joaquin
Members
Posts: 19
Reputation: 0 Neutral

  1. All done. Borislav, thank you very much for your invaluable help. You really made my day! Best regards,
  2. Done sir. Sorry it took me so long to respond, I've been away these last two days. Everything seems to be running smoothly with my laptop now.
  3. Sorry, forgot to attach the Dr.Web log, here you are. DrWeb.txt
  4. When running Dr.Web, a HDD boot record backdoor infection was detected that required immediate rebooting. After that I ran Dr.Web again to completion, detecting three infections, successfully cured. Upon rebooting, I don't know why, an automatic chkdsk was executed by the OS. Please find attached the Dr.Web log and a HijackThis log. hijackthis.txt
  5. This is what ESET found:

     ESETSmartInstaller@High as CAB hook log:
     OnlineScanner.ocx - registred OK
     # version=7
     # IEXPLORE.EXE=7.00.6000.17023 (vista_gdr.100222-0012)
     # OnlineScanner.ocx=1.0.0.6211
     # api_version=3.0.2
     # EOSSerial=ab41b08371e8854eaafd8f26b877b154
     # end=finished
     # remove_checked=true
     # archives_checked=true
     # unwanted_checked=true
     # unsafe_checked=true
     # antistealth_checked=true
     # utc_time=2010-05-25 12:46:47
     # local_time=2010-05-25 02:46:47 (+0100, Romance Daylight Time)
     # country="Spain"
     # lang=1033
     # osver=5.1.2600 NT Service Pack 2
     # compatibility_mode=512 16777215 100 0 41653620 41653620 0 0
     # compatibility_mode=8192 67108863 100 0 255 255 0 0
     # scanned=617179
     # found=2
     # cleaned=2
     # scan_time=14113
     C:\WINDOWS\LastGood\system32\drivers\ndis.sys    Win32/Protector.Gen virus (deleted - quarantined)    00000000000000000000000000000000    C
     C:\WINDOWS\system32\drivers\OLD569.tmp    Win32/Protector.Gen virus (deleted - quarantined)    00000000000000000000000000000000    C
  6. Here you are. Shall we declare the laptop clean? mbam_log_2010_05_24__22_33_42_.txt
  7. Here it is. Note that I did not include the following in the report:
     * Files (too many otherwise harmless hidden files, the tool gets stuck after some scanning)
     * SSDT (crashes if this is included)
     * Shadow SSDT, Callbacks (you didn't request those yesterday).
     Log follows. If you want I can try with some other scanner of your choice.

     ROOTREPEAL © AD, 2007-2010
     ==================================================
     Report Save Time: 2010/05/24 22:12
     Program Version: Version 2.0.0.0
     Windows Version: Windows XP Media Center Edition SP2
     ==================================================

     DRIVERS
     -------------------
     File Invisible catchme.sys 0xf7892000 C:\DOCUME~1\JOAQUN~1\LOCALS~1\Temp\catchme.sys, 31744 bytes
     File Invisible dump_atapi.sys 0xf3eb2000 C:\WINDOWS\System32\Drivers\dump_atapi.sys, 98304 bytes
     File Invisible dump_WMILIB.SYS 0xf7afc000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS, 8192 bytes
     File Invisible mbr.sys 0xf78c2000 C:\DOCUME~1\JOAQUN~1\LOCALS~1\Temp\mbr.sys, 20864 bytes
     File Invisible PROCEXP113.SYS 0xf7b94000 C:\WINDOWS\system32\Drivers\PROCEXP113.SYS, 7872 bytes
     File Invisible rootrepeal.sys 0xb9837000 C:\WINDOWS\system32\drivers\rootrepeal.sys, 49152 bytes

