Показано с 1 по 12 из 12.

End of the line, I completly give up

  1. #1
    Junior Member Репутация
    Регистрация
    23.12.2008
    Сообщений
    7
    Вес репутации
    56

    End of the line, I completly give up

    And am asking for help. Also have some information that those experts out there might find interesting. This particular critter I am dealing with sounds like it is related to the sinowal rootkit, and other boot sector types. However it has some qualities that I have not seen reported anywhere else yet.

    The problem I am having with it is thus. I have uninstalled all oses on all three of my infected computers, completely zeroed out the drives and reformatted with a slow deep format, only to have the same virus show up BEFORE i even finish the new installation procedure. The other particularly nice thing about this bug is that it works in my sabian linux as well as xp, vista, or OSx. Hows that for a good time? Since i noticed its presence, (much to late to keep all three computers from infecting eachother, (through bootable usb flash drives I think)) I have tried everything I can think of to remove this hijacker, including the fixbmr method, reflashing both machine code bios and video card bios, and nothing seems to work. I am completely at a loss. Borrowing a friends computer right now to write this, and even were I at home, I would have no os to do a scan of. I will try to get some logs and repost them. I have had some interesting ones, believe me. If nothing else, I would like some advice on weather I can salvage any components from these machines, as they were all very nice. Any advice, actually would be welcome, and I am sorry about the logs. I will try to post them later. I have a usb flash disk packed full of these ugly buggers if someone would like a sample to test. Please help me if you can.


    ok, I finally managed to get them after wrestling with it all night. I hope you know how hard it can be to do things when you have something fighting with you the whole time. It likes to turn off the mouse and keyboard on me, and other such tricks. Just out of curiosity, has anyone heard of such a sophisticated rootkit as this before? Cross platform? Possibly hardware resident? Its pretty scary. I hope I am wrong about all of that, because the ramifications are pretty scary. Anyway, here are my logs. They don't even look like much, not to me anyway. Please don't tell me you don't see anything wrong. If a more detailed description of the problem is needed, just ask. Ill write a essay. Thanks in advance for any and all time you might invest on this. Sorry for the semi bad attitude. Its been a long frustrating, ....well week actually. thanks again.
    Ps.... I think I managed to update avz before the scan, but Im not 100 percent sure....let me know what else I can do
    Последний раз редактировалось indigoash; 30.12.2008 в 17:04. Причина: add logs and update

  2. #2
    Senior Member Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация
    Регистрация
    03.04.2006
    Сообщений
    21,100
    Вес репутации
    3023
    Without seeing of the logs we can say nothing about your problem.

  3. #3
    Junior Member Репутация
    Регистрация
    23.12.2008
    Сообщений
    7
    Вес репутации
    56
    ok i will try it this way
    Вложения Вложения
    Последний раз редактировалось Rene-gad; 30.12.2008 в 18:22.

  4. #4
    Senior Member Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация
    Регистрация
    03.04.2006
    Сообщений
    21,100
    Вес репутации
    3023
    Цитата Сообщение от indigoash Посмотреть сообщение
    ok i will try it this way
    It was nothing: Old version of Hijackthis + Not-Updated database of AVZ + quarantine in the topic!!! Pls. repeat all in accordance with our rules.

  5. #5
    Junior Member Репутация
    Регистрация
    23.12.2008
    Сообщений
    7
    Вес репутации
    56
    Heh, sorry. Like I said, its been a struggle. try this. and thanks. sorry for wasting your time.
    Вложения Вложения

  6. #6
    Junior Member Репутация
    Регистрация
    23.12.2008
    Сообщений
    7
    Вес репутации
    56
    hey one more thing if it helps. I am pretty sure that whatever this thing is doing to avoid formatting, it has something to do with my video card. There is an extra "multimedia device" listed in POST which wasn't there before, with the same slot number as vga, but different IRQ. Also problems with drivers, and performance make me pretty certain. Couple of other things as well, whole new set of hidden non plug and play drivers in device manager, including one called VGA SAVE. Obviously related to the rootkit in some kind of way, you can tell by the way it gets moved around and hidden. Almost enough driver store there for a little virtual machine. You think that is a possibility? Anyway, just conjecture. thanks again,

    Добавлено через 1 минуту

    hey one more thing if it helps. I am pretty sure that whatever this thing is doing to avoid formatting, it has something to do with my video card. There is an extra "multimedia device" listed in POST which wasn't there before, with the same slot number as vga, but different IRQ. Also problems with drivers, and performance make me pretty certain. Couple of other things as well, whole new set of hidden non plug and play drivers in device manager, including one called VGA SAVE. Obviously related to the rootkit in some kind of way, you can tell by the way it gets moved around and hidden. Almost enough driver store there for a little virtual machine. You think that is a possibility? Anyway, just conjecture. thanks again,
    Последний раз редактировалось indigoash; 30.12.2008 в 21:47. Причина: Добавлено

  7. #7
    Senior Member Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Аватар для drongo
    Регистрация
    17.09.2004
    Адрес
    Israel
    Сообщений
    7,164
    Вес репутации
    994
    Well, first of all you can read this: http://www.pchell.com/support/nwprovau_dll_file.shtml
    Secondly, we would like to see copies of your files.

