.inf ** delete it? and how exactly do I gather all of my **msiexec.exe** from my system?

    My pc is badly infested... (I can hardly connect to the net) and I'm not that computer savy yet
    jamesboucher.blogspot.com

  4. #4
    Senior Member Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация
    Регистрация
    03.04.2006
    Сообщений
    21,100
    Вес репутации
    3023
    Цитата Сообщение от james001 Посмотреть сообщение
    .. what do I do with this information ..
    drongo whrote all of how-to instructions. PLEASE READ POSTING #2 ATTENTIVELY .
    Thank you.

  5. #5
    Senior Member Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Аватар для drongo
    Регистрация
    17.09.2004
    Адрес
    Israel
    Сообщений
    7,164
    Вес репутации
    994
    Here an example how to search : http://virusinfo.info/showthread.php?t=9208 You will need to download the avz( http://z-oleg.com/avz4.zip ), extract everything in archive to some new folder.
    I didn't told you to delete anything yet.
    Just make a copy of them and send us like i did told you in post #2
    Последний раз редактировалось drongo; 13.02.2008 в 00:35.

  6. #6
    Junior Member Репутация
    Регистрация
    12.02.2008
    Сообщений
    24
    Вес репутации
    59
    my apologies.. I had a hard time understanding exactly what he was instructing me to do.. I know little about computers. I'll study the information and figure it out.

    I don't know if this helps at all but I ran a norton antivirus scan manually from a disc.. the results said no virus was detected... but when I checked for helperrors it reported this -

    dos error levels navdx returns
    0. no errors occurred and no viruses were found
    10. a virus was found in memory.
    11. an internal program error occurred
    13. one or more viruses were found in the master boot record, boot sector, or files
    15. navdx self-check failed; it may be infected or damaged
    102. ctrl-c or ctrl-break was used to interrupt the scan

    so apparently I have viruses in memory, master boot record, boot sector and files...

    Добавлено через 1 минуту

    Цитата Сообщение от drongo Посмотреть сообщение
    Here an example how to search : http://virusinfo.info/showthread.php?t=9208 You will need to download the avz( http://z-oleg.com/avz4.zip ), extract everything in archive to some new folder.
    I didn't told you to delete anything yet.
    Just make a copy of them and send us like i did told you in post #2
    ok it should be all done an uploaded zipped with password virus....
    Последний раз редактировалось james001; 13.02.2008 в 04:26. Причина: Добавлено
    jamesboucher.blogspot.com

  7. #7
    Senior Member Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Аватар для drongo
    Регистрация
    17.09.2004
    Адрес
    Israel
    Сообщений
    7,164
    Вес репутации
    994
    Цитата Сообщение от james001 Посмотреть сообщение



    ok it should be all done an uploaded zipped with password virus....
    Indeed The question is when ?
    So far you did send us via http://virusinfo.info/upload_virus_eng.php?tid=17930 logs of the avptool, i don't know why , maybe you can explain?

  8. #8
    Junior Member Репутация
    Регистрация
    12.02.2008
    Сообщений
    24
    Вес репутации
    59
    Цитата Сообщение от drongo Посмотреть сообщение
    Indeed The question is when ?
    So far you did send us via http://virusinfo.info/upload_virus_eng.php?tid=17930 logs of the avptool, i don't know why , maybe you can explain?
    mmm.. incompetence? yes that's my excuse.. this time I uploaded -
    does this help?
    Последний раз редактировалось james001; 20.04.2008 в 07:24.
    jamesboucher.blogspot.com

  9. #9
    Senior Member Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация
    Регистрация
    03.04.2006
    Сообщений
    21,100
    Вес репутации
    3023
    @james001
    Please make step-for-step the 5 steps, as shown in the pictures.
    Than change to \\AVZ4\LOG, you'll find 2 ZIP-Files. Please upload these files.
    If it's too difficult for you, pls. search anybody in Riga to help you.
    Последний раз редактировалось Rene-gad; 17.05.2008 в 16:30.

