
Thread: can't get rid of hldrrr.exe, srosa.sys, wintems.exe

  1. #21
    Junior Member
    Join Date
    Jan 2008
    Posts
    29

    OK. The first one I uploaded was identified as already scanned. I had it rescanned nevertheless, and the result is:

    File 36015.exe received on 01.09.2008 19:58:54 (CET)
    Antivirus Version Last Update Result
    AhnLab-V3 2008.1.10.10 2008.01.09 Win-Trojan/Downloader.471556
    AntiVir 7.6.0.46 2008.01.09 WORM/Bagle.Gen
    Authentium 4.93.8 2008.01.09 -
    Avast 4.7.1098.0 2008.01.08 Win32:Beagle-YN
    AVG 7.5.0.516 2008.01.09 Generic9.ADGV
    BitDefender 7.2 2008.01.09 Win32.Bagle.STT@mm
    CAT-QuickHeal 9.00 2008.01.09 Win32.Backdoor.Rbot.bmr
    ClamAV 0.91.2 2008.01.09 PUA.Packed.Themida
    DrWeb 4.44.0.09170 2008.01.09 Win32.HLLM.Beagle
    eSafe 7.0.15.0 2008.01.08 Win32.Mitglieder
    eTrust-Vet 31.3.5444 2008.01.09 -
    Ewido 4.0 2008.01.09 -
    FileAdvisor 1 2008.01.09 -
    Fortinet 3.14.0.0 2008.01.09 W32/Bagle.HI!worm
    F-Prot 4.4.2.54 2008.01.09 -
    F-Secure 6.70.13030.0 2008.01.09 Trojan-Downloader.Win32.Bagle.ho
    Ikarus T3.1.1.20 2008.01.09 Virus.Win32.Beagle.YN
    Kaspersky 7.0.0.125 2008.01.09 Trojan-Downloader.Win32.Bagle.ho
    McAfee 5203 2008.01.09 Generic Downloader.ab
    Microsoft 1.3109 2008.01.09 TrojanProxy:Win32/Mitglieder.KT
    NOD32v2 2778 2008.01.09 Win32/Bagle.LF
    Norman 5.80.02 2008.01.09 SDBot.gen8
    Panda 9.0.0.4 2008.01.09 W32/Bagle.QP.worm
    Prevx1 V2 2008.01.09 Trojan.Mitglieder
    Rising 20.26.21.00 2008.01.09 -
    Sophos 4.24.0 2008.01.09 -
    Sunbelt 2.2.907.0 2008.01.09 VIPRE.Suspicious
    Symantec 10 2008.01.09 Trojan.Mitglieder
    TheHacker 6.2.9.184 2008.01.08 W32/Behav-Heuristic-064
    VBA32 3.12.2.5 2008.01.09 -
    VirusBuster 4.3.26:9 2008.01.09 -
    Webwasher-Gateway 6.6.2 2008.01.09 Worm.Bagle.Gen

    Additional information
    File size: 471556 bytes
    MD5: a14a5261685fad6735165b695175df15
    SHA1: ba7e102f32030b71164e132918a4c25b13e9a2e3
    PEiD: Themida/WinLicense V1.8.0.2 + -> Oreans Technologies
    packers: Themida
    Prevx info: http://info.prevx.com/aboutprogramte...2078001CB1110F
    Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

    I uploaded a few others from the folder. The ones with the wintems icon were all identified as malware. The ones without the icon were reported as clean. I have to say, though, that they were all downloaded together; they all have the same timestamps. I would get rid of all of them, what do you say?

    I guess I remove them with MoveIt?

    In the meantime I have checked services.msc and Windows Firewall is again in Automatic, and started!

    Should I now reinstall spybot and my antivirus, and run them? Which ones?

    Guillermo
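Reading a multi-engine report like the one pasted above by hand is error-prone, and different vendors spell the same family differently (Bagle vs. Beagle). The following Python is an added example, not code from the thread: it parses rows in that vendor / version / signature-date / verdict layout, counts how many engines flagged the file, and folds the spelling aliases into one family label. The sample lines are a subset copied from the report above; the alias map is an assumption made for illustration.

```python
import re
from collections import Counter

# Constructed sample: a subset of the report rows quoted in the post above.
SAMPLE_REPORT = """\
AhnLab-V3 2008.1.10.10 2008.01.09 Win-Trojan/Downloader.471556
AntiVir 7.6.0.46 2008.01.09 WORM/Bagle.Gen
Authentium 4.93.8 2008.01.09 -
Avast 4.7.1098.0 2008.01.08 Win32:Beagle-YN
ClamAV 0.91.2 2008.01.09 PUA.Packed.Themida
DrWeb 4.44.0.09170 2008.01.09 Win32.HLLM.Beagle
eSafe 7.0.15.0 2008.01.08 Win32.Mitglieder
McAfee 5203 2008.01.09 Generic Downloader.ab
Microsoft 1.3109 2008.01.09 TrojanProxy:Win32/Mitglieder.KT
Prevx1 V2 2008.01.09 Trojan.Mitglieder
Sophos 4.24.0 2008.01.09 -
Sunbelt 2.2.907.0 2008.01.09 VIPRE.Suspicious
"""

# Row layout: vendor, engine version, signature date (YYYY.MM.DD), verdict. The verdict
# may contain spaces or be "-" (no detection), so the date token anchors the split.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.*)$")

# Assumed alias map (not from the thread): Beagle is another spelling of Bagle.
FAMILY_ALIASES = {"bagle": "Bagle", "beagle": "Bagle", "mitglieder": "Mitglieder"}

def parse_report(text):
    """Return one dict per parsable row; a "-" verdict becomes None."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # skip headers, blank lines and the summary block
        vendor, version, updated, verdict = m.groups()
        rows.append({"vendor": vendor, "version": version, "updated": updated,
                     "verdict": None if verdict == "-" else verdict})
    return rows

def detection_ratio(rows):
    """(engines that flagged the file, engines that scanned it)."""
    return sum(1 for r in rows if r["verdict"]), len(rows)

def family_counts(rows):
    """Count verdicts per family after folding aliases; unmatched names go to 'other'."""
    counts = Counter()
    for r in rows:
        if r["verdict"]:
            low = r["verdict"].lower()
            counts[next((f for k, f in FAMILY_ALIASES.items() if k in low), "other")] += 1
    return counts
```

Generic names such as "VIPRE.Suspicious" or "PUA.Packed.Themida" land in "other"; the packer verdict alone says nothing about the family, which is why the named detections are the ones worth grouping.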

  2. #22
    Retired Security Volunteer
    Join Date
    Sep 2007
    Location
    Ireland
    Posts
    1,620

    No need to scan the rest, they are all bad as expected. They should have shown up in the ComboFix log.

    What is the time stamp for these files?

    Do the following

    Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum.

    Download WinPFind35U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.
    • Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program.
    • Under Rootkit Search on the left change it to Yes
    • Under Additional Scans check the box beside Reg - Disabled MS Config Items.
    • Under Files Created Within change it to 90 days, do the same for Files Modified Within.
    • Now click the Run Scan button on the toolbar.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

    Use the Add Reply button and Copy/Paste the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.

    Make sure you attach the report in your reply. You will need to host this attachment on another site like mediafire as you can't upload here unfortunately.
    Who watches The Watchmen?

    It's like you said. All I am is what I'm going after.

    ~Scratch~

  3. #23
    Junior Member
    Join Date
    Jan 2008
    Posts
    29

    Quote Originally Posted by Rorschach112:
    What is the time stamp for these files ?
    The 29 files now present are from today, from 14:04 to 14:11 local time, which was, I believe, the last time that wintems.exe was seen running. Not sure though. Many more were downloaded before, and I deleted them several times (not to the recycler).

    I am proceeding with your last instructions now, in safe mode. See you later.

    Guillermo

  4. #24
    Junior Member
    Join Date
    Jan 2008
    Posts
    29

    I was reading the instructions before proceeding. I say, Rorschach, should the WinPFind35U part also be run in safe mode? Or do I reboot in normal mode for it? Just to be sure...

    Guillermo

  5. #25
    Retired Security Volunteer
    Join Date
    Sep 2007
    Location
    Ireland
    Posts
    1,620

    Run WinPFind35 from Normal Mode.

    It's always best to make sure.

  6. #26
    Junior Member
    Join Date
    Jan 2008
    Posts
    29

    Thanks. That's what I thought. Here's the SDFix report. I proceed with WinPFind35U (such a name!).


    SDFix: Version 1.125

    Run by Abramson on Wed 01/09/2008 at 05:45 PM

    Microsoft Windows XP [Versión 5.1.2600]

    Running From: c:\SDFix

    Safe Mode:
    Checking Services:


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    No Trojan Files Found


    Removing Temp Files...

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-09 17:51:47
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...


    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 1


    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

    Remaining Files:
    ---------------


    Files with Hidden Attributes:

    Thu 19 Aug 2004 60,416 A.SH. --- "C:\Archivos de programa\Outlook Express\msimn.exe"
    Thu 1 Nov 2007 5,903,928 A..H. --- "C:\Archivos de programa\Picasa2\setup.exe"
    Wed 3 Oct 2007 0 A.SH. --- "C:\Documents and Settings\All Users.WINDOWS\DRM\Cache\Indiv01.tmp"
    Wed 3 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b3958dae49728da026def65195c3aa84\BIT32.tmp"

    Finished!

  7. #27
    Junior Member
    Join Date
    Jan 2008
    Posts
    29

    Done with WinPFind35U also. I tried to attach the file here but it seems to be too large. I placed it on my webpage: WinPFind35.Txt

    But: something is weird with this file. Even though it is all there, down to the last line <End of Report>, I cannot open it correctly in the browser. You can still use "save target as" to have it in full (perhaps non-ASCII characters).

    I placed a zipped version, perhaps it gets transmitted better: WinPFind35.zip

    Guillermo

  8. #28
    Junior Member
    Join Date
    Jan 2008
    Posts
    29

    I can't believe it: the infection has reappeared. I presume after the last reboot (the one between SDFix and WinPFind35U).

    The exe and sys files are again there. IceSword again shows the bad processes and SSDT's... Firewall is deactivated...

    What went wrong?

    Guillermo

  9. #29
    Junior Member
    Join Date
    Jan 2008
    Posts
    29

    And 23 additional bad files were downloaded before I noticed and terminated the processes in IceSword.

    Guillermo

  10. #30
    Junior Member
    Join Date
    Jan 2008
    Posts
    29

    I need to leave now. Will continue tomorrow. Thanks for your help Rorschach112. See you tomorrow and we'll finish it.

    Guillermo