     PROCESSES
     -------------------
     4 - System
     136 - C:\WINDOWS\system32\nvsvc32.exe
     192 - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
     292 - C:\WINDOWS\system32\svchost.exe
     332 - C:\WINDOWS\system32\svchost.exe
     360 - C:\WINDOWS\system32\wdfmgr.exe
     368 - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
     440 - C:\WINDOWS\system32\smss.exe
     508 - C:\WINDOWS\system32\csrss.exe
     532 - C:\WINDOWS\system32\winlogon.exe
     580 - C:\WINDOWS\system32\services.exe
     596 - C:\WINDOWS\system32\lsass.exe
     720 - C:\WINDOWS\ehome\mcrdsvc.exe
     724 - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
     740 - C:\WINDOWS\explorer.exe
     768 - C:\WINDOWS\system32\svchost.exe
     832 - C:\WINDOWS\system32\svchost.exe
     872 - C:\WINDOWS\system32\svchost.exe
     920 - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
     956 - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
     992 - C:\WINDOWS\system32\svchost.exe
     1108 - C:\WINDOWS\system32\svchost.exe
     1264 - C:\WINDOWS\system32\spoolsv.exe
     1304 - C:\WINDOWS\system32\scardsvr.exe
     1360 - C:\WINDOWS\system32\svchost.exe
     1508 - C:\WINDOWS\ehome\ehrecvr.exe
     1528 - C:\WINDOWS\ehome\ehSched.exe
     1676 - C:\WINDOWS\system32\gearsec.exe
     1744 - C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
     1936 - C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
     2000 - C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
     2204 - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
     2260 - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
     2672 - C:\WINDOWS\system32\dllhost.exe
     2848 - C:\WINDOWS\system32\wscntfy.exe
     2888 - C:\WINDOWS\system32\alg.exe
     3472 - C:\WINDOWS\system32\wuauclt.exe
     4740 - C:\WINDOWS\system32\svchost.exe
     4868 - C:\Documents and Settings\Joaqu
  8. sfc /scannow ran without any prompt for the Windows CD-ROM or anything. Then I downloaded ComboFix and proceeded as usual, log attached. Things are looking better now; if I remember well, previous logs included a .sys driver file not reported here. Combo_Fix.txt
  9. Did as instructed. No hidden services detected, no need to reboot the system. Log follows:

     19:56:09:339 5356 TDSS rootkit removing tool 2.3.0.0 May 12 2010 18:11:17
     19:56:09:339 5356 ================================================================================
     19:56:09:339 5356 SystemInfo:
     19:56:09:339 5356 OS Version: 5.1.2600 ServicePack: 2.0
     19:56:09:339 5356 Product type: Workstation
     19:56:09:339 5356 ComputerName: YOUR-5E21EC80DE
     19:56:09:339 5356 UserName: Joaqu
  10. Hi again, this is how step 2 went: Step 2: As my infected laptop didn't have a properly running DNS service, I had to do a fast analysis with MBAM to restore the machine to a more or less working condition (log attached). Then I proceeded with the rest of step 2 as instructed. The produced log is attached. mbam_log_2010_05_24__19_08_17_.txt Combo_Fix.txt
  11. While waiting for your instructions on this one, I disabled WiFi (given that DNS is not working I feel it safer to disconnect the laptop from the Internet) and tried the following:
      1. Run RootRepeal scan with the following sections:
         # Drivers
         # Processes
         # SSDT
         # Stealth Objects
         # Hidden Services
         That is, the sections you mentioned except Files. RootRepeal crashed within the SSDT section.
      2. Run RootRepeal scan with the following sections:
         # Drivers
         # Processes
         # Stealth Objects
         # Hidden Services
         That is, as in 1 but without SSDT. The report produced was:

         ROOTREPEAL © AD, 2007-2010
         ==================================================
         Report Save Time: 2010/05/23 19:46
         Program Version: Version 2.0.0.0
         Windows Version: Windows XP Media Center Edition SP2
         ==================================================

         DRIVERS
         -------------------
         Hidden <empty> 0x00000000 <empty>, 4084 bytes
         File Invisible dump_atapi.sys 0xf4050000 C:\WINDOWS\System32\Drivers\dump_atapi.sys, 98304 bytes
         File Invisible dump_WMILIB.SYS 0xf7b2c000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS, 8192 bytes
         File Invisible rootrepeal.sys 0xb9837000 C:\WINDOWS\system32\drivers\rootrepeal.sys, 49152 bytes