  10. #10
    Junior Member Репутация
    Регистрация
    12.02.2008
    Сообщений
    24
    Вес репутации
    59
    ok. I followed step for step your instructions... but when I tried to change to the log (while saving?) to \\AVZ4\LOG my computer would not let me... I tried to save the log but that was hit or miss too... my computer is being difficult. I uploaded what I could save (at the bottom of post) and I will just post the results here... don't shoot me please... hehe


    AVZ Antiviral Toolkit log; AVZ version is 4.29
    Scanning started at 2/14/2008 11:11:24 AM
    Database loaded: signatures - 149769, NN profile(s) - 2, microprograms of healing - 55, signature database released 14.02.2008 14:39
    Heuristic microprograms loaded: 370
    SPV microprograms loaded: 9
    Digital signatures of system files loaded: 69360
    Heuristic analyzer mode: Maximum heuristics level
    Healing mode: enabled
    Windows version: 5.1.2600, Service Pack 2 ; AVZ is launched with administrator rights
    System Restore: enabled
    1. Searching for Rootkits and programs intercepting API functions
    1.1 Searching for user-mode API hooks
    Analysis: kernel32.dll, export table found in section .text
    Analysis: ntdll.dll, export table found in section .text
    Analysis: user32.dll, export table found in section .text
    Analysis: advapi32.dll, export table found in section .text
    Analysis: ws2_32.dll, export table found in section .text
    Analysis: wininet.dll, export table found in section .text
    Analysis: rasapi32.dll, export table found in section .text
    Analysis: urlmon.dll, export table found in section .text
    Analysis: netapi32.dll, export table found in section .text
    1.2 Searching for kernel-mode API hooks
    Driver loaded successfully
    SDT found (RVA=082680)
    Kernel ntoskrnl.exe found in memory at address 804D7000
    SDT = 80559680
    KiST = 804E26A8 (284)
    Function NtConnectPort (1F) intercepted (8058A800->84D0DB4, hook not defined
    >>> Function restored successfully !
    >>> Hook code blocked
    Function NtOpenProcess (7A) intercepted (80572D06->84E8622, hook not defined
    >>> Function restored successfully !
    >>> Hook code blocked
    Function NtOpenThread (80) intercepted (8058C806->84DFEF00), hook not defined
    >>> Function restored successfully !
    >>> Hook code blocked
    Functions checked: 284, intercepted: 3, restored: 3
    1.3 Checking IDT and SYSENTER
    Analysis for CPU 1
    Checking IDT and SYSENTER - complete
    1.4 Searching for masking processes and drivers
    Searching for masking processes and drivers - complete
    2. Scanning memory
    Number of processes found: 44
    Analyzer: process under analysis is 1308 c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    [ES]:Contains network functionality
    [ES]istens on TCP ports !
    [ES]:Application has no visible windows
    [ES]oads RASAPI DLL - may use dialing ?
    Analyzer: process under analysis is 1380 c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    [ES]:Contains network functionality
    [ES]:Application has no visible windows
    Analyzer: process under analysis is 1480 c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    [ES]:Contains network functionality
    [ES]:Application has no visible windows
    Analyzer: process under analysis is 156 C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    [ES]:Application has no visible windows
    Analyzer: process under analysis is 296 c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    [ES]:Contains network functionality
    [ES]:Application has no visible windows
    Analyzer: process under analysis is 1040 C:\Program Files\Norton AntiVirus\SAVScan.exe
    [ES]:Contains network functionality
    [ES]:Application has no visible windows
    [ES]:Is probably capable of resisting anti-virus programs
    Analyzer: process under analysis is 2124 C:\windows\system\hpsysdrv.exe
    [ES]:Application has no visible windows
    [ES]ocated in system folder
    [ES]:Registered in autoruns !!
    Analyzer: process under analysis is 2216 C:\WINDOWS\system32\hphmon06.exe
    [ES]:Contains network functionality
    [ES]:Application has no visible windows
    [ES]ocated in system folder
    [ES]:Registered in autoruns !!
    Analyzer: process under analysis is 2248 C:\HP\KBD\KBD.EXE
    [ES]:Contains network functionality
    [ES]:Application has no visible windows
    [ES]:Registered in autoruns !!
    [ES]oads RASAPI DLL - may use dialing ?
    Analyzer: process under analysis is 2392 C:\Program Files\iTunes\iTunesHelper.exe
    [ES]:Contains network functionality
    [ES]:Application has no visible windows
    [ES]:Registered in autoruns !!
    Analyzer: process under analysis is 2428 C:\Program Files\iPod\bin\iPodService.exe
    [ES]:Application has no visible windows
    Analyzer: process under analysis is 2468 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    [ES]:Contains network functionality
    [ES]istens on TCP ports !
    [ES]:Application has no visible windows
    [ES]:Registered in autoruns !!
    [ES]oads RASAPI DLL - may use dialing ?
    Analyzer: process under analysis is 2044 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    [ES]:Contains network functionality
    [ES]:Application has no visible windows
    [ES]:Registered in autoruns !!
    [ES]oads RASAPI DLL - may use dialing ?
    Number of modules loaded: 415
    Scanning memory - complete
    3. Scanning disks
    Direct reading C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll
    C:\Python22\Lib\site-packages\win32\win32popenWin9x.exe >>> suspicion for Trojan-PSW.Win32.Agent.lw ( 0044E1F4 08CD5FC5 00000000 00000000 20480)
    4. Checking Winsock Layered Service Provider (SPI/LSP)
    LSP settings checked. No errors detected
    5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
    6. Searching for opened TCP/UDP ports used by malicious programs
    Checking disabled by user
    7. Heuristic system check
    >>> D:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
    File quarantined succesfully (D:\autorun.inf)
    Checking - complete
    8. Searching for vulnerabilities
    >> Services: potentially dangerous service allowed: TermService (Terminal Services)
    >> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
    >> Services: potentially dangerous service allowed: Messenger (Messenger)
    >> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
    >> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
    >> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
    > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
    >> Security: disk drives' autorun is enabled
    >> Security: administrative shares (C$, D$ ...) are enabled
    >> Security: anonymous user access is enabled
    >> Security: sending Remote Assistant queries is enabled
    Checking - complete
    9. Troubleshooting wizard
    Checking - complete
    Files scanned: 97539, extracted from archives: 75970, malicious software found 0, suspicions - 1
    Scanning finished at 2/14/2008 11:50:49 AM
    !!! Attention !!! Recovered 3 KiST functions during Anti-Rootkit operation
    This may affect execution of several programs, so it is strongly recommended to reboot
    Time of scanning: 00:39:28
    If you have a suspicion on presence of viruses or questions on the suspected objects,
    you can address http://virusinfo.info conference
    Creating archive of files from Quarantine
    Creating archive of files from Quarantine - complete
    System Analysis in progress
    System Analysis - complete
    Последний раз редактировалось james001; 20.04.2008 в 07:24.
    jamesboucher.blogspot.com

