Antivirus 2009 [Solved]


#46
chamber

chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
Hi Cdn_Red,

Let's give this a whack.

Download SysProt Antirootkit to your desktop from HERE.
  • Unzip it into a folder on your desktop.
  • Double-click Sysprot.exe
  • Click on the Log tab.
  • In the Write to log box select all items.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new Window should appear.
  • Make sure Scan all drives is selected and click on the Start button.
  • When it is complete a new Window will appear to indicate that the scan is finished.
  • A log file named SysProtLog.txt will be saved automatically in the same folder. Open the text file and copy/paste the log here.

  • 0

#47
Cdn_Red

Cdn_Red

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
Hi,

When the program started, it gave me an error message that said something along the lines of "Failed to start" because I didn't have Admin privileges. It ran anyway and although it didn't want to close, it produced the following log:

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Processes found

******************************************************************************************
******************************************************************************************
No Kernel Modules found

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: ROBERT-PC:49160
Remote Address: F2.6.5646.STATIC.THEPLANET.COM:HTTP
Type: TCP
Process: 704 (PID)
State: CLOSE_WAIT

Local Address: ROBERT-PC:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: 4 (PID)
State: LISTENING

Local Address: ROBERT-PC:49159
Remote Address: 0.0.0.0:0
Type: TCP
Process: 560 (PID)
State: LISTENING

Local Address: ROBERT-PC:49158
Remote Address: 0.0.0.0:0
Type: TCP
Process: 548 (PID)
State: LISTENING

Local Address: ROBERT-PC:49157
Remote Address: 0.0.0.0:0
Type: TCP
Process: 1364 (PID)
State: LISTENING

Local Address: ROBERT-PC:49156
Remote Address: 0.0.0.0:0
Type: TCP
Process: 948 (PID)
State: LISTENING

Local Address: ROBERT-PC:49152
Remote Address: 0.0.0.0:0
Type: TCP
Process: 472 (PID)
State: LISTENING

Local Address: ROBERT-PC:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: 776 (PID)
State: LISTENING

Local Address: ROBERT-PC:138
Remote Address: NA
Type: UDP
Process: 4 (PID)
State: NA

Local Address: ROBERT-PC:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: 4 (PID)
State: NA

Local Address: ROBERT-PC:LLMNR
Remote Address: NA
Type: UDP
Process: 1072 (PID)
State: NA

Local Address: ROBERT-PC:IPSEC-MSFT
Remote Address: NA
Type: UDP
Process: 1008 (PID)
State: NA

Local Address: ROBERT-PC:500
Remote Address: NA
Type: UDP
Process: 1008 (PID)
State: NA

******************************************************************************************
******************************************************************************************
No hidden files/folders found
  • 0
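The port listing above is the only part of the SysProt log that carried any data (the process, module and hook sections came back empty, consistent with the tool running without administrator rights). As an added example that is not part of this thread or of SysProt itself, the following Python script parses that "Ports:" section and separates entries that have a real remote peer (the ones to resolve against a process list first) from local listeners. The sample input is a trimmed copy of the log posted above; the classification rules (treating "NA" and "0.0.0.0:0" as "no peer") are assumptions based on how the posted log is laid out.

```python
"""Triage the 'Ports:' section of a SysProt AntiRootkit log (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a trimmed copy of the log posted above, kept in the exact
# layout SysProt prints (one "key: value" line per field, a blank line between
# entries, a row of asterisks closing the section).
SAMPLE_LOG = """\
SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
No IRP Hooks found

******************************************************************************************
Ports:
Local Address: ROBERT-PC:49160
Remote Address: F2.6.5646.STATIC.THEPLANET.COM:HTTP
Type: TCP
Process: 704 (PID)
State: CLOSE_WAIT

Local Address: ROBERT-PC:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: 4 (PID)
State: LISTENING

Local Address: ROBERT-PC:138
Remote Address: NA
Type: UDP
Process: 4 (PID)
State: NA

Local Address: ROBERT-PC:LLMNR
Remote Address: NA
Type: UDP
Process: 1072 (PID)
State: NA

******************************************************************************************
No hidden files/folders found
"""


@dataclass
class PortEntry:
    local: str
    remote: str
    proto: str
    pid: int
    state: str

    def is_remote_connection(self) -> bool:
        # Assumption from the posted log: "0.0.0.0:0" marks an unconnected TCP
        # socket and "NA" a UDP socket, so anything else is a real peer.
        return self.remote not in ("NA", "0.0.0.0:0")

    def is_listener(self) -> bool:
        return self.proto == "TCP" and self.state == "LISTENING"


FIELD_RE = re.compile(r"^(Local Address|Remote Address|Type|Process|State):\s*(.*)$")
SECTION_END = "****"  # a row of asterisks starts the next section


def parse_ports(log_text: str) -> List[PortEntry]:
    """Return every entry of the Ports: section, in the order SysProt listed them."""
    entries: List[PortEntry] = []
    fields: Dict[str, str] = {}
    in_ports = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not in_ports:
            in_ports = line == "Ports:"
            continue
        if line.startswith(SECTION_END):
            break
        match = FIELD_RE.match(line)
        if not match:
            continue  # blank separator line
        key, value = match.groups()
        fields[key] = value
        if key == "State":  # State is the last field of each entry
            pid_match = re.match(r"\d+", fields.get("Process", ""))
            entries.append(PortEntry(
                local=fields.get("Local Address", ""),
                remote=fields.get("Remote Address", ""),
                proto=fields.get("Type", ""),
                pid=int(pid_match.group()) if pid_match else -1,
                state=value,
            ))
            fields = {}
    return entries


def triage(log_text: str) -> Dict[str, object]:
    """Split entries into remote connections and listeners, and collect the PIDs
    that still have to be matched against a process listing (SysProt gives only
    the PID, and the process section of this log was empty)."""
    entries = parse_ports(log_text)
    remote = [e for e in entries if e.is_remote_connection()]
    listeners = [e for e in entries if e.is_listener()]
    return {
        "remote": remote,
        "listeners": listeners,
        "pids_to_review": sorted({e.pid for e in remote}),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for e in result["remote"]:
        print(f"REMOTE  pid={e.pid:<5} {e.local} -> {e.remote} [{e.state}]")
    for e in result["listeners"]:
        print(f"LISTEN  pid={e.pid:<5} {e.local}")
    print("PIDs to resolve against a process list:", result["pids_to_review"])
```

On the posted log this singles out one entry, PID 704 in CLOSE_WAIT to an external HTTP host; a PID on its own proves nothing, so the next question for the poster would be which image that PID belongs to, which is exactly the information the empty process section failed to provide.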

#48
chamber

chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
Hi,

Quick question, did you right click and run as administrator and still get this error?
  • 0

#49
Cdn_Red

Cdn_Red

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
Hi chamber,

Yes, it comes up when I right-click and select "Run as Administrator". The error doesn't come up when the program first starts, it comes up when you click "Create Log".

Strange.
  • 0

#50
chamber

chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
Hi Cdn_Red,

Is there any chance that you could transfer the ComboFix log to another computer and view it from there?

Working through another couple of ideas here now.

Also,

Please download and unzip Icesword to its own folder on your desktop


If you get a lot of "red entries" in an IceSword log, don't panic.

Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log, call this Processes and save it to your desktop.


Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop.


Step 3 : Click the Startup tab and look out for red colored entries in the startup list. Write down the Path of any startup entries in red color. Then click on LOG. It will prompt you to save the log, call this Startup and save it to your desktop.


Step 4 : Click the SSDT tab and check for red colored entries. If there are any, write down the KModule name.


Step 5 : Click the Message Hooks tab and check for any entries that are underneath Type and labelled WH_KEYBOARD. Write down the Process Path of these entries if present.



Now post all of the data collected under the headings for :

Processes
Win32 Services
Startup
SSDT
Message Hooks

Edited by chamber, 02 August 2009 - 02:46 PM.

  • 0

#51
Cdn_Red

Cdn_Red

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
Hi chamber,

I attempted to copy the file to a USB drive (can't believe I didn't think of it sooner) but it tells me the file can't be moved because it is in use by another programme. I had hoped it would work.
  • 0

#52
chamber

chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
ok,

I may have a way round that but for now can you try and run IceSword?

Hopefully will have a workaround tomorrow.

////EDIT

Have you tried right clicking on the file, selecting copy and then pasting it to a flash drive? Does that produce the same error?

Edited by chamber, 02 August 2009 - 05:12 PM.

  • 0

#53
Cdn_Red

Cdn_Red

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
Hi,

Yes, right-clicking to copy to the drive gives me the same error.

Where would I find IceSword?
  • 0

#54
chamber

chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
Hi,

You can get it from my post here,

http://www.geekstogo...s...t&p=1598142
  • 0

#55
Cdn_Red

Cdn_Red

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
Thanks, sorry - somehow I missed that post.

I will try and run it tonight.
  • 0

#56
chamber

chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
No problem.
  • 0

#57
chamber

chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
Hi Cdn_Red.

OK,

Here is the plan. Windows will not allow us to view the file, as it says that it is in use. Potential solution? Don't use Windows.

For the purposes of this we will be using a Linux distro called Ubuntu.

1) Download Ubuntu.

This can be downloaded from Here.

The current stable version is 9.04 - Jaunty Jackalope, select the Desktop version.

Select the mirror that you wish to use and start the download.

Save this file somewhere convenient such as your desktop.

2) Burn the ISO file to disc.

Burn the .ISO file to a cd using your cd burning program.

If you do not have one, you can use ISOBurner. Just install the programme; from there on in it is fairly automatic. Here are some Instructions.

3) Logging into Ubuntu.

Make sure that your computer is set to boot from the CD.

Put the CD in the disc drive and then re-start your computer.

When Ubuntu loads, select the language you wish to use.

When you first boot from the Ubuntu disc you will be presented with this screen.

[screenshot omitted]

You will need to select "Try Ubuntu without any change to your computer"

When you log in you will be presented with the desktop which will look like below,

[screenshot omitted]

There will be a top bar and a bottom bar; the top bar contains what is essentially the start button and the bottom bar contains the recycle bin and the Desktop switcher.

4) Accessing the file that we need.

We will now need to access the file that Windows would not let us.

The good thing about Ubuntu is that it will allow us to view the hard drive and access Windows, and because we are not using the Windows operating system the malware should in theory not be able to block us.

On the top task bar, you will see three menus

[screenshot omitted]

Select Places,

Navigate to your main hard drive; this may be called simply "OS".

The file should be in the main folder and should be called ComboFix.txt.

Copy this file or the contents of it to a USB stick and move it to another computer.

Once you have this you can log out of Ubuntu, it will give you instructions on when to remove the cd and to close the tray.

Post the contents of the ComboFix log into your next post.

Hopefully the ComboFix log will show us where to go next and will allow us to see what is blocking everything.
  • 0
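As an added example (not part of chamber's instructions, and not a tool from this thread), the copy step in section 4 can be scripted from the Ubuntu live session so that the log is copied rather than moved and its integrity can be checked once it reaches the other computer. The mount points are assumptions (for instance the Windows volume under /media/OS and the USB stick under /media/usb); the script looks up ComboFix.txt case-insensitively because Linux lists NTFS names case-sensitively, copies it with a SHA-256 sidecar, and verifies the copy against the source. The `run_demo` function fakes both mounts in a temporary directory with a constructed file so the logic can be exercised without a real disk.

```python
"""Copy a locked Windows log from a live-Linux session, with an integrity check
(added example; mount paths are assumptions)."""
import hashlib
import shutil
import sys
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple


def find_log(volume_root: Path, name: str = "ComboFix.txt") -> Optional[Path]:
    """Locate the log in the root of the mounted Windows volume.
    NTFS is case-insensitive but the Linux listing is not, so match the name
    case-insensitively instead of trusting the exact spelling."""
    for entry in volume_root.iterdir():
        if entry.is_file() and entry.name.lower() == name.lower():
            return entry
    return None


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def copy_log(volume_root: Path, usb_root: Path) -> Tuple[Path, str]:
    """Copy (never move) the log to the USB stick and write a .sha256 sidecar.
    Returns the destination path and the hex digest of the copy."""
    src = find_log(volume_root)
    if src is None:
        raise FileNotFoundError(f"ComboFix.txt not found in {volume_root}")
    dest = usb_root / src.name
    shutil.copy2(src, dest)  # leaves the original in place on the Windows volume
    digest = sha256_of(dest)
    if digest != sha256_of(src):
        raise IOError("copy on the USB stick does not match the source file")
    (usb_root / (src.name + ".sha256")).write_text(f"{digest}  {src.name}\n")
    return dest, digest


def run_demo() -> Dict[str, str]:
    """Constructed demo: a fake 'OS' volume and 'usb' stick under a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        volume, usb = Path(tmp) / "OS", Path(tmp) / "usb"
        volume.mkdir()
        usb.mkdir()
        content = b"ComboFix log - constructed sample content\n"
        (volume / "ComboFix.txt").write_bytes(content)
        dest, digest = copy_log(volume, usb)
        return {
            "copied": dest.name,
            "digest": digest,
            "expected": hashlib.sha256(content).hexdigest(),
            "sidecar": (usb / "ComboFix.txt.sha256").read_text().strip(),
            "original_still_present": str((volume / "ComboFix.txt").exists()),
            "case_insensitive_lookup": find_log(volume, "COMBOFIX.TXT").name,
        }


if __name__ == "__main__":
    if len(sys.argv) == 3:  # e.g. python copy_log.py /media/OS /media/usb
        path, digest = copy_log(Path(sys.argv[1]), Path(sys.argv[2]))
        print(f"copied to {path}\nsha256 {digest}")
    else:
        print(run_demo())
```

On the receiving computer, `sha256sum -c ComboFix.txt.sha256` next to the copied file confirms that what gets pasted into the thread is byte-for-byte what was on the infected machine.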

#58
Cdn_Red

Cdn_Red

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
Unfortunately, IceSword won't work. I get a "Failed to initialize" error. Should this programme boot in safe mode?

Also, I am having difficulty booting from the Ubuntu disc. When I select "Try Ubuntu without any change to your computer", it just freezes completely and won't run past that point.

I tried burning a second copy, in case there was a problem with the first disc and still nothing.

Edited by Cdn_Red, 03 August 2009 - 07:53 PM.

  • 0

#59
chamber

chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
Hi Cdn_Red,

I need you to download the file that I sent you the PM link for.

  • Unzip it to your desktop to a folder named avz4
  • Double click on Kill.pif to run it.
  • Run an update by clicking the Auto Update button on the right of the Log window.
  • Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again


  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts" and mark the "Healing/Quarantine and Advanced System Analysis" check box.
  • Click on the "Execute selected scripts".
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.

When restarted

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis" check box.
  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach both zip files to your next post

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on the icon [image omitted] to insert the attachment into your post

  • 0

#60
Cdn_Red

Cdn_Red

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
I got the message and ran the programme. Here are the two logfiles.

Attached File  virusinfo_syscure.zip   22.32KB   94 downloads
Attached File  virusinfo_syscheck.zip   19.55KB   83 downloads
  • 0
