VBS/Autorun.worm.zo, Yuyun_Cantix and no connectivity.



#46
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Yes I was wrong there. It is a folder under All Users\Start Menu\Programs\ or under username\Start Menu\Program\

Ron
  • 0



#47
Greki

    Member

  • Topic Starter
  • Member
  • PipPip
  • 78 posts
I'm still restoring the shortcuts, but I forgot to mention:

The used-to-be Yuyun_Cantix icon on desktop is still there, but as an unidentified file. Do I just delete it?
  • 0

#48
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Yes, if you can.

Ron
  • 0

#49
Greki

    Member

  • Topic Starter
  • Member
  • PipPip
  • 78 posts
Lol, I can't believe just how many things we've got in the Start Menu, geez... and I still haven't finished...

Anyway, I think it's finally been disinfected from the VBS viruses.

There are several other points though:

1) The first time I did maintenance to it, she had one of those "ha ha ha photo - link" virus/bot (whatever it was) in her MSN and in her mail auto-response for that matter too. Did you see any other infections which we should remove? In that same manner, the first time I ran AVG it caught a Trojan.Backdoor and a Trojan.Loader, do you think they are still there?

2) The camera works again, but it's got this perpetual nocturnal view... I mean, it doesn't catch any color. Is that due to the software that comes with the netbook, or is there a problem with the camera?

3) Do I delete george, OTL and whatnot, and also uninstall the Recovery Console?

4) Do I turn on the antivirus protection? And for that matter, should I run one last scan of everything?

5 - IMPORTANT) I disinfected the external drive at the same time as the netbook, however, she's got an external camera, and... well, she's bound to plug in the camera memory, which had been infected too. Will Autorun Eater prevent the netbook from being infected again? What should I do to disinfect it? (Gotta add, as well, Autoplay on all drives is off.)

Finally, I have to thank you a lot for all your patience and attention. I wouldn't have been able to get to every last bit of the virus without you. Truly! Thanks! x3
  • 0

#50
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Sorry about the .lnk problem. I should have warned you that not all were bad.

It would be nice if you could get connected to the internet and let Combofix and MBAM update before running again. If you click on the wireless icon in the systray does it show that it detects your local wireless network? If you select it and try to connect what happens?

It's probably a software issue with the camera. If you can find a new driver for it you might try upgrading it or if you can find the software, uninstall it and reinstall it.

I'd leave the recovery console in any case. It only adds 2 seconds to the boot time and it can really be useful if you get a nasty infection. When you are ready to uninstall Combofix, copy the next line:

"%userprofile%\Desktop\george.exe" /Uninstall

Then Start, Run, cmd, OK, then right-click and Paste. Then hit Enter.

One last scan would be nice.

Autorun will keep the camera from reinfecting the PC. Be nice if she could run Flash_Disinfector.exe and put the camera memory in the PC so it could get immunized.

We need to clean up System Restore. Follow Jim's procedure here:
http://forum.aumha.o...581099691bf108f


I usually recommend a free BitDefender online scan as a final check to see if we missed anything. http://www.bitdefend...nline/free.html

but you would need to get it on line.

I'm not real fond of
"Advanced SystemCare 3_is1" = Advanced SystemCare 3
and
"IObit Security 360_is1" = IObit Security 360

Would be best to uninstall them.

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat. Adobe is fond of foisting GetPlus on you. You can let them install it and then afterwards, go into Control Panel, Add/Remove Software and remove it. It probably doesn't hurt to leave it but I don't see the need for it and it has caused problems in the past.

Whether you use Adobe Reader, Acrobat or Foxit to read PDF files you need to disable JavaScript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, click on JavaScript in the left column and uncheck Enable Acrobat JavaScript. OK. Close program. It's the same for Foxit Reader except you uncheck Enable JavaScript Actions.

I recommend you install the free WinPatrol 2010 from http://www.winpatrol.com/download.html

It's a small program that will sit in your systray and warn you if something tries to make changes to your system.


If your current antivirus is not a paid up subscription you should dump it and install the free Avast
http://www.avast.com...avast-home.html

Ron
  • 0

#51
Greki

    Member

  • Topic Starter
  • Member
  • PipPip
  • 78 posts
Lol, the good .lnk files are a small price in comparison to the infection. Don't worry about that.

Anyway, it does detect the network, but it keeps on saying "Limited or no connectivity" even though it's got four bars.

I tried detecting the connection again, but, it doesn't even get the IP (not valid), nor does "repair" work. It says that something's blocking it.

Btw, I tried what you said about Adobe. I'm afraid, though that I got it in Spanish (and I need to first look at it in my own PC before moving anything on her French laptop). The option you mentioned is under JavaScript, or JavaScript security?

I'll try to see a way to connect it. If I can't, though, do you think I could update MBAM and Combofix manually? Ohhh, got a way to manually update MBAM, but... I still need to see a manual Combofix update.

Oh, and the only reason I don't have Avast installed is because it's... noisy. Is there a way to make it less noisy when it detects something?

Edited by Greki, 02 April 2010 - 02:26 AM.

  • 0

#52
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Limited or no Connectivity means it did not get an IP address from the router using DHCP. There is a DHCP Client service which must be running. Also some PCs use a program from the router maker to control the wireless and this may not work with a different brand of router but almost all can be controlled by Windows using the Wireless Zero Configuration service (in Vista it's called WLAN AutoConfig).

To see if they are running, open a cmd window and:

net start

(This will give you a list of services. Look for DHCP Client and Wireless Zero Configuration. If they are not running type: )

services.msc

(This should open the services window. Find each service (DHCP Client and Wireless Zero Configuration) and right click and select Properties then change the Startup Type: to Automatic and Start the service. If it won't start write down the error message you get. Close the services window. If both services are running try turning off the firewall. It is possible for the firewall to block the DHCP traffic.)

(Disconnect the wireless or turn it off. Reconnect or turn it on and go back to cmd)

ipconfig

(Look at your ip address. Compare it to the one on the good PC - run ipconfig on the good one. The IP address is usually 192.168.0 or 1.x where x is a number between 1 and 254 and should be different from your PC. If yours has 1 as the third number then the sick one needs 1 too. The first three have to match. It's possible to bypass DHCP and assign an address manually:
1. Click "Start," click "Control Panel," click "Network and Internet Connections," and then click "Network Connections."
2. Right-click the network connection that you want to configure (the one you use to connect to the Internet), and then click Properties.
3. On the General tab (for a local area connection), or the Networking tab (for all other connections), click "Internet Protocol (TCP/IP)", and then click "Properties."
4. Fill in the blanks with the same info from the good PC but change the last number to one more: i.e. if yours is 192.168.0.100 then make this one 192.168.0.101. Don't forget to fill in the mask, default router and DNS address - you will need to run ipconfig /all to see the DNS address on your good PC. You will have to put the IP address back to Obtain Automatically before you give it back.)

There is a way to shut up Avast so it doesn't talk. If you have 5.0 then double click on the Orange Ball and select Settings then Sounds and uncheck the Enable Avast Sounds.

Got to run.

Ron

Edited by RKinner, 02 April 2010 - 09:42 AM.

  • 0
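An added example, not part of the original post: Python code that applies the checks from post #52 to `ipconfig` output from both machines, including the address-conflict concern raised later in the thread. The two output samples are constructed and assume English-language `ipconfig` in the Windows XP layout; `parse_ipconfig`, `dhcp_failed` and `check_static` are hypothetical helper names.

```python
import ipaddress
import re

# Constructed samples in the English Windows XP `ipconfig` layout.
GOOD_PC = """
        IP Address. . . . . . . . . . . . : 192.168.0.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
"""
SICK_PC = """
        Autoconfiguration IP Address. . . : 169.254.17.42
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :
"""

FIELD = re.compile(
    r"^[ \t]*(?:Autoconfiguration )?(IP Address|Subnet Mask|Default Gateway)"
    r"[ .]*:[ \t]*(\S*)", re.M)

def parse_ipconfig(text):
    """Return the first adapter's address, mask and gateway as a dict."""
    fields = {}
    for name, value in FIELD.findall(text):
        fields.setdefault(name, value)
    return fields

def dhcp_failed(fields):
    """True when the PC has no address, 0.0.0.0, or a self-assigned
    169.254.x.x one (the Windows fallback when no DHCP server answers)."""
    ip = fields.get("IP Address", "")
    if not ip:
        return True
    addr = ipaddress.ip_address(ip)
    return addr.is_link_local or addr.is_unspecified

def check_static(candidate, good, in_use=()):
    """Return the reasons `candidate` is a bad manual address (empty = OK)."""
    net = ipaddress.ip_network(
        f"{good['IP Address']}/{good['Subnet Mask']}", strict=False)
    addr = ipaddress.ip_address(candidate)
    problems = []
    if addr not in net:
        problems.append(f"not in {net}")
    elif addr in (net.network_address, net.broadcast_address):
        problems.append("network or broadcast address")
    # The good PC, the router and any other known host already hold an address.
    if candidate in {good["IP Address"], good["Default Gateway"], *in_use}:
        problems.append("already in use")
    return problems

if __name__ == "__main__":
    good = parse_ipconfig(GOOD_PC)
    print("DHCP failed on sick PC:", dhcp_failed(parse_ipconfig(SICK_PC)))
    print("192.168.0.101:", check_static("192.168.0.101", good) or "usable")
```
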

#53
Greki

    Member

  • Topic Starter
  • Member
  • PipPip
  • 78 posts
Well, that process certainly worked.

It's connected.

But there's a... slight problem.

No matter which browser I use, pages won't load.

Btw, what should I put in the auxiliary DNS (or something like that) box?
  • 0

#54
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
You can try 199.166.28.10 in the Preferred DNS server and 4.2.2.1 in the Alternate DNS server boxes or use the same as your PC.

To test the DNS you open a cmd window and type:

nslookup google.com

These are the addresses I get:
Addresses: 74.125.53.99
74.125.53.103
74.125.53.104
74.125.53.105
74.125.53.106
74.125.53.147

Take one of them and put it in the browser where you would normally type in google.com

Does it work?


Open your hosts file:
C:\WINDOWS\system32\drivers\etc\hosts in notepad and
delete everything below
127.0.0.1 localhost

Then save and exit.

Go back to cmd and

ipconfig /flushdns

Any better now?

Ron
  • 0

#55
Greki

    Member

  • Topic Starter
  • Member
  • PipPip
  • 78 posts
After placing the Preferred DNS and typing nslookup google.com in cmd, it says: DNS request timed out.

When I try one of the addresses you gave me, it says "Adress not valid".

And when I try to modify hosts, it doesn't let me save. It actually saved as a separate .txt file.
  • 0



#56
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Sorry for the delay but we had a big storm and the power was out for a few hours. Hopefully it will stay on.

If nslookup is not working then you do not have internet connectivity.

If you open cmd and just type:

ipconfig

It should tell you if it thinks it has connectivity. Then you can

ping defaultgateway

where defaultgateway is what it says in ipconfig. Probably 192.168.0.1 or 192.168.1.1.

You should get 4 replies if it is working. If it is working then try:

tracert -d 4.2.2.1

This will show you how it tries to get to the second DNS. It may not finish but may time out after 30 hops. If it gets to the internet (something without a 192.168. address) then that is not the problem.

Some cable companies will not let you have more than one PC on their circuit. That may be what we are running into, though normally with a wireless that is not a problem.

Copy the text between the lines of stars by highlighting and Ctrl + c
***************************************************************************************************

:Commands
[RESETHOSTS]
[emptytemp]
[Reboot]

*******************************************************************

Then run OTL and, under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all and then click the Run Fix button at the top.
Let the program run unhindered, OTL will reboot the PC when it is done. This should automatically clean up the hosts file.


Ron

Edited by RKinner, 02 April 2010 - 06:00 PM.

  • 0
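An added example, not part of the original posts and not OTL's own code: Python code that lists every hosts entry beyond `127.0.0.1 localhost` before it is wiped, which is the cleanup that the manual edit in post #54 and the `[RESETHOSTS]` fix in post #56 both aim at. The sample file and its `.example` hostnames are constructed, and `audit_hosts` is a hypothetical helper name.

```python
import ipaddress

# Constructed sample hosts file; names under .example are placeholders.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
127.0.0.1       update.antivirus.example   # added by something else
0.0.0.0         scanner.example www.scanner.example
203.0.113.7     bank.example
not-an-ip       broken.example
"""

def audit_hosts(text):
    """Split hosts content into (cleaned text, findings to review).

    Comments, blank lines and loopback -> localhost entries are kept.
    Every other entry is reported as (line number, kind, address, names):
      blocked    - name pinned to loopback or 0.0.0.0, so it cannot be reached
      redirected - name pointed at some other address
      malformed  - first field is not an IP address, or no hostname follows
    """
    kept, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].split()   # drop trailing comment
        if not entry:                          # blank line or pure comment
            kept.append(raw)
            continue
        addr, names = entry[0], entry[1:]
        try:
            ip = ipaddress.ip_address(addr) if names else None
        except ValueError:
            ip = None
        if ip is None:
            findings.append((lineno, "malformed", addr, names))
        elif ip.is_loopback and all(n.lower() == "localhost" for n in names):
            kept.append(raw)
        elif ip.is_loopback or ip.is_unspecified:
            findings.append((lineno, "blocked", addr, names))
        else:
            findings.append((lineno, "redirected", addr, names))
    return "\n".join(kept) + "\n", findings

if __name__ == "__main__":
    cleaned, findings = audit_hosts(SAMPLE_HOSTS)
    for lineno, kind, addr, names in findings:
        print(f"line {lineno}: {kind:<10} {addr} -> {' '.join(names)}")
    print(cleaned, end="")
```
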

#57
Greki

    Member

  • Topic Starter
  • Member
  • PipPip
  • 78 posts
When I type in ipconfig the only thing that appears in blank is the DNS suffix.

I didn't quite understand what you wanted me to do with "ping defaultgetaway" cause when I typed in "ping" there appeared a list of commands, nothing of that resembled defaultgetaway.

I still tried tracert and, on the first 25 it reached timeout. At the 26th it said something about an error. But then it said route determined.

It still won't log in though.

And I doubt it's the company. We've had several different laptops connected here at the same time as all PCs (three in total). Heck, even my own Nintendo DS manages to connect just fine.

Anyway, OTL ran fine.

Edited by Greki, 02 April 2010 - 07:30 PM.

  • 0

#58
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Didn't work then.

How do you connect to the internet? DSL or cable or ?

Have you ever had a second computer connected to your wireless at this location?

Ron
  • 0

#59
Greki

    Member

  • Topic Starter
  • Member
  • PipPip
  • 78 posts
I connect this desktop via Ethernet. I connect my DS from this same spot via Wi-Fi. I tried connecting the laptop from where the signal is at its strongest, but it didn't work.

And yep, we've had many laptops connecting here just fine. I don't understand why this one didn't work.

Sooo, do I try to find a way to update Combofix manually? (Btw, will all these changes affect her connection at her house?)
  • 0

#60
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
You will want to put it back to Automatic before you give it to her.

If there are many PCs on this network we might have chosen an IP address that is already in use. I just thought this was a home network. You may need to try a different one.

Is there a firewall involved? Don't use AVG9 so not familiar with what it does.

Ron
  • 0





