Jump to content

Recommended Posts

DDS.txt and Attach.txt attached

My system runs for about 10-20 min then essentially locks up (some items not responding and some responding very slowly) and the menu bar at the bottom of the screen would disappear or turn white. Another symptem was that when selecting start->run the list of previous commands was blank.

I am running F-Secure anti-virus. I have also ran full scans using Malwarebytes, SuperAntiSpyware, and ESET Online Scanner (http://www.eset.eu/eset-online-scanner) until they gave a cleam bill of health with no effect.

Looking at System Log in Event Viewer showed an Event ID 4226. Below it the informaion on the event ID from Microsoft.

==========================

Details

Product: Windows Operating System

ID: 4226

Source: Tcpip

Version: 5.2

Symbolic Name: EVENT_TCPIP_TCP_CONNECT_LIMIT_REACHED

Message: TCP/IP has reached the security limit imposed on the number of concurrent (incomplete) TCP connect attempts.

Explanation

The TCP/IP stack in Windows XP with Service Pack 2 (SP2) installed limits the number of concurrent, incomplete outbound TCP connection attempts. When the limit is reached, subsequent connection attempts are put in a queue and resolved at a fixed rate so that there are only a limited number of connections in the incomplete state. During normal operation, when programs are connecting to available hosts at valid IP addresses, no limit is imposed on the number of connections in the incomplete state. When the number of incomplete connections exceeds the limit, for example, as a result of programs connecting to IP addresses that are not valid, connection-rate limitations are invoked, and this event is logged.

Establishing connection–rate limitations helps to limit the speed at which malicious programs, such as viruses and worms, spread to uninfected computers. Malicious programs often attempt to reach uninfected computers by opening simultaneous connections to random IP addresses. Most of these random addresses result in failed connections, so a burst of such activity on a computer is a signal that it may have been infected by a malicious program.

Connection-rate limitations may cause certain security tools, such as port scanners, to run more slowly.

User Action

This event is a warning that a malicious program or a virus might be running on the system. To troubleshoot the issue, find the program that is responsible for the failing connection attempts and, if the program might be malicious, close the program as follows.

To close the program

1. At the command prompt, type

Netstat –no

2. Find the process with a large number of open connections that are not yet established.

These connections are indicated by the TCP state SYN_SENT in the State column of the Active Connections information.

3. Note the process identification number (PID) of the process in the PID column.

4. Press CTRL+ALT+DELETE and then click Task Manager.

5. On the Processes tab, select the processes with the matching PID, and then click End Process.

If you need to select the option to view the PID for processes, on the View menu, click Select Columns, select the PID (Process Identifier) check box, and then click OK.

--------------------------------------------------------------------------------

Currently there are no Microsoft Knowledge Base articles available for this specific error or event message. For information about other support options you can use to find answers online, see http://support.microsoft.com/default.aspx.

==========================

I followed the instrucions above and a few minutes after booing I was able to identify a process that was acting as described above. The process was scvhost.exe. Using Process Explorer from www.sysinternals.com I was able to get additional information that the command line for the process was 'C:\WINDOWS\System32\svchost.exe -k netsvcs'. The offending svchost process will show an incrascing amount of memory usage.

I killed the process but within a few minutes a new version of 'C:\WINDOWS\System32\svchost.exe -k netsvcs' would start and start making connections. I did this several times but a new 'C:\WINDOWS\System32\svchost.exe -k netsvcs' would always start witing a few minutes.

An additional if I start the system in 'safe mode' it does not hang but 'safe mode with networking' has the same problem.

If I continually kill the offending svchost process the system appears to work fine however if I let it run of any length of time the process will consume more and more memory until the system locks up.

dds.txt

attach.txt

Link to post
Share on other sites

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

¤¤¤ Infection : Rogue.AntiSpy-AH|ZeroAccess ¤¤¤

[ZeroAccess] (LOCKED) windir\NtUpdateKBxxxx present!

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards and......

  • There's a possibility that you'll lose your internet connections which I may not be able to correct and will require a repair install.
  • There's also a possibility that during the cleaning procedure the computer will become unusable (won't boot) which will result in a repair install or complete format and install.
  • I strongly suggest you back up all of the important items on the system before we continue.

Please let me know you have read this and agree to it.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

----------------------------------

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Please include the C:\ComboFix.txt in your next reply for further review.

MrC

Link to post
Share on other sites

After reading your comments I will be reinstalling the OS. I do have one final question.

In the past I have reinstalled the OS without reformating. This allowed me to keep the data files. This would save me some time but if there is a chance it would not remove the virus I will go with the reformat & resinstall. In your opinion what is the risk or reinstalling the OS over the existing copy without reformating?

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.