View full version : lets see what we can do....



james001
12.02.2008, 15:18
my computer has major issues... help

drongo
12.02.2008, 17:06
Welcome :)

D:\autorun.inf
and I would like to see all msiexec.exe files that you can find on your system. Zip them with the password "virus" (without quotes). Send them to us via: http://virusinfo.info/upload_virus_eng.php?tid=17930
You should temporarily disable other protection software while running an investigation tool like avptool in your case. Disconnect from the internet while doing so, in order not to get some new "things".

james001
12.02.2008, 22:16
thank you for your warm welcome... what do I do with this information **D:\autorun.inf ** delete it? and how exactly do I gather all of my **msiexec.exe** from my system?

My PC is badly infested... (I can hardly connect to the net) and I'm not that computer savvy yet

Rene-gad
13.02.2008, 00:03
.. what do I do with this information ..drongo wrote all of the how-to instructions. PLEASE READ POSTING #2 ATTENTIVELY.
Thank you.

drongo
13.02.2008, 00:25
Here is an example of how to search: http://virusinfo.info/showthread.php?t=9208 You will need to download AVZ ( http://z-oleg.com/avz4.zip ) and extract everything in the archive to some new folder.
I didn't tell you to delete anything yet.
Just make a copy of them and send them to us like I told you in post #2

james001
13.02.2008, 04:26
my apologies.. I had a hard time understanding exactly what he was instructing me to do.. I know little about computers. I'll study the information and figure it out.

I don't know if this helps at all but I ran a norton antivirus scan manually from a disc.. the results said no virus was detected... but when I checked for helperrors it reported this -

dos error levels navdx returns
0. no errors occurred and no viruses were found
10. a virus was found in memory.
11. an internal program error occurred
13. one or more viruses were found in the master boot record, boot sector, or files
15. navdx self-check failed; it may be infected or damaged
102. ctrl-c or ctrl-break was used to interrupt the scan

so apparently I have viruses in memory, master boot record, boot sector and files...

Added 1 minute later


Here is an example of how to search: http://virusinfo.info/showthread.php?t=9208 You will need to download AVZ ( http://z-oleg.com/avz4.zip ) and extract everything in the archive to some new folder.
I didn't tell you to delete anything yet.
Just make a copy of them and send them to us like I told you in post #2

ok it should be all done and uploaded, zipped with password virus....

drongo
13.02.2008, 22:28
ok it should be all done and uploaded, zipped with password virus....
Indeed ;) The question is when?
So far you sent us, via http://virusinfo.info/upload_virus_eng.php?tid=17930 , logs of the avptool; I don't know why, maybe you can explain?

james001
14.02.2008, 16:17
Indeed ;) The question is when?
So far you sent us, via http://virusinfo.info/upload_virus_eng.php?tid=17930 , logs of the avptool; I don't know why, maybe you can explain?

mmm.. incompetence? yes that's my excuse.. this time I uploaded -
does this help?

Rene-gad
14.02.2008, 16:36
@james001
Please make step by step the 5 steps, as shown in the pictures.
Then change to \\AVZ4\LOG, where you'll find 2 ZIP files. Please upload these files.
If it's too difficult for you, pls. search anybody in Riga to help you.

james001
15.02.2008, 02:38
ok. I followed your instructions step by step... but when I tried to change to the log (while saving?) to \\AVZ4\LOG my computer would not let me... I tried to save the log but that was hit or miss too... my computer is being difficult. I uploaded what I could save (at the bottom of the post) and I will just post the results here... don't shoot me please... hehe


AVZ Antiviral Toolkit log; AVZ version is 4.29
Scanning started at 2/14/2008 11:11:24 AM
Database loaded: signatures - 149769, NN profile(s) - 2, microprograms of healing - 55, signature database released 14.02.2008 14:39
Heuristic microprograms loaded: 370
SPV microprograms loaded: 9
Digital signatures of system files loaded: 69360
Heuristic analyzer mode: Maximum heuristics level
Healing mode: enabled
Windows version: 5.1.2600, Service Pack 2 ; AVZ is launched with administrator rights
System Restore: enabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=082680)
Kernel ntoskrnl.exe found in memory at address 804D7000
SDT = 80559680
KiST = 804E26A8 (284)
Function NtConnectPort (1F) intercepted (8058A800->84D0DB48), hook not defined
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenProcess (7A) intercepted (80572D06->84E86228), hook not defined
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenThread (80) intercepted (8058C806->84DFEF00), hook not defined
>>> Function restored successfully !
>>> Hook code blocked
Functions checked: 284, intercepted: 3, restored: 3
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Searching for masking processes and drivers - complete
2. Scanning memory
Number of processes found: 44
Analyzer: process under analysis is 1308 c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
[ES]:Contains network functionality
[ES]:Listens on TCP ports !
[ES]:Application has no visible windows
[ES]:Loads RASAPI DLL - may use dialing ?
Analyzer: process under analysis is 1380 c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
Analyzer: process under analysis is 1480 c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
Analyzer: process under analysis is 156 C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
[ES]:Application has no visible windows
Analyzer: process under analysis is 296 c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
Analyzer: process under analysis is 1040 C:\Program Files\Norton AntiVirus\SAVScan.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Is probably capable of resisting anti-virus programs
Analyzer: process under analysis is 2124 C:\windows\system\hpsysdrv.exe
[ES]:Application has no visible windows
[ES]:Located in system folder
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 2216 C:\WINDOWS\system32\hphmon06.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 2248 C:\HP\KBD\KBD.EXE
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
[ES]:Loads RASAPI DLL - may use dialing ?
Analyzer: process under analysis is 2392 C:\Program Files\iTunes\iTunesHelper.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 2428 C:\Program Files\iPod\bin\iPodService.exe
[ES]:Application has no visible windows
Analyzer: process under analysis is 2468 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
[ES]:Contains network functionality
[ES]:Listens on TCP ports !
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
[ES]:Loads RASAPI DLL - may use dialing ?
Analyzer: process under analysis is 2044 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
[ES]:Loads RASAPI DLL - may use dialing ?
Number of modules loaded: 415
Scanning memory - complete
3. Scanning disks
Direct reading C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll
C:\Python22\Lib\site-packages\win32\win32popenWin9x.exe >>> suspicion for Trojan-PSW.Win32.Agent.lw ( 0044E1F4 08CD5FC5 00000000 00000000 20480)
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
>>> D:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
File quarantined succesfully (D:\autorun.inf)
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
>> Services: potentially dangerous service allowed: Messenger (Messenger)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
>> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
Checking - complete
Files scanned: 97539, extracted from archives: 75970, malicious software found 0, suspicions - 1
Scanning finished at 2/14/2008 11:50:49 AM
!!! Attention !!! Recovered 3 KiST functions during Anti-Rootkit operation
This may affect execution of several programs, so it is strongly recommended to reboot
Time of scanning: 00:39:28
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference
Creating archive of files from Quarantine
Creating archive of files from Quarantine - complete
System Analysis in progress
System Analysis - complete
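An added example (not AVZ's or the forum's code) that pulls the actionable findings out of an AVZ 4.x log like the one above (SDT hooks, file suspicions, heuristic-check hits, vulnerability notes) and flags hooks whose handler lies outside the ntoskrnl image, which is what AVZ's "hook not defined" lines amount to. The 4 MiB bound on the kernel image is an assumption, and the sample is a constructed excerpt of lines from the log in this thread.

```python
import re

# Line shapes as they appear in the AVZ 4.x English log format.
HOOK_RE = re.compile(r"^Function (\w+) \(([0-9A-Fa-f]+)\) intercepted \(([0-9A-Fa-f]+)->([0-9A-Fa-f]+)\)")
KERNEL_RE = re.compile(r"^Kernel (\S+) found in memory at address ([0-9A-Fa-f]+)")
SUSP_RE = re.compile(r"^(.+?) >>> suspicion for (\S+)")
HSC_RE = re.compile(r"^>>> (.+?) HSC: (.+)$")
VULN_RE = re.compile(r"^>> (Services|Security): (.+)$")

def parse_avz_log(text):
    """Return the findings of an AVZ log as a dict of lists (addresses as ints)."""
    found = {"kernel_base": None, "hooks": [], "suspicions": [], "hsc": [], "vulns": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := KERNEL_RE.match(line):
            found["kernel_base"] = int(m.group(2), 16)
        elif m := HOOK_RE.match(line):
            found["hooks"].append({"func": m.group(1), "index": int(m.group(2), 16),
                                   "orig": int(m.group(3), 16), "hook": int(m.group(4), 16)})
        elif m := SUSP_RE.match(line):
            found["suspicions"].append((m.group(1), m.group(2)))   # (path, detection name)
        elif m := HSC_RE.match(line):
            found["hsc"].append((m.group(1), m.group(2)))          # (object, verdict)
        elif m := VULN_RE.match(line):
            found["vulns"].append((m.group(1), m.group(2)))        # (category, note)
    return found

def hooks_outside_kernel(found, kernel_span=0x400000):
    """Names of SDT hooks whose handler is not inside the ntoskrnl image.
    kernel_span (4 MiB) is an assumed upper bound on the XP kernel image size;
    a handler outside it belongs to some other driver, which AVZ could not name."""
    base = found["kernel_base"]
    if base is None:
        return []
    return [h["func"] for h in found["hooks"] if not base <= h["hook"] < base + kernel_span]

# Constructed excerpt: verbatim lines taken from the log posted above.
SAMPLE = r"""Kernel ntoskrnl.exe found in memory at address 804D7000
Function NtConnectPort (1F) intercepted (8058A800->84D0DB48), hook not defined
>>> Function restored successfully !
Function NtOpenProcess (7A) intercepted (80572D06->84E86228), hook not defined
C:\Python22\Lib\site-packages\win32\win32popenWin9x.exe >>> suspicion for Trojan-PSW.Win32.Agent.lw ( 0044E1F4 08CD5FC5 00000000 00000000 20480)
>>> D:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
>> Security: disk drives' autorun is enabled
>> Services: potentially dangerous service allowed: Messenger (Messenger)
"""

if __name__ == "__main__":
    r = parse_avz_log(SAMPLE)
    print(r["suspicions"], r["hsc"], r["vulns"], hooks_outside_kernel(r))
```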

Rene-gad
15.02.2008, 13:41
@james001
VERY IMPORTANT: IT IS ALLOWED TO HAVE ONLY 1 ANTIVIRUS. PLEASE, JUST BEFORE RUNNING THE NEW SCRIPT, REMOVE ALL ANTIVIRUS PROGRAMS BUT ONE OF YOUR CHOICE.
Make a script: AVZ->File->Custom Script, copy my script with Copy-Paste in the white window, press the button Run.

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('D:\autorun.inf','');
DeleteFile('D:\autorun.inf');
BC_DeleteFile('D:\autorun.inf');
BC_ImportDeletedList;
BC_Activate;
RebootWindows(true);
end.
After reboot make 3 new logfiles and upload them:
1. virusinfo_syscure.zip
2. virusinfo_syscheck.zip
3. hijackthis.log
NO MORE FILES OR TEXTS ARE NECESSARY!!!
NB: You shouldn't upload file virusinfo_cure.zip :), instead of it we need the Hijackthis-Logfile (pls. read our rules (http://virusinfo.info/showthread.php?t=9184) from chapter 5 once more & this link: http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/faq ).

james001
15.02.2008, 23:04
Ok I ran the script and here are the new logs...

james001
18.02.2008, 00:02
Well how does this look now? My computer is still having major problems.