New Member
Group: Forum Members Last Login: 5/19/2008 8:32 PM Posts: 12, Visits: 36
Hi. Yesterday I picked up on some rogue processes, and then over until this afternoon those few sprouted into many, including (not precise) "mrofinu", "syst3m32.exe", "DILx.tmp" with "x" being a number between 1-15, and another I can't remember now. Amongst all this many important files became corrupt, including explorer.exe, and the internet was almost completely non-functional up until Generic Host Process (svchost.exe) crashed and took me offline properly until I restarted.
This evening I reformatted because I didn't see any possible salvage, but the problem seems to have brilliantly survived the wipe. My Temp folder is now full of DILx.tmp files again, and explorer, among other things (the process that handles 16-bit applications), has started to fail again. New processes, or ones I didn't notice before, have appeared, including ___r.exe and ___synmgr.exe.
I heard things can survive in the MBR, but I have no idea how to tackle this and in what order so as to actually contain the spread.
Help?
Edit: As a side note, most of the drivers I need to be installing are 16-bit, so I don't even have a working AGP chipset.
Senior Forum Moderator
Group: Moderators Last Login: Today @ 7:46 AM Posts: 27,525, Visits: 54,327
Welcome
Download Trend Micro HijackThis 2.0.2 to your desktop:
Double click on HJTInstall.exe; it will prompt you to extract hijackthis.exe to C:\Program Files\Trend Micro\HijackThis.
When the install is complete, HijackThis will automatically launch.
When the license agreement appears, select "I Accept" and then click on the "Do a system scan only" button.
When the scan is complete, click on the "Save Log" button, then save it to your desktop.
Copy and paste the entire contents of that log into a new topic in the HijackThis Logs forum, not here.
__________________________________________________

Proud Member of ASAP (Alliance of Security Analysis Professionals).
Proud Member of U-N-I-T-E (Unified Network of Instructors and Trusted Eliminators).
Malware Complaints
New Member
Group: Forum Members Last Login: 5/19/2008 8:32 PM Posts: 12, Visits: 36
Thanