RetouchPRO

Gary - I need your help please!

#11 - Cameraken - 02-06-2007, 09:12 AM
Re: Gary - I need your help please!

Hi Syd

You do have some nasties in there.
I am still in training at the Malware University and not yet allowed to help you, but I would suggest you do nothing more until Gary replies or he will need a fresh HJT log.

I shall watch with interest as Gary fixes this.

Ken.

#12 - Syd - 02-06-2007, 09:26 AM

Thanks Ken. I won't touch anything. I am too scared too! What I am doing right now is downloading the AVG Antivirus programme but I am not going to install it or uninstall Norton or anything like that. I am going to wait for Gary first. It is 11:15 at night over here so I will probably be going to bed in the next 45 mins or so and, therefore, might not receive any advice you or anyone else might give until tomorrow morning.

Sincerely Syd

#13 - Gary Richardson - 02-07-2007, 09:20 AM

Hi Syd,

Sorry I'm a bit late getting to this; I've had a few problems lately that needed dealing with, so I've just got online.

Before we get started I've a couple of questions.

1. Is Hinet, Chungwa Telecom Co. Ltd. Taipei, Taiwan anything to do with your ISP (Internet Service Provider)?

2. How is Synnex concerned with your PC?

I see some Oriental translation programmes running on your computer, so I'm guessing the first is legit, but I'll await your answers.

You're using your D:\ drive as your default drive, so my auto systems weren't able to be used and I had to research your log manually, so that added a little time.

OK, had a look through your log, and it's mostly clean, however there's an item showing that I'm interested in.

I'd like you to check a file(s) for Viruses.
Quote:
D:\WINDOWS\system32\conime.exe
  • Click on the Browse button at the top of the screen.
  • Browse to the file.
  • Click OK.
  • Click Send, and the file will upload to VirusTotal / Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Note details of any viruses found.
  • Post me the details please.

It's quite possible you have Rootkitted processes running on your computer, so I'd like you to run some scans for me.

Download GMER and unzip it to your Desktop. (It will create a folder GMER)

Alternate Download Site
  • Disconnect from the Internet, and close all running programmes.
  • There is a small chance this programme may crash your computer, so save any work you have open.
  • Open the GMER folder, and double click gmer.exe
  • Let the gmer.sys driver load if asked.
  • If it gives you a warning at programme start about rootkit activity and asks if you want to run a scan ..... click OK.
  • If no warning:
    • Click Rootkit tab.
    • Ensure that All the boxes to the right of the program are checked except Show All.
    • Click Scan.
  • Once scan is finished click Copy.
    • Click Start > Run then type Notepad.exe then click OK.
    • This will open a Notepad file.
    • Hit Ctrl+V to paste log into it.
    • Save the log to your Desktop.
  • Reconnect to internet and post the log please.

Please do an online scan with Kaspersky Online Scanner

Note: You must be using Internet Explorer as your browser, as it will be necessary to install an ActiveX component on your computer.

Important If you have previously used Kaspersky Online Scanner (before 8th Aug 2006), you will have to uninstall the old version using Add/Remove Programs in Control Panel before you can use the new version.

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK.
  • Now under select a target to scan select My Computer.
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post please, along with the GMER log, and the details from Jotti/Virus Total.

Post each log separately, so we don't exceed the post size limiter here.

Note: The Kaspersky online scanner is not yet fully compatible with IE7. You may get returned to a window without the Accept/Decline buttons after allowing the ActiveX control. The buttons are there - you just can't see them! Click on the zoom button (bottom, right of the window) and change it from 100% to 75%. You should now see the buttons. Reset to 100% once the license has been accepted.


#14 - Syd - 02-07-2007, 10:13 AM

Gary, firstly thank you so much for responding in such a detailed way. You're a star!

Quote:
Before we get started I've a couple of questions.

1. Is Hinet, Chungwa Telecom Co. Ltd. Taipei, Taiwan anything to do with your ISP (Internet Service Provider)?

2. How is Synnex concerned with your PC?

In response to 1 - Yes, Hinet is our ISP and Chungwa is the local Telecom company.

Gary, I am not sure what Synnex is. It sounds like something to do with Norton...or is that Symantec?

Ok, the rest I will get onto right away. I am not sure how much I will be able to finish tonight (it is already after 12) but hopefully I should have everything posted by tomorrow afternoon.

Thanks again for your willingness to help Gary.
Sincerely Syd

#15 - Gary Richardson - 02-07-2007, 10:32 AM

Synnex is the website that this entry on your computer connects to.

O14 - IERESET.INF: START_PAGE_URL=Http://www.synnex.com.tw/

It is what IE uses when it resets to default conditions. Usually it is set by the computer manufacturer or machine administrator, but it can be used by an attacker for malicious purposes.

In this case Synnex appears to be the retailer for your computer, (didn't find this info 1st time round), so the entry is likely to be legit. Just like to confirm things like this with the owner of the log I'm looking at.

Always happy to help where I can, I'm monitoring this thread, so I'll be notified when you next post.

#16 - Syd - 02-07-2007, 10:35 AM

OK Gary, here is the first of your requests. Sorry, I didn't know how to post the log except by hitting Print Screen and taking it into Photoshop.

I have already downloaded gmer (sounds a bit like Khmer Rouge - lol) and will set about scanning immediately. If it takes a long time I will likely only post the results in the morning.

Thanks Gary
Syd
Attached image: Virus-Total.jpg

#17 - Gary Richardson - 02-07-2007, 03:27 PM

GMER is a rootkit scanner; its name comes from its creator, the Polish programmer Przemyslaw Gmerek. It's one of the best.

Screen print of the Virus Total page is fine.

OK, it looks like the conime.exe file is the legit Windows file. I had to check, as there is a remote access programme, BFGhost, which uses a file of the same name, as far as I know in the same location (the information I found wasn't too specific on this point).

#18 - BillFrey - 02-07-2007, 04:03 PM

I was curious and googled and found this info that might apply.

Quote:
I would also like to add that not every version of conime.exe is a trojan! conime.exe is also installed along with Windows XP in the C:\WINDOWS\system32 folder. I also have this file and it turns out it's the "Microsoft Console IME (Input Method Editor)". It executes whenever a command prompt is opened, so it seems that it's used for Asian language input support in the command prompt.

#19 - Gary Richardson - 02-07-2007, 04:32 PM

Thanks Bill, I was aware of the legit Windows file, but where there is any doubt that it may have been replaced with a malicious file I always like to check by having the file scanned as Syd did.

#20 - Syd - 02-07-2007, 10:28 PM

OK Gary, here is the GMER report:

GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-02-08 01:08:52
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT 8119FC20 ZwConnectPort
SSDT \??\D:\WINDOWS\system32\vsdatant.sys ZwOpenProcess
SSDT FFA458C0 ZwOpenThread

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [EFA06E90] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [EFA06E90] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [EFA06E90] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [EFA06E90] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [EFA06E90] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [EFA06E90] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [EFA06E90] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [EFA06E90] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [EFA06E90] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [EFA06E90] vsdatant.sys
Device \Driver\AFD \Device\Afd IRP_MJ_CREATE [EFA00B50] vsdatant.sys
Device \Driver\AFD \Device\Afd IRP_MJ_CLOSE [EFA00B50] vsdatant.sys
Device \Driver\AFD \Device\Afd IRP_MJ_DEVICE_CONTROL [EFA00B50] vsdatant.sys
Device \Driver\AFD \Device\Afd FastIoDeviceControl [EFA00510] vsdatant.sys

---- EOF - GMER 1.0.12 ----

Thanks for your help Gary. I am doing the Kaspersky scan right now, but it looks like it is going to take ages and it has slowed my computer down to a snail's pace. I will post the results later. Thanks, Syd
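Gary's GMER instructions (post #13) end with posting the log, and the log above is what an analyst then reads: which module owns each SSDT and device IRP hook, and which hooks have no owning module at all. As an added example that is not code from the thread or from GMER, the Python below parses that log layout and sorts the hooks into vouched-for modules, modules needing review, and unattributed SSDT entries. It assumes vsdatant.sys is the ZoneAlarm firewall driver (an analyst-supplied allowlist, not something the thread states) and runs on a constructed subset of the posted log.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the GMER 1.0.12 log posted above (subset).
SAMPLE_LOG = r"""
---- System - GMER 1.0.12 ----
SSDT 8119FC20 ZwConnectPort
SSDT \??\D:\WINDOWS\system32\vsdatant.sys ZwOpenProcess
SSDT FFA458C0 ZwOpenThread
---- Devices - GMER 1.0.12 ----
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [EFA06E90] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [EFA06E90] vsdatant.sys
Device \Driver\AFD \Device\Afd FastIoDeviceControl [EFA00510] vsdatant.sys
"""

SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(\w+)\s*$")
DEVICE_RE = re.compile(r"^Device\s+(\S+)\s+(\S+)\s+(\S+)\s+\[([0-9A-Fa-f]+)\]\s+(\S+)\s*$")

# Assumption, not from the thread: vsdatant.sys is the ZoneAlarm firewall driver (analyst-vouched).
KNOWN_GOOD = {"vsdatant.sys"}


def parse_gmer(text):
    """Return (hooks_by_module, unattributed): hooked targets per module file name, and
    SSDT hooks GMER printed as a bare address with no owning module, which is what a
    hidden (rootkit) driver leaves behind and always deserves a follow-up."""
    hooks = defaultdict(list)
    unattributed = []
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            owner, func = m.groups()
            if re.fullmatch(r"[0-9A-Fa-f]{8}", owner):
                unattributed.append((owner, func))  # address only, no module resolved
            else:
                hooks[owner.rsplit("\\", 1)[-1].lower()].append("SSDT " + func)
            continue
        m = DEVICE_RE.match(line)
        if m:
            _driver, device, major, _addr, module = m.groups()
            hooks[module.lower()].append(f"{device} {major}")
    return dict(hooks), unattributed


def triage(text):
    """Split hooking modules into vouched-for and needs-review; surface unattributed SSDT hooks."""
    hooks, unattributed = parse_gmer(text)
    known = {m: len(t) for m, t in hooks.items() if m in KNOWN_GOOD}
    review = {m: t for m, t in hooks.items() if m not in KNOWN_GOOD}
    return {"known_good": known, "review": review, "unattributed_ssdt": unattributed}
```

Run `triage(SAMPLE_LOG)`: every device hook is attributed to the vouched-for driver, while the two bare-address SSDT hooks are listed separately for the analyst to chase.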