
Thread: can't get rid of hldrrr.exe, srosa.sys, wintems.exe

  1. #1
    Junior Member
    Join Date
    Jan 2008
    Posts
    29

    Default can't get rid of hldrrr.exe, srosa.sys, wintems.exe

    Hi all!

    My machine has got an infection with a rootkit, it seems, and I cannot get rid of it. I have followed instructions given by Rorschach112 in a similar thread, but the bad guys keep reappearing. Any help will be appreciated. Thanks in advance.

    All my antivirus programs have been removed or deactivated, and cannot be reinstalled. This includes Spybot, AVG, Avast and SpywareDoctor. AVG Anti-Rootkit runs, and detects hldrrr.exe, srosa.sys and wintems.exe. It offers to remove them, but it does not work.

    I have tried IceSword, which detects the processes hldrrr.exe and wintems.exe running. I terminated them, and removed the files, but they reappear on reboot. I tried deleting them with MoveOnBoot, to no avail.

    Besides the mentioned files, a folder was created in system32\drivers\down, containing .exe files with numbers as filenames. Some of them were also detected by IceSword as running processes, and I terminated those too (and deleted the folder).

    IceSword also detects srosa.sys in several entries in its SSDT list, in red, and also iksysflt.sys (which I believe belongs to SpywareDoctor).

    It seems that the infection is hidden somewhere in my system, but I cannot find out where.

    Other symptoms include:
    1. Cannot boot in safe mode. I tried SafeBootKeyRepair.exe, which allows me to boot into safe mode, but after the next normal boot it is broken again.
    2. Windows Firewall does not run.
    3. System restores do not work.


    HijackThis gives the following log:

    Code:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:14:38 PM, on 1/8/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Archivos de programa\Util\CBOClean\BOCORE.exe
    C:\Archivos de programa\Net\FileZilla Server\FileZilla Server.exe
    C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\RunDLL32.exe
    C:\ARCHIV~1\Util\CBOClean\BOC425.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Archivos de programa\MSN Messenger\msnmsgr.exe
    C:\Archivos de programa\Util\File-Ex 3\FileEx.exe
    C:\Archivos de programa\MSN Messenger\usnsvc.exe
    C:\archivos de programa\net\opera\opera.exe
    C:\Archivos de programa\Texts\WinEdt\WinEdt.exe
    C:\Archivos de programa\Net\Thunderbird\thunderbird.exe
    C:\Archivos de programa\Util\HijackThis\HijackThis.exe
    
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.cab.cnea.gov.ar:3128
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.cnea.gov.ar;*.ib.edu.ar;<local>;*.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O3 - Toolbar: PDF de Adobe - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Archivos de programa\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [BOC-425] C:\ARCHIV~1\Util\CBOClean\BOC425.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [TaskSwitchXP] C:\Archivos de programa\Util\TaskSwitchXP\TaskSwitchXP.exe
    O4 - HKCU\..\Run: [TopDesk] C:\Archivos de programa\Util\TopDesk\topdesk.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVICIO LOCAL')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: File-Ex.lnk = C:\Archivos de programa\Util\File-Ex 3\FileEx.exe
    O4 - Startup: Rainlendar.lnk = C:\Archivos de programa\Util\Rainlendar\Rainlendar.exe
    O4 - Startup: Stardock ObjectDock.lnk = C:\Archivos de programa\Util\ObjectDock\ObjectDock.exe
    O4 - Global Startup: Acceso directo a YzShadow.exe.lnk = C:\Archivos de programa\Util\YzShadow\YzShadow.exe
    O8 - Extra context menu item: Convertir a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convertir a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convertir destino de vínculo a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convertir destino de vínculo en archivo PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convertir selección a archivo PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convertir selección a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convertir vínculos seleccionados a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convertir vínculos seleccionados a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191420182250
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
    O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe (file missing)
    O23 - Service: BOCore - COMODO - C:\Archivos de programa\Util\CBOClean\BOCORE.exe
    O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Archivos de programa\Net\FileZilla Server\FileZilla Server.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Archivos de programa\Spyware Doctor\svcntaux.exe (file missing)
    O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Archivos de programa\Spyware Doctor\swdsvc.exe (file missing)
    
    --
    End of file - 10030 bytes

    Regards,

    Guillermo

  2. #2
    Retired Security Volunteer
    Join Date
    Sep 2007
    Location
    Ireland
    Posts
    1,620

    Default

    Hello

    Delete your version of IceSword.exe and do the following.

    Do not wrap the reports in quote boxes, please.

    Please download and unzip Icesword to its own folder


    If you get a lot of "red entries" in an IceSword log, don't panic.

    Step 1: Run IceSword. Click the "Processes" tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Note the filenames of processes in red color. Also, make a note of the folders.

    Step 2: Click the "Win32 Services" tab and look out for red colored entries in the services list. A red colored service entry indicates that it’s rooted. Note the name of this service.

    Step 3: Now, click "SSDT" tab and check for red colored entries. If there are any, note the file and folder names.

    Now post all of the data collected under the headings:

    Processes
    Win32 Services
    SSDT

    Please download Deckard's System Scanner (DSS) and save it to your Desktop.
    • Close all other windows before proceeding.
    • Double-click on dss.exe and follow the prompts.
    • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
    • When it has finished, dss will open two Notepads, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

    Who watches The Watchmen?

    It's like you said. All I am is what I'm going after.

    ~Scratch~

  3. #3
    Junior Member
    Join Date
    Jan 2008
    Posts
    29

    Default

    Hi, Rorschach112. Thanks for the answer. I did as you suggested. Here are the results.

    Processes in red: hldrrr.exe
    Win32 Services in red: none
    SSDT in red: srosa.sys, iksysflt.sys, guard.sys (AVG)

    IceSword logs follow. IceSword did not allow me to dump a log of the SSDT list, or copy the list in any other way (?).

    DSS logs go in a separate post due to length restriction.

    Cheers,

    Guillermo

    Process:

    System Idle Process
    System
    C:\ARCHIV~1\Util\CBOClean\BOCore.exe
    C:\Archivos de programa\Net\FileZilla Server\FileZilla server.exe
    C:\WINDOWS\system32\smss.exe
    C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\RTHDCPL.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Archivos de programa\Logitech\iTouch\iTouch.exe
    C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe
    C:\Archivos de programa\Util\CBOClean\BOC425.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Archivos de programa\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\system32\drivers\hldrrr.exe
    C:\WINDOWS\system32\wintems.exe
    C:\Archivos de programa\Util\IceSword\IceSword.exe

    Started Service:

    Service Name:AudioSrv Display Name:Audio de Windows
    Service Name:BITS Display Name:Servicio de transferencia inteligente en segundo plano
    Service Name:BOCore Display Name:BOCore
    Service Name:Browser Display Name:Examinador de equipos
    Service Name:CryptSvc Display Name:Servicios de cifrado
    Service Name:DcomLaunch Display Name:Iniciador de procesos de servidor DCOM
    Service Name:Dhcp Display Name:Cliente DHCP
    Service Name:dmserver Display Name:Administrador de discos lógicos
    Service Name:Dnscache Display Name:Cliente DNS
    Service Name:ERSvc Display Name:Servicio de informe de errores
    Service Name:Eventlog Display Name:Registro de sucesos
    Service Name:EventSystem Display Name:Sistema de sucesos COM+
    Service Name:FastUserSwitchingCompatibility Display Name:Compatibilidad de cambio rápido de usuario
    Service Name:FileZilla Server Display Name:FileZilla Server FTP server
    Service Name:gusvc Display Name:Google Updater Service
    Service Name:helpsvc Display Name:Ayuda y soporte técnico
    Service Name:lanmanserver Display Name:Servidor
    Service Name:lanmanworkstation Display Name:Estación de trabajo
    Service Name:LmHosts Display Name:Ayuda de NetBIOS sobre TCP/IP
    Service Name:Netman Display Name:Conexiones de red
    Service Name:NVSvc Display Name:NVIDIA Display Driver Service
    Service Name:PlugPlay Display Name:Plug and Play
    Service Name:Pml Driver HPZ12 Display Name:Pml Driver HPZ12
    Service Name:PolicyAgent Display Name:Servicios IPSEC
    Service Name:ProtectedStorage Display Name:Almacenamiento protegido
    Service Name:RasMan Display Name:Administrador de conexión de acceso remoto
    Service Name:RemoteRegistry Display Name:Registro remoto
    Service Name:RpcSs Display Name:Llamada a procedimiento remoto (RPC)
    Service Name:SamSs Display Name:Administrador de cuentas de seguridad
    Service Name:Schedule Display Name:Programador de tareas
    Service Name:seclogon Display Name:Inicio de sesión secundario
    Service Name:SENS Display Name:Notificación de sucesos del sistema
    Service Name:ShellHWDetection Display Name:Detección de hardware shell
    Service Name:Spooler Display Name:Cola de impresión
    Service Name:srservice Display Name:Servicio de restauración de sistema
    Service Name:SSDPSRV Display Name:Servicio de descubrimientos SSDP
    Service Name:stisvc Display Name:Adquisición de imágenes de Windows (WIA)
    Service Name:TapiSrv Display Name:Telefonía
    Service Name:TermService Display Name:Servicios de Terminal Server
    Service Name:Themes Display Name:Temas
    Service Name:TrkWks Display Name:Cliente de seguimiento de vinculos distribuidos
    Service Name:W32Time Display Name:Horario de Windows
    Service Name:WebClient Display Name:Cliente Web
    Service Name:winmgmt Display Name:Instrumental de administración de Windows
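    The HijackThis log in post #1 and the IceSword process list above lend themselves to a small triage check. The following is an added example, not code from this thread or from HijackThis or IceSword: it parses the HijackThis log format, flags executables running out of the system32\drivers directory (where IceSword located hldrrr.exe) and O23 services whose binary is marked "(file missing)" (the disabled security products the poster describes). The sample log is a constructed excerpt in the shape of the posted one, and the function and constant names are my own.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the shape of the HijackThis log posted in post #1.
# The drivers-folder path for hldrrr.exe is taken from the IceSword process
# list in post #3 and added here so the drivers-directory check has a hit.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\svchost.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe (file missing)
O23 - Service: BOCore - COMODO - C:\Archivos de programa\Util\CBOClean\BOCORE.exe
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Archivos de programa\Spyware Doctor\swdsvc.exe (file missing)
"""

# Filenames the original poster reported; used only to confirm which of them
# actually show up in the running-process list.
REPORTED = {"hldrrr.exe", "srosa.sys", "wintems.exe"}

# O23 lines have the shape: "O23 - Service: <name> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)


def parse_hijackthis(text):
    """Split a HijackThis log into the running-process list and the
    Rx/Oxx entry lines. Returns (processes, entries)."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process section
                in_procs = False
            else:
                processes.append(line)
            continue
        if re.match(r"^[RO]\d+ - ", line):
            entries.append(line)
    return processes, entries


def exe_in_drivers_dir(processes):
    """Executables running out of ...\\drivers. That directory normally holds
    .sys driver files, so a running .exe there is worth a closer look."""
    hits = []
    for p in processes:
        wp = PureWindowsPath(p)
        if wp.suffix.lower() == ".exe" and wp.parent.name.lower() == "drivers":
            hits.append(p)
    return hits


def services_with_missing_binary(entries):
    """Names of O23 services whose binary HijackThis could not find. In this
    thread those are the security products the poster says were removed."""
    missing = []
    for e in entries:
        m = O23_RE.match(e)
        if m and m.group("missing"):
            missing.append(m.group("name"))
    return missing


def reported_names_present(processes):
    """Which of the poster's reported filenames appear as running processes."""
    names = (PureWindowsPath(p).name.lower() for p in processes)
    return sorted(n for n in names if n in REPORTED)


def triage(text):
    """Run the three checks over one log and return them keyed by name."""
    processes, entries = parse_hijackthis(text)
    return {
        "exe_in_drivers": exe_in_drivers_dir(processes),
        "missing_services": services_with_missing_binary(entries),
        "reported_present": reported_names_present(processes),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG).items():
        print(f"{key}: {val}")
```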

  4. #4
    Junior Member
    Join Date
    Jan 2008
    Posts
    29

    Default

    DSS Main log follows. Guillermo.

    Deckard's System Scanner v20071014.68
    Run by Abramson on 2008-01-09 10:07:46
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------



    -- HijackThis (run as Abramson.exe) --------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:07:47 AM, on 1/9/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\RunDLL32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Archivos de programa\MSN Messenger\msnmsgr.exe
    C:\Archivos de programa\Util\CBOClean\BOCORE.exe
    C:\Archivos de programa\Net\FileZilla Server\FileZilla Server.exe
    C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Archivos de programa\MSN Messenger\usnsvc.exe
    C:\Documents and Settings\Abramson\Escritorio\dss.exe
    C:\ARCHIV~1\Util\HIJACK~1\Abramson.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.cab.cnea.gov.ar:3128
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.cnea.gov.ar;*.ib.edu.ar;<local>;*.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O3 - Toolbar: PDF de Adobe - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Archivos de programa\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [BOC-425] C:\ARCHIV~1\Util\CBOClean\BOC425.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [TaskSwitchXP] C:\Archivos de programa\Util\TaskSwitchXP\TaskSwitchXP.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVICIO LOCAL')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Convertir a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convertir a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convertir destino de vínculo a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convertir destino de vínculo en archivo PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convertir selección a archivo PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convertir selección a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convertir vínculos seleccionados a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convertir vínculos seleccionados a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1191420182250
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
    O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe (file missing)
    O23 - Service: BOCore - COMODO - C:\Archivos de programa\Util\CBOClean\BOCORE.exe
    O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Archivos de programa\Net\FileZilla Server\FileZilla Server.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Archivos de programa\Spyware Doctor\svcntaux.exe (file missing)
    O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Archivos de programa\Spyware Doctor\swdsvc.exe (file missing)

    --
    End of file - 9381 bytes

    -- Files created between 2007-12-09 and 2008-01-09 -----------------------------

    2008-01-08 15:15:06 0 d-------- C:\WINDOWS\ERUNT
    2008-01-08 14:36:08 0 d-------- C:\Archivos de programa\GiPo@Utilities
    2008-01-08 14:36:08 0 d-------- C:\Archivos de programa\Archivos comunes\Gibinsoft Shared
    2008-01-08 14:01:32 0 d-------- C:\WINDOWS\system32\drivers\down
    2008-01-08 11:34:05 235008 --a------ C:\WINDOWS\UNBOC.EXE <Not Verified; COMODO; COMODO BOClean - Anti-Malware>
    2008-01-08 11:34:04 208896 --a------ C:\WINDOWS\CMDLIC.DLL <Not Verified; COMODO; COMODO BOClean - AntiMalware>
    2007-12-27 15:58:08 6 --a------ C:\WINDOWS\ls.bat
    2007-12-27 15:23:37 0 d-------- C:\Archivos de programa\Nero
    2007-12-18 17:16:05 151552 --a------ C:\WINDOWS\system32\nvRegDev.dll
    2007-12-18 11:53:16 0 d--h----- C:\WINDOWS\system32\GroupPolicy
    2007-12-14 16:10:27 0 d--h----- C:\WINDOWS\PIF
    2007-12-14 15:51:37 0 d-------- C:\Archivos de programa\Archivos comunes\Nero
    2007-12-14 15:50:16 0 d-------- C:\Archivos de programa\Archivos comunes\Ahead
    2007-12-14 15:50:15 0 d-------- C:\Archivos de programa\Ahead
    2007-12-14 13:50:29 0 d-------- C:\Archivos de programa\Bonjour
    2007-12-14 13:37:45 0 d-------- C:\Archivos de programa\Archivos comunes\Macrovision Shared
    2007-12-12 18:09:01 552 --a------ C:\WINDOWS\system32\d3d8caps.dat


    -- Find3M Report ---------------------------------------------------------------

    2008-01-09 09:36:18 0 d-------- C:\Archivos de programa\Spyware Doctor
    2008-01-09 09:33:23 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\File-Ex
    2008-01-08 16:15:09 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\WinEdt
    2008-01-08 15:54:29 0 d-------- C:\Archivos de programa\Util
    2008-01-08 14:36:08 0 d-------- C:\Archivos de programa\Archivos comunes
    2008-01-08 11:03:04 0 d-------- C:\Archivos de programa\Image
    2008-01-08 10:46:05 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\AVG7
    2008-01-07 14:15:40 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Adobe
    2008-01-03 10:40:13 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\SpeedProject
    2008-01-02 09:35:17 498418 --a------ C:\WINDOWS\system32\perfh00A.dat
    2008-01-02 09:35:17 89006 --a------ C:\WINDOWS\system32\perfc00A.dat
    2007-12-28 16:03:14 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\aignes
    2007-12-28 16:02:39 0 d-------- C:\Archivos de programa\Net
    2007-12-27 10:45:50 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\CyberLink
    2007-12-26 16:28:20 0 d-------- C:\Archivos de programa\video
    2007-12-26 12:01:30 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\XnView
    2007-12-18 18:32:16 0 d-------- C:\Archivos de programa\Sci
    2007-12-18 17:17:12 0 d--h----- C:\Archivos de programa\InstallShield Installation Information
    2007-12-14 16:03:55 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Ahead
    2007-12-14 14:50:33 0 d-------- C:\Archivos de programa\Texts
    2007-12-14 13:50:25 0 d-------- C:\Archivos de programa\Archivos comunes\Adobe
    2007-12-12 18:19:35 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Real
    2007-12-07 17:24:03 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Google
    2007-11-28 10:14:29 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\ActiveState
    2007-11-23 10:51:12 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Avanquest
    2007-11-22 11:34:15 0 d-------- C:\Archivos de programa\Microsoft SQL Server Compact Edition
    2007-11-21 17:34:16 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\AdobeUM
    2007-11-21 17:29:46 0 d-------- C:\Archivos de programa\Archivos comunes\Adobe Systems Shared
    2007-11-16 14:57:16 286720 -----n--- C:\WINDOWS\Setup1.exe <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Windows>
    2007-11-16 14:57:15 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
    2007-11-15 18:25:58 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Macromedia
    2007-11-15 18:12:59 0 d-------- C:\Archivos de programa\Britannica
    2007-11-13 11:06:00 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\InstallShield
    2007-11-12 16:05:30 0 d-------- C:\Archivos de programa\MSECache
    2007-11-12 12:44:03 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\COWON
    2007-10-15 14:23:34 2199552 --a------ C:\WINDOWS\system32\PdfDll32.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS(r) DLL for Windows>
    2007-10-15 14:23:34 65536 --a------ C:\WINDOWS\system32\ltserial.dll


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [09/17/2007 02:07 AM]
    "nwiz"="nwiz.exe" [09/17/2007 02:07 AM C:\WINDOWS\system32\nwiz.exe]
    "RTHDCPL"="RTHDCPL.EXE" [06/15/2007 02:03 AM C:\WINDOWS\RTHDCPL.exe]
    "Alcmtr"="ALCMTR.EXE" [06/15/2007 02:03 AM C:\WINDOWS\Alcmtr.exe]
    "Google Desktop Search"="C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" [11/02/2007 11:55 AM]
    "SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
    "NvMediaCenter"="NvMCTray.dll" [09/17/2007 02:07 AM C:\WINDOWS\system32\nvmctray.dll]
    "zBrowser Launcher"="C:\Archivos de programa\Logitech\iTouch\iTouch.exe" [03/18/2004 10:33 AM]
    "FileZilla Server Interface"="C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe" [02/27/2007 12:55 PM]
    "NeroFilterCheck"="C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe" [01/12/2006 05:40 PM]
    "BOC-425"="C:\ARCHIV~1\Util\CBOClean\BOC425.exe" [08/08/2007 07:49 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [03/02/2006 10:00 AM]
    "msnmsgr"="C:\Archivos de programa\MSN Messenger\msnmsgr.exe" [01/19/2007 01:55 PM]
    "TaskSwitchXP"="C:\Archivos de programa\Util\TaskSwitchXP\TaskSwitchXP.exe" [06/10/2005 08:05 AM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"=0 (0x0)

    SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
    @="Driver Group"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
    @="DiskDrive"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
    @="Hdc"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
    @="Keyboard"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
    @="Mouse"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
    @="System"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
    @="Volume"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 Pml Driver HPZ12 Net Driver HPZ12




    -- End of Deckard's System Scanner: finished at 2008-01-09 10:08:02 ------------

  5. #5
    Junior Member
    Join Date
    Jan 2008
    Posts
    29

    Default

    DSS did not open an "extra" report (it's not in c:\Deckard\System Scanner\ either, where only main.txt is to be found?).

    Guillermo

  6. #6
    Retired Security Volunteer
    Join Date
    Sep 2007
    Location
    Ireland
    Posts
    1,620

    Default

    Hello Guillermo

    We will have you fixed in no time, I just need you to do something important first.

    Can you run IceSword.exe again and take a screenshot of the following areas for me? Make sure IceSword is full screen and you have nothing in the way.

    Can you go into the Process function and make sure these files are visible in the screenshot:

    C:\WINDOWS\system32\drivers\hldrrr.exe
    C:\WINDOWS\system32\wintems.exe


    Then can you go into the SSDT function and make sure these files are visible in another screenshot:

    srosa.sys
    iksysflt.sys
    guard.sys (AVG)


    Then can you host the screenshots on this site, or whatever one you want, for me to download from:

    http://www.mediafire.com/


    Let me know if you have any problems. We can fix this problem today once you do the above.
    Who watches The Watchmen?

    It's like you said. All I am is what I'm going after.

    ~Scratch~

  7. #7

  8. #8
    Junior Member
    Join Date
    Jan 2008
    Posts
    29

    Default

    I have been browsing the folders that seem to contain the problematic files, and in c:\WINDOWS\system32\drivers\ I found srosa.sy_ created yesterday (01/08), last modified today, 108,928 bytes, same size as srosa.sys.

    Perhaps this is important, perhaps this is from where the virus kept reappearing, so I wanted to let you know.

    Guillermo
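The observation in the post above (a `srosa.sy_` sitting next to `srosa.sys` with exactly the same byte count) is a useful check in its own right: a `.sy_` or `.ex_` file is normally a MakeCab-compressed copy from installation media and is therefore smaller than the installed file, so an underscore twin of identical size is worth a second look. The script below is an added example, not part of this thread and not code from IceSword or Deckard's System Scanner; it parses a directory listing in the same "date time size attributes path" layout DSS prints and reports same-size twins. All file sizes and paths in the sample listing are constructed for the example (only the 108,928-byte srosa pair comes from the post).

```python
"""Flag files that have an underscore twin (name.sy_ beside name.sys) of identical size.

Added example for this thread; not code from IceSword or DSS. The listing
format mimics the DSS "date time size attrs path" lines quoted earlier.
"""
import re
from collections import defaultdict

# Constructed sample listing. The srosa pair reproduces the 108,928-byte
# size reported in the post; every other line is made up for the example.
SAMPLE_LISTING = """\
2008-01-08 15:54:29 0 d-------- C:\\Archivos de programa\\Util
2008-01-08 16:11:02 108928 --a------ C:\\WINDOWS\\system32\\drivers\\srosa.sys
2008-01-09 09:02:41 108928 --a------ C:\\WINDOWS\\system32\\drivers\\srosa.sy_
2007-11-16 14:57:16 286720 -----n--- C:\\WINDOWS\\Setup1.exe
2007-10-15 14:23:34 2199552 --a------ C:\\WINDOWS\\system32\\PdfDll32.dll
2006-03-02 10:00:00 41984 --a------ C:\\WINDOWS\\system32\\drivers\\ndis.sys
2006-03-02 10:00:00 17123 --a------ C:\\WINDOWS\\system32\\drivers\\ndis.sy_
"""

# "YYYY-MM-DD HH:MM:SS <size> <attrs> <path>"; the path may contain spaces.
LINE_RE = re.compile(r"^(\S+ \S+) (\d+) (\S+) (.+)$")


def parse_listing(text):
    """Yield (size, path) for every file line; directory lines (attrs start with 'd') are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size, attrs, path = int(m.group(2)), m.group(3), m.group(4)
        if attrs.startswith("d"):
            continue
        yield size, path


def find_same_size_twins(text):
    """Return sorted (original_path, underscore_twin_path, size) triples.

    Files are grouped by their path minus the last character, so
    ...\\srosa.sys and ...\\srosa.sy_ fall into the same bucket. A compressed
    twin produced by MakeCab is smaller than the original; an equal-size
    twin is an uncompressed copy and is reported.
    """
    groups = defaultdict(list)
    for size, path in parse_listing(text):
        groups[path[:-1].lower()].append((size, path))

    findings = []
    for entries in groups.values():
        plain = [(s, p) for s, p in entries if not p.endswith("_")]
        under = [(s, p) for s, p in entries if p.endswith("_")]
        for ps, pp in plain:
            for us, up in under:
                if ps == us:
                    findings.append((pp, up, ps))
    return sorted(findings)


if __name__ == "__main__":
    for original, twin, size in find_same_size_twins(SAMPLE_LISTING):
        print(f"same-size twin ({size} bytes): {original} <-> {twin}")
```

Run against a real DSS listing, the script only names candidates; the ndis pair in the sample shows the normal case (compressed twin smaller, nothing reported), while the srosa pair is the one that deserves attention. It says nothing about what the twin is for, and a legitimate uncompressed copy left behind by an installer would be flagged too.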

  9. #9
    Retired Security Volunteer
    Join Date
    Sep 2007
    Location
    Ireland
    Posts
    1,620

    Default

    Thank you very much for doing that Guillermo

    Let us remove the infection now. Do all these steps in the one go and do not reboot your PC until I tell you to.



    Run IceSword.exe

    Step 1: Now, we will remove the rootkit! Click the "Processes" tab and right-click on the following processes one by one, and choose "Terminate Process". This will kill the rooted processes.

    C:\WINDOWS\system32\drivers\hldrrr.exe
    C:\WINDOWS\system32\wintems.exe



    Step 2: Now, we have to delete the rooted files. Click the "File" tab in IceSword. This will display the Windows Explorer type interface. Navigate to the following and delete the file(s) in bold.

    C:\WINDOWS\system32\drivers\hldrrr.exe
    C:\WINDOWS\system32\wintems.exe
    C:\Windows\System32\drivers\srosa.sys
    C:\WINDOWS\ls.bat




    1. Please re-open HiJackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE


    2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



    Reboot and post new IceSword logs from Processes, Win32 Services, and SSDT, along with a new DSS log, and tell me how all that went and if you had any problems.
    Who watches The Watchmen?

    It's like you said. All I am is what I'm going after.

    ~Scratch~

  10. #10
    Junior Member
    Join Date
    Jan 2008
    Posts
    29

    Default

    Hi. Partial success, as you will see. I did what you said (and also deleted the srosa.sy_). Wintems.exe is gone from the Processes, but hldrrr.exe is there, as is srosa.sys in the SSDT list.

    C:\WINDOWS\ls.bat is a script of my own, that runs dir /w when I mistakenly type ls on a console... I deleted it anyway, for you to be sure.

    Here are the logs:

    Process:

    System Idle Process
    System
    C:\ARCHIV~1\Util\CBOClean\BOCore.exe
    C:\Archivos de programa\Net\FileZilla Server\FileZilla server.exe
    C:\ARCHIV~1\Google\Common\GOOGLE~1\GOOGLE~1.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Archivos de programa\Util\IceSword\IceSword.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\RTHDCPL.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Archivos de programa\Logitech\iTouch\iTouch.exe
    C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\drivers\hldrrr.exe

    Started Service:

    Service Name:AudioSrv Display Name:Audio de Windows
    Service Name:BITS Display Name:Servicio de transferencia inteligente en segundo plano
    Service Name:BOCore Display Name:BOCore
    Service Name:Browser Display Name:Examinador de equipos
    Service Name:CryptSvc Display Name:Servicios de cifrado
    Service Name:DcomLaunch Display Name:Iniciador de procesos de servidor DCOM
    Service Name:Dhcp Display Name:Cliente DHCP
    Service Name:dmserver Display Name:Administrador de discos lógicos
    Service Name:Dnscache Display Name:Cliente DNS
    Service Name:ERSvc Display Name:Servicio de informe de errores
    Service Name:Eventlog Display Name:Registro de sucesos
    Service Name:EventSystem Display Name:Sistema de sucesos COM+
    Service Name:FastUserSwitchingCompatibility Display Name:Compatibilidad de cambio rápido de usuario
    Service Name:FileZilla Server Display Name:FileZilla Server FTP server
    Service Name:gusvc Display Name:Google Updater Service
    Service Name:helpsvc Display Name:Ayuda y soporte técnico
    Service Name:lanmanserver Display Name:Servidor
    Service Name:lanmanworkstation Display Name:Estación de trabajo
    Service Name:LmHosts Display Name:Ayuda de NetBIOS sobre TCP/IP
    Service Name:Netman Display Name:Conexiones de red
    Service Name:NVSvc Display Name:NVIDIA Display Driver Service
    Service Name:PlugPlay Display Name:Plug and Play
    Service Name:Pml Driver HPZ12 Display Name:Pml Driver HPZ12
    Service Name:PolicyAgent Display Name:Servicios IPSEC
    Service Name:ProtectedStorage Display Name:Almacenamiento protegido
    Service Name:RasMan Display Name:Administrador de conexión de acceso remoto
    Service Name:RemoteRegistry Display Name:Registro remoto
    Service Name:RpcSs Display Name:Llamada a procedimiento remoto (RPC)
    Service Name:SamSs Display Name:Administrador de cuentas de seguridad
    Service Name:Schedule Display Name:Programador de tareas
    Service Name:seclogon Display Name:Inicio de sesión secundario
    Service Name:SENS Display Name:Notificación de sucesos del sistema
    Service Name:ShellHWDetection Display Name:Detección de hardware shell
    Service Name:Spooler Display Name:Cola de impresión
    Service Name:srservice Display Name:Servicio de restauración de sistema
    Service Name:SSDPSRV Display Name:Servicio de descubrimientos SSDP
    Service Name:stisvc Display Name:Adquisición de imágenes de Windows (WIA)
    Service Name:TapiSrv Display Name:Telefonía
    Service Name:TermService Display Name:Servicios de Terminal Server
    Service Name:Themes Display Name:Temas
    Service Name:TrkWks Display Name:Cliente de seguimiento de vinculos distribuidos
    Service Name:W32Time Display Name:Horario de Windows
    Service Name:WebClient Display Name:Cliente Web
    Service Name:winmgmt Display Name:Instrumental de administración de Windows


    SSDT (images, still cannot dump logs):
    http://cabfst28.cnea.gov.ar/~abramso...s/is-ssdt1.jpg
    http://cabfst28.cnea.gov.ar/~abramso...s/is-ssdt2.jpg
    http://cabfst28.cnea.gov.ar/~abramso...s/is-ssdt3.jpg
    http://cabfst28.cnea.gov.ar/~abramso...s/is-ssdt4.jpg

    DSS in following post.
