Type: Posts; User: abramson; Keyword(s):
Done. Here's MoveIt report:
Sure. I posted a log before, but here's the screenshot: is-processes.jpg
The PC seems to be running normally.
I don't find any AVG option that allows shutting down the antivirus. I could kill its processes, but there are probably several, even hidden ones (to protect itself, I say).
Here's DSS Main log. No...
Here are IceSword SSDT screen captures:
is-ssdt1.jpg
is-ssdt2.jpg
is-ssdt3.jpg
is-ssdt4.jpg
is-ssdt5.jpg
is-ssdt6.jpg
Here's an IceSword Win32Services log:
Started Service:
Service Name:ALG Display Name:Servicio de puerta de enlace de capa de aplicación
Service...
Here's an IceSword Processes log:
Process:
System Idle Process
System
C:\WINDOWS\RTHDCPL.exe
C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe...
Here's a HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:16:02 PM, on 1/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00...
Hi. Unfortunately, AVG does not allow me to run WinPFind35U. Even if I tell it to "Ignore" the threat, Windows then gives me a "can't access" error when I try to run the tool.
Guillermo
Hi, Rorschach112. Thanks for your post. I was just writing when it arrived. Before I proceed, let me tell you what happened yesterday, after my last post reporting the re-infection.
I re-applied...
I need to leave now. Will continue tomorrow. Thanks for your help, Rorschach112. See you tomorrow, and we'll finish it.
Guillermo
And 23 additional bad files were downloaded before I noticed and terminated the processes in IceSword.
Guillermo
I can't believe it: the infection has reappeared. I presume after the last reboot (the one between SDFix and WinPFind35U).
The exe and sys files are again there. IceSword again shows the bad processes...
Done with WinPFind35U also. I tried to attach the file here but it seems to be too large. I placed it on my webpage: WinPFind35.Txt
But: something is weird with this file. Even though it is all...
Thanks. That's what I thought. Here's SDFix report. I proceed with WinPFind35U (such a name!).
SDFix: Version 1.125
Run by Abramson on Wed 01/09/2008 at 05:45 PM
Microsoft Windows XP...
I was reading the instructions before proceeding. I say, Rorschach, should the WinPFind35U part also be run in safe mode? Or do I reboot in normal mode for it? Just to be sure...
Guillermo
The 29 files now present are from today, from 14:04 to 14:11 local time, which was, I believe, the last time that wintems.exe was seen running. Not sure though. Many more were downloaded before, and I...
OK. The first one I uploaded was identified as already scanned. I had it rescanned nevertheless, and the result is:
I uploaded a few others from the folder. The ones with the wintems icon...
Done. ComboFix produced the log reported below.
AVZ: I couldn't update with any of the sources (2 of them), so I ran the tool anyway (since the only one selected was restore safeboot... did I mess it...
I checked again with IceSword after the last post. No hldrrr.exe nor wintems.exe processes, no srosa.sys items on the SSDT list.
However, file hldrrr.exe is still in system32\drivers. Should I remove it...
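The check described in the posts above (look through the IceSword process list and SSDT list for hldrrr.exe, wintems.exe and srosa.sys, and look in system32\drivers for leftover files) can be scripted over a saved IceSword log. The following is an added example written for this page; it is not code from the thread, from IceSword or from any of the other tools mentioned. The indicator names come from the posts; the sample log text, the extra "oddname.exe" entry and the "executable in the drivers directory" heuristic are constructed assumptions for illustration.

```python
from pathlib import PureWindowsPath

# Indicator names reported in this thread (hldrrr.exe, wintems.exe, srosa.sys,
# srosa.sy_). Everything below them is an assumption made for this example.
KNOWN_BAD_NAMES = {"hldrrr.exe", "wintems.exe", "srosa.sys", "srosa.sy_"}

# Constructed IceSword-style "Processes" section, modelled on the excerpt in the
# thread. The "oddname.exe" entry is invented to exercise the location heuristic.
SAMPLE_PROCESS_LOG = """Process:
System Idle Process
System
C:\\WINDOWS\\RTHDCPL.exe
C:\\Archivos de programa\\Java\\jre1.6.0_03\\bin\\jusched.exe
C:\\WINDOWS\\system32\\drivers\\hldrrr.exe
C:\\WINDOWS\\system32\\wintems.exe
C:\\WINDOWS\\system32\\drivers\\oddname.exe
"""

# Constructed SSDT section, modelled on the "SSDT in red" post.
SAMPLE_SSDT_LOG = """SSDT:
ntoskrnl.exe
srosa.sys
iksysflt.sys
"""

# Constructed directory listing of system32\drivers: "<name> <size in bytes>".
SAMPLE_DRIVERS_LISTING = """srosa.sy_ 108928
hldrrr.exe 40960
ntfs.sys 574976
"""


def parse_section(text):
    """Return the non-empty lines of an IceSword log section, minus the header."""
    lines = [line.strip() for line in text.splitlines()]
    return [line for line in lines if line and not line.endswith(":")]


def flag_processes(log_text):
    """Flag process entries by indicator name or by suspicious location.

    Two checks:
    1. the image name is one of the names reported in this thread;
    2. a user-mode executable (.exe) is running out of system32\\drivers,
       which holds kernel drivers and is not a normal home for .exe images
       (assumed heuristic, not something the thread states).
    Returns a list of (path, reason) tuples.
    """
    findings = []
    for entry in parse_section(log_text):
        if "\\" not in entry:  # pseudo-processes such as "System"
            continue
        path = PureWindowsPath(entry)
        name = path.name.lower()
        parent = str(path.parent).lower()
        if name in KNOWN_BAD_NAMES:
            findings.append((entry, "known indicator name"))
        elif name.endswith(".exe") and parent.endswith("\\system32\\drivers"):
            findings.append((entry, ".exe running from system32\\drivers"))
    return findings


def flag_ssdt(log_text):
    """Return SSDT hook owners that match the indicator names."""
    return [owner for owner in parse_section(log_text)
            if owner.lower() in KNOWN_BAD_NAMES]


def flag_driver_files(listing_text):
    """Flag leftover files in the drivers directory.

    Matches the indicator names, and also any .exe or .sy_ file, since a
    compressed .sy_ or a user-mode .exe is out of place there (assumed heuristic).
    Returns a list of (filename, size, reason) tuples.
    """
    findings = []
    for line in listing_text.splitlines():
        if not line.strip():
            continue
        name, size = line.split()
        lower = name.lower()
        if lower in KNOWN_BAD_NAMES:
            findings.append((name, int(size), "known indicator name"))
        elif lower.endswith((".exe", ".sy_")):
            findings.append((name, int(size), "unexpected file type in drivers"))
    return findings


if __name__ == "__main__":
    for item in flag_processes(SAMPLE_PROCESS_LOG):
        print("process:", *item)
    for owner in flag_ssdt(SAMPLE_SSDT_LOG):
        print("ssdt hook owner:", owner)
    for item in flag_driver_files(SAMPLE_DRIVERS_LISTING):
        print("driver dir:", *item)
```

The name match is only as good as the list of indicators, which is why the location checks are there: a renamed dropper would slip past the first check but still show up as an executable living in the drivers directory. Run it against a real saved IceSword log by reading the file contents into the three functions instead of the constructed samples.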
OK, here's the ComboFix log. (Byproduct: my default browser was reset to Internet Explorer (from Opera) and an IE icon appeared on the desktop.)
ComboFix 08-01-09.2 - Abramson 2008-01-09 14:13:23.1 -...
OK, I did as said: terminated processes, deleted files in IS, tried to delete files in MoveIt. After pressing MoveIt! I received an error box saying:
And the Results pane of MoveIt reads:
...
Rorschach112, bad news: wintems.exe reappeared. I re-ran IS after posting, and there it was, grrrr!:
Process:
System Idle Process
System
C:\ARCHIV~1\Util\CBOClean\BOCore.exe
C:\Archivos de...
DSS Main.txt:
Deckard's System Scanner v20071014.68
Run by Abramson on 2008-01-09 13:13:33
Computer is in Normal Mode....
Hi. Partial success, as you will see. I did what you said (and also deleted the srosa.sy_). Wintems.exe is gone from the Processes, but hldrrr.exe is still there, as is srosa.sys in the SSDT list.
...
I have been browsing the folders that seem to contain the problematic files, and in c:\WINDOWS\system32\drivers\ I found srosa.sy_ created yesterday (01/08), last modified today, 108,928 bytes, same...
Hi, Rorschach112. Thanks. Here are the snapshots:
Processes:
http://cabfst28.cnea.gov.ar/~abramson/fotos/is-processes.jpg
SSDT:
http://cabfst28.cnea.gov.ar/~abramson/fotos/is-ssdt1.jpg...
DSS did not open an "extra" report (it's not in c:\Deckard\System Scanner\ either, where only main.txt is to be found?).
Guillermo
DSS Main log follows. Guillermo.
Deckard's System Scanner v20071014.68
Run by Abramson on 2008-01-09 10:07:46
Computer is in Normal Mode....
Hi, Rorschach112. Thanks for the answer. I did as you suggested. Here are the results.
Processes in red: hldrrr.exe
Win32Services in red: none
SSDT in red: srosa.sys, iksysflt.sys, guard.sys...
Hi all!
My machine has got an infection with a rootkit, it seems, and I cannot get rid of it. I have followed instructions given by Rorschach112 in a similar thread, but the bad guys keep...