         PROCESSES
         -------------------
         4 - System
         392 - C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
         516 - C:\WINDOWS\system32\smss.exe
         544 - C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
         576 - C:\WINDOWS\system32\csrss.exe
         604 - C:\WINDOWS\system32\winlogon.exe
         648 - C:\WINDOWS\system32\services.exe
         664 - C:\WINDOWS\system32\lsass.exe
         848 - C:\WINDOWS\system32\svchost.exe
         896 - C:\WINDOWS\system32\svchost.exe
         956 - C:\WINDOWS\system32\svchost.exe
         1024 - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
         1088 - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
         1140 - C:\WINDOWS\system32\svchost.exe
         1220 - C:\WINDOWS\system32\svchost.exe
         1264 - C:\WINDOWS\system32\nvsvc32.exe
         1312 - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
         1412 - C:\WINDOWS\system32\svchost.exe
         1440 - C:\WINDOWS\system32\spoolsv.exe
         1480 - C:\WINDOWS\system32\scardsvr.exe
         1532 - C:\WINDOWS\system32\svchost.exe
         1572 - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
         1584 - C:\WINDOWS\system32\svchost.exe
         1628 - C:\WINDOWS\system32\wscntfy.exe
         1684 - C:\WINDOWS\system32\wdfmgr.exe
         1736 - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
         1844 - C:\WINDOWS\ehome\ehrecvr.exe
         1880 - C:\WINDOWS\ehome\ehSched.exe
         1924 - C:\WINDOWS\system32\gearsec.exe
         1976 - C:\WINDOWS\explorer.exe
         2000 - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
         2272 - C:\WINDOWS\ehome\mcrdsvc.exe
         2552 - C:\WINDOWS\system32\wuauclt.exe
         2600 - C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
         2624 - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
         2700 - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
         3180 - C:\WINDOWS\system32\dllhost.exe
         3436 - C:\WINDOWS\system32\alg.exe
         3468 - C:\WINDOWS\system32\svchost.exe
         3476 - C:\WINDOWS\system32\svchost.exe
         3484 - C:\WINDOWS\system32\svchost.exe
         3492 - C:\WINDOWS\system32\svchost.exe
         5320 - C:\WINDOWS\system32\wbem\wmiprvse.exe
         5416 - C:\WINDOWS\system32\wuauclt.exe
         5504 - C:\Documents and Settings\Joaqu
  12. I can't download directly into my infected computer because by now DNS is non-working (it works again after MBAM disinfection, but I refrained from doing so so as to keep to your instructions). Instead I downloaded it in a clean computer, transferred with a memory stick and launched it as instructed; after some minutes of work the program has stuck and is unresponsive. The likely reason for this is (in my opinion) that it's listing thousands of hidden files and it ran out of internal resources or something. As for the huge numbers of hidden files reported, the reason is that I have some very big SVN projects which typically create large numbers of hidden files for instrumentation purposes. I think these files are harmless, in any case. Shall I rerun RootRepeal without checking the Files section? Shall I delete those folders and try again?
  13. OK, I canceled the GMER scan, turned WiFi on and did a fast analysis with MBAM, which yielded 5 infected objects, including the resistant ipsecndis and ntndis. Log attached. Awaiting your instructions. Thank you for your help. mbam_log_2010_05_23__18_32_46_.txt
  14. In what respect? There's no obvious infection signs, but this is probably because WiFi is still disabled (it is when enabled that infections bloom). I can rescan with MBAM and let you know if you'd like.
  15. After six hours or so of scanning, when it seemed about to finish, GMER got stuck and became unresponsive, and further attempts to close it or shut down the system didn't work. I rebooted the hard way and produced a GMER log with all the options except IAT/EAT and Files (the latter being the culprit for the process taking hours). Log attached. As I'm writing this I've initiated another full scan with Files included just in case it manages to complete successfully (in six hours); please tell me if we should wait or whether we can progress from the limited log attached here. GMER.txt