    In order to do this, please disable your's internet connection and ESET (nod32)
    execute this script:
    Код:
    begin
     SearchRootkit(true, true);
     SetAVZGuardStatus(True);
      QuarantineFile('C:\WINDOWS\System32\cscui.dll','');  
     QuarantineFile('C:\WINDOWS\system32\cisvc.exe','');
     BC_ImportAll;
     BC_Activate;
     RebootWindows(true);
     end.
    Please upload all your quarantine by http://virusinfo.info/upload_virus_eng.php?tid=36434
    Third : am i right, that you had deleted windows file -cisvc.exe ? It used for indexing service, so if you did disabled the indexing service on your disks- it is ok, but if you don't- it might be a problem. http://www.liutilities.com/products/...library/cisvc/

    P.S. good idea to fix in hijack this:
    Код:
    O13 - DefaultPrefix: 
    O13 - WWW Prefix: 
    O13 - Home Prefix: 
    O13 - Mosaic Prefix: 
    O13 - FTP Prefix: 
    O13 - Gopher Prefix:
    Последний раз редактировалось Rene-gad; 01.01.2009 в 20:59. Причина: script corrected

  8. #8
    Junior Member Репутация
    Регистрация
    23.12.2008
    Сообщений
    7
    Вес репутации
    56
    ok, good on the links. but there must be more code than that? or is there something more I dont understand?

    Добавлено через 6 минут

    never mind I got it. just had to reload. upload soon

    just curious, any advice for what I should do next? I didn't want to act on anything untill I hear from one of you guys. Also Kind of curious to hear what you found out about the monster. HAPPY NEW YEAR!!!!
    Последний раз редактировалось Rene-gad; 02.01.2009 в 20:07.

  9. #9
    Senior Member Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Аватар для drongo
    Регистрация
    17.09.2004
    Адрес
    Israel
    Сообщений
    7,164
    Вес репутации
    994
    we did got from you files:
    AERTSrv.exe_, MMACEPrev.exe_
    virus analist told us that they are clean, what about files that i did request from you?

    C:\WINDOWS\System32\cscui.dll
    C:\WINDOWS\system32\cisvc.exe

    ?

  10. #10
    Junior Member Репутация
    Регистрация
    23.12.2008
    Сообщений
    7
    Вес репутации
    56
    Grrrrrrrr! I do Not know how that happened! This is an insidious infection. I could have sworn I sent the right files. Ok, let me try again. Sorry!!!!!!!!!!!!!

  11. #11
    Junior Member Репутация
    Регистрация
    23.12.2008
    Сообщений
    7
    Вес репутации
    56
    did you get them? Hope so. It is really hard to tell sometimes, because this thing gets way more active when it senses any kind of anti viral activity on my part. likes to obscure my view and make windows dissappear and the like. Anyway, I hope so.

    I am pretty sure its some kind of virtual machine, and I have collected lots of evidence to back this up. The only thing I cant figure out is where it could be stored. Not on the hard drives, I am certain of this. Have booted the machine cold after a bios flash with NO Hardrives installed using a known clean live linux disk and no network connection and viral activity persists. SHould I just give Up?

    Hope to hear more soon

    indigoash

  12. #12
    Senior Member Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Аватар для drongo
    Регистрация
    17.09.2004
    Адрес
    Israel
    Сообщений
    7,164
    Вес репутации
    994
    well, avz couldn't archive them

    1)reason 1- they are clean system files
    2)reason 2- they aren't exist in your system
    3)some bug was accrued
    Don't give up
    Try to quarantine manually with zip
    Please put password for protection on zip archive "virus" or "infected" without the quotes, otherwise it will be lost.

    Did you tried to scan with cureit in safe mode ?
    Try it, perhaps it will find something. ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe
    Make full scan manually for all discs.
    Let us know It should save in your profile a log of it's scanning, you can attach it here.

Похожие темы

  1. can you give me the script
    От mahouachi32 в разделе Malware Removal Service
    Ответов: 1
    Последнее сообщение: 25.01.2010, 13:34
  2. Virus Won't give my Computer back
    От Pogo Stick в разделе Malware Removal Service
    Ответов: 1
    Последнее сообщение: 06.12.2009, 17:28
  3. kaspersky completly disabed
    От mouad2000 в разделе Malware Removal Service
    Ответов: 1
    Последнее сообщение: 25.08.2009, 16:52
  4. give me a perfect solution from viruses
    От Mayank в разделе Malware Removal Service
    Ответов: 1
    Последнее сообщение: 02.08.2009, 15:16
  5. To give the result of my scan
    От rohit222 в разделе Malware Removal Service
    Ответов: 1
    Последнее сообщение: 17.10.2008, 21:10

Свернуть/Развернуть Ваши права в разделе

  • Вы не можете создавать новые темы
  • Вы не можете отвечать в темах
  • Вы не можете прикреплять вложения
  • Вы не можете редактировать свои сообщения
  •  
Page generated in 0.00172 seconds with 20 queries