Type: Posts; User: abramson

  1. Done. Here's MoveIt report: Sure. I...

    Done. Here's MoveIt report:

    Sure. I posted a log before, but here's the screenshot: is-processes.jpg

    The PC seems to be running normally.
  2. I don't find any AVG option that allows to shut...

    I don't find any AVG option that allows to shut down the antivirus. I could kill its processes, but there are probably several, even hidden (I say, to protect itself).

    Here's DSS Main log. No...
  3. Here are IceSword SSDT screen captures: ...

    Here are IceSword SSDT screen captures:

    is-ssdt1.jpg
    is-ssdt2.jpg
    is-ssdt3.jpg
    is-ssdt4.jpg
    is-ssdt5.jpg
    is-ssdt6.jpg
  4. Here's an IceSword Win32Services log: Started...

    Here's an IceSword Win32Services log:

    Started Service:

    Service Name:ALG Display Name:Servicio de puerta de enlace de capa de aplicación
    Service...
  5. Here's an IceSword Processes log: Process: ...

    Here's an IceSword Processes log:

    Process:

    System Idle Process
    System
    C:\WINDOWS\RTHDCPL.exe
    C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\rundll32.exe...
  6. Here's a HijackThis log: Logfile of Trend...

    Here's a HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:16:02 PM, on 1/10/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00...
  7. Hi. Unfortunately, AVG does not allow me to run...

    Hi. Unfortunately, AVG does not allow me to run WinPfind35U. Even if I tell it to "Ignore" the threat, then Windows gives me a "can't access" error when I try to run the tool.

    Guillermo
  8. Hi, Rorschach112. Thanks for your post. I was...

    Hi, Rorschach112. Thanks for your post. I was just writing when it arrived. Before I proceed, let me tell you what happened yesterday, after my last post reporting the re-infection.

    I re-applied...
  9. I need to leave now. Will continue tomorrow....

    I need to leave now. Will continue tomorrow. Thanks for your help, Rorschach112. See you tomorrow and we'll finish it.

    Guillermo
  10. And 23 additional bad files were downloaded...

    And 23 additional bad files were downloaded before I noticed and terminated the processes in IceSword.

    Guillermo
  11. I can't believe it: the infection has reappeared....

    I can't believe it: the infection has reappeared. I presume after last reboot (the one between sdfix and winpfin35u).

    The exe and sys files are again there. IceSword again shows the bad processes...
  12. Done with WinPFind35U also. I tried to attach the...

    Done with WinPFind35U also. I tried to attach the file here but it seems to be too large. I placed it on my webpage: WinPFind35.Txt

    But: something is weird with this file. Even though it is all...
  13. Thanks. That's what I thought. Here's SDFix...

    Thanks. That's what I thought. Here's SDFix report. I proceed with WinPFind35U (such a name!).

    SDFix: Version 1.125

    Run by Abramson on Wed 01/09/2008 at 05:45 PM

    Microsoft Windows XP...
  14. I was reading the instructions before proceeding....

    I was reading the instructions before proceeding. I say, Rorschach, the WinPFind35U part should also be run in safe mode? Or do I reboot in normal mode for it? Just to be sure...

    Guillermo
  15. The 29 files now present are from today, from...

    The 29 files now present are from today, from 14:04 to 14:11 local time, which was, I believe, the last time that wintems.exe was seen running. Not sure though. Many more were downloaded before, and I...
  16. OK. The first one I uploaded was identified as...

    OK. The first one I uploaded was identified as already scanned. I had it rescanned nevertheless, and the result is:

    I uploaded a few others from the folder. The ones with the wintems icon...
  17. Done. ComboFix produced the log reported below. ...

    Done. ComboFix produced the log reported below.

    AVZ: I couldn't update with any of the sources (2 of them), so I ran the tool anyway (since the only selected was restore safeboot... did I mess it...
  18. I checked again with IceSword after last post. No...

    I checked again with IceSword after last post. No hldrrr.exe nor wintems.exe processes, no srosa.sys items on SSDT list.

    However, file hldrrr.exe is still in system32\drivers. Should I remove it...
  19. OK, here's ComboFix log. (Byproduct: my default...

    OK, here's ComboFix log. (Byproduct: my default browser was reset to Internet Explorer (from Opera) and IE icon appeared on desktop.):

    ComboFix 08-01-09.2 - Abramson 2008-01-09 14:13:23.1 -...
  20. OK, I did as said: terminated processes, deleted...

    OK, I did as said: terminated processes, deleted files in IS, tried to delete files in MoveIt. After pressing MoveIt! I received an error box saying:

    And the Results pane of MoveIt reads:

    ...
  21. Rorschach112, bad news: wintems.exe reappeared. I...

    Rorschach112, bad news: wintems.exe reappeared. I re-ran IS after posting, and there it was, grrrr!:

    Process:

    System Idle Process
    System
    C:\ARCHIV~1\Util\CBOClean\BOCore.exe
    C:\Archivos de...
  22. DSS Main.txt: Deckard's System Scanner...

    DSS Main.txt:

    Deckard's System Scanner v20071014.68
    Run by Abramson on 2008-01-09 13:13:33
    Computer is in Normal Mode....
  23. Hi. Partial success, as you will see. I did what...

    Hi. Partial success, as you will see. I did what you said (and deleted also the srosa.sy_). Wintems.exe is gone from the Processes, but hldrrr.exe is there as is srosa.sys in the SSDT list.
    ...
  24. I have been browsing the folders that seem to...

    I have been browsing the folders that seem to contain the problematic files, and in c:\WINDOWS\system32\drivers\ I found srosa.sy_ created yesterday (01/08), last modified today, 108,928 bytes, same...
  25. Hi, Rorschach112. Thanks. Here are the snapshots:...

    Hi, Rorschach112. Thanks. Here are the snapshots:

    Processes:
    http://cabfst28.cnea.gov.ar/~abramson/fotos/is-processes.jpg

    SSDT:
    http://cabfst28.cnea.gov.ar/~abramson/fotos/is-ssdt1.jpg...
  26. DSS did not open an "extra" report (it's not also...

    DSS did not open an "extra" report (it's also not in c:\Deckard\System Scanner\, where only main.txt is to be found (?)).

    Guillermo
  27. DSS Main log follows. Guillermo. Deckard's...

    DSS Main log follows. Guillermo.

    Deckard's System Scanner v20071014.68
    Run by Abramson on 2008-01-09 10:07:46
    Computer is in Normal Mode....
  28. Hi. Rorschach112. Thanks for the answer. I did as...

    Hi. Rorschach112. Thanks for the answer. I did as you suggested. Here are the results.

    Processes in red: hldrrr.exe
    Win32Services in red: none
    SSDT in red: srosa.sys, iksysflt.sys, guard.sys...
  29. can't get rid of hldrrr.exe, srosa.sys, wintems.exe

    Hi all!

    My machine has got an infection with a rootkit, it seems, and I cannot get rid of it. I have followed instructions given by Rorschach112 in a similar thread, but the bad guys keep...