
Infected already when install clean xp pro.

  1. #1
    Junior Member
    Registered: 04.12.2008
    Posts: 4
    Reputation weight: 34

    I don't get it.
    I get strange failures in the Windows error log right from the start.
    I have DoD-wiped the drive, low-level formatted it, tried everything. It's
    still there.

    (in a clean Windows XP, new install, without even being on the internet)
    If I use procexp from Sysinternals to view user access to the svchost processes I can see question-marked users and that Everyone is allowed.

    When I start up my computer the screen blinks for a while before I can log in.
    Don't know where to start. Seeing too much when I investigate it myself.

    I have suffered from this for about a year now and have formatted and zero-filled the hard drive many times, but it's still there.

    Spybot Search & Destroy reports Smitfraud-C in rundll32.exe etc.

    Take a look at the logs and everything I send. (I send over setuperr from installing WinXP Pro too), including the logs according to "the rules".

    This seems to be something that can survive in the MBR.

    If it is, then it would be great if it's possible to find a solution to this, so we all together could get rid of it, as it does not show itself that easily.

    A little info from the Windows log when it's clean:
    1 event 63
    A provider, HiPerfCooker_v1, has been registered in the WMI namespace,
    Root\WMI, to use the LocalSystem account. This account is privileged and
    the provider may cause a security violation if it does not correctly
    impersonate user requests.

    2 event 63
    A provider, CmdTriggerConsumer, has been registered in the WMI namespace,
    Root\cimv2, to use the LocalSystem account. This account is privileged
    and the provider may cause a security violation if it does not correctly
    impersonate user requests.

    3 event 5603
    A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace,
    root\RSOP, but did not specify the HostingModel property.
    This provider will be run using the LocalSystem account.
    This account is privileged and the provider may cause a security violation
    if it does not correctly impersonate user requests.
    Ensure that provider has been reviewed for security behavior and update
    the HostingModel property of the provider registration to an account with
    the least privileges possible for the required functionality.

    Yes, I know that Microsoft says that this can occur if you install a service
    pack, but this seems to be something else...

    Using WinObj from Sysinternals I can see a lot of strange things:
    "WBEM open for business"?? What's that?

    Sincerely Tommy
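An added check, not from the thread or from any tool named in it: the event 63 / 5603 messages quoted in the post above are WMI's own log of a provider registration, and the property they name, HostingModel, is stored on the provider's __Win32Provider instance in the namespace where it was registered. The PowerShell below (assumed to be run from an elevated prompt; the three namespaces are the ones in the quoted events, and the column and function names are this example's own) lists every provider in those namespaces with its hosting model, the DLL its CLSID resolves to and that DLL's Authenticode status, and then lists permanent event subscriptions in root\subscription, where a filter-to-consumer binding can keep a command line running across reinstalls of nothing but the OS, but not across a reformat.

```powershell
# Added example, not from the thread: audit WMI provider registrations and
# permanent event subscriptions. Assumes an elevated PowerShell prompt
# (PowerShell 2.0 or later) on the machine being examined.

# Namespaces taken from the events quoted in the post; add others as needed.
$Namespaces = @('root\cimv2', 'root\WMI', 'root\RSOP')

function Get-ProviderHostingReport {
    param([string[]]$NamespaceList)
    foreach ($ns in $NamespaceList) {
        # One __Win32Provider instance per provider registered in the namespace
        $providers = Get-WmiObject -Namespace $ns -Class __Win32Provider -ErrorAction SilentlyContinue
        if (-not $providers) { continue }
        foreach ($p in $providers) {
            # The CLSID points at the COM server (normally a DLL) that really runs
            $dll = $null
            $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$($p.CLSID)\InprocServer32"
            if (Test-Path $clsidKey) {
                $raw = (Get-ItemProperty -Path $clsidKey).'(default)'
                if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw) }
            }

            # Authenticode status of that DLL: Valid / NotSigned / HashMismatch ...
            $sig = 'n/a'
            if ($dll -and (Test-Path $dll)) {
                $sig = (Get-AuthenticodeSignature -FilePath $dll).Status
            }

            # Documented HostingModel values: LocalSystemHost, NetworkServiceHost,
            # LocalServiceHost, Decoupled:Com, SelfHost. An empty value is the
            # "did not specify the HostingModel property" case of event 5603,
            # for which WMI falls back to LocalSystem.
            $hosting = $p.HostingModel
            if (-not $hosting) { $hosting = '(unspecified -> LocalSystem)' }

            New-Object PSObject -Property @{
                Namespace    = $ns
                Provider     = $p.Name
                HostingModel = $hosting
                Signature    = $sig
                Dll          = $dll
            }
        }
    }
}

function Get-PermanentSubscriptions {
    # Permanent subscriptions live in root\subscription: a __FilterToConsumerBinding
    # ties an __EventFilter (the trigger query) to a consumer (the action), for
    # example a CommandLineEventConsumer that runs a command line when the
    # filter fires. Filter and Consumer are stored as relative object paths.
    Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding -ErrorAction SilentlyContinue |
        ForEach-Object {
            $filter   = [wmi]"\\.\root\subscription:$($_.Filter)"
            $consumer = [wmi]"\\.\root\subscription:$($_.Consumer)"
            New-Object PSObject -Property @{
                Filter   = $filter.Name
                Query    = $filter.Query
                Consumer = "$($consumer.__CLASS):$($consumer.Name)"
                Command  = $consumer.CommandLineTemplate   # $null unless a command-line consumer
            }
        }
}

# Usage: read the LocalSystem-hosted providers whose DLL is unsigned or lives
# outside the Windows directory first; the provider names from the post can be
# looked up in the same table.
Get-ProviderHostingReport -NamespaceList $Namespaces |
    Sort-Object Namespace, Provider |
    Format-Table Namespace, Provider, HostingModel, Signature, Dll -AutoSize

Get-PermanentSubscriptions | Format-List
```

Event 63 is written for any provider registered to run as LocalSystem, Windows' own included, so the event alone does not separate a shipped provider from a planted one; the DLL path and its signature in the table above are what make that distinction.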

  2. #2
    Senior Member
    Registered: 03.04.2006
    Posts: 21,108
    Reputation weight: 3000
    Perhaps you've got a file virus. Please check the system in safe mode with CureIt or AVPTool. AVZ cannot fight against file viruses.

  3. #3
    Junior Member
    Registered: 04.12.2008
    Posts: 4
    Reputation weight: 34
    Quote (Rene-gad): Perhaps you've got a file virus. Please check the system in safe mode with CureIt or AVPTool. AVZ cannot fight against file viruses.
    Hi! Thanks for the reply.

    I tested what you said, though I have tested this already.

    Started up in safe mode, ran CureIt -> found nothing.
    Ran the Kaspersky AVP tool. Doesn't work, quitting processes for some reason.

    But I have a Vista installation CD which I booted, and from there I tried to
    run AVPTool and it worked. Now the strange thing: it did find a trojan..

    Here it is:

    AVPTool installation file:
    ================
    Infected: Trojan program Trojan-Spy.Win32.KeyLogger.bhg c:\documents and settings\tommy\desktop\latest\setup_7.0.0.290_08.12.2008_00-38.exe.

    It said that file 019 is infected.

    I would believe that the infected file somehow does not come with the tool
    but gets infected in another way, maybe when I download things.

    That could also be an indication of why it refuses to run normally on my XP.

    Don't really know.

    Please, I would be very glad if we could solve this.

    I want to tell you that it seems to merge old versions of, for example, Media Player,
    where there are known to be many security vulnerabilities, and it tries to stop uninstall or upgrade.

    In the beginning when I bought this computer I got a "Stealth MBR rootkit" warning
    by GMER / a-rootkit. But nothing seems to get rid of it, if it was not a false alarm.

    Another thing I can view with the AVP tool is the MS .NET version I downloaded and the newest DirectX distribution; it tells me that they are all corrupted in streams and such
    behind the MSI package from MS. (very good feature of AVP-Tool)

    I have Secunia PSI installed, which warns me that everything is patched and such with warnings.

    The system accounts have taken over everything, so I was forced to change the starting account for many services to my account. (services.msc)
    Had to turn off WinMgmt because it began to take 2000 MB of RAM..

    By the way, when I ran in Vista boot, the AVPTool found an unknown
    infection:

    Possibly infected: new threat Hidden.Object (modification) X:\System Volume Information.

    It was where the Vista CD put its content in a RAM partition, which should be
    locked.

    Yes, I think as you said that it is virus-infected files. But I strongly suspect
    they are hidden by a rootkit.

    If I run ComboFix it says I have to reboot because of rootkit activity.

    I have sent over some logs from when I ran AVPTool in the Vista CD boot option, where there is a DOS prompt to run things from.

    Sent over a dmp file of mchInjDrv that exists on my system.

    Sent over Start.exe renamed to start.exe.tom, where AVP-Tool reported
    the trojan.

    /Tommy

  4. #4
    Senior Member
    Registered: 03.04.2006
    Posts: 21,108
    Reputation weight: 3000
    Either you make the 3 log files as described in the rules or I'll close this topic.

  5. #5
    Junior Member
    Registered: 04.12.2008
    Posts: 4
    Reputation weight: 34
    OK, I will. Excuse me for this.

  6. #6
    Junior Member
    Registered: 04.12.2008
    Posts: 4
    Reputation weight: 34

    Supply Logs

    Quote (Tommy.L): OK, I will. Excuse me for this.
    I did send log files, but maybe they didn't get through or I did it wrong.

    Sorry for that

    /Tommy

  7. #7
    Senior Member
    Registered: 03.04.2006
    Posts: 21,108
    Reputation weight: 3000
    I cannot find anything malicious in your log files.