  11. #11
    Senior Member Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация
    Регистрация
    03.04.2006
    Сообщений
    21,100
    Вес репутации
    3023
    @james001
    VERY IMPORTANT: IT IS ALLOWED TO HAVE ONLY 1 ANTIVIRUS. PLEASE JUST BEFORE MAKING THE NEW SCRIPT REMOVE ALL ANTIVIRUS PROGRAMS BUT ONE YOUR CHOICE.
    Make a script: AVZ->File->Custom Script, copy my script with Copy-Paste in the white window, press the button Run.
    Код:
    begin
    SetAVZGuardStatus(True);
    SearchRootkit(true, true);
     QuarantineFile('D:\autorun.inf','');
     DeleteFile('D:\autorun.inf');
     BC_DeleteFile('D:\autorun.inf');
    BC_ImportDeletedList;
    BC_Activate;
    RebootWindows(true);
    end.
    After reboot make 3 new logfiles and upload them:
    1. virusinfo_syscure.zip
    2. virusinfo_syscheck.zip
    3. hijackthis.log
    NO MORE FILES OR TEXTS ARE NECESSARY!!!
    NB: You shouldn't upload file virusinfo_cure.zip , instead of it we need the Hijackthis-Logfile (pls. read our rules from chapter 5 once more & this link: http://www.trendsecure.com/portal/en...hijackthis/faq ).

  12. #12
    Junior Member Репутация
    Регистрация
    12.02.2008
    Сообщений
    24
    Вес репутации
    59
    Ok I ran the script and here are the new logs...
    Последний раз редактировалось james001; 20.04.2008 в 07:24.
    jamesboucher.blogspot.com

  13. #13
    Junior Member Репутация
    Регистрация
    12.02.2008
    Сообщений
    24
    Вес репутации
    59
    Well how does this look now? My computer is still having major problems.
    jamesboucher.blogspot.com

Свернуть/Развернуть Ваши права в разделе

  • Вы не можете создавать новые темы
  • Вы не можете отвечать в темах
  • Вы не можете прикреплять вложения
  • Вы не можете редактировать свои сообщения
  •  
Page generated in 0.01573 seconds with 18 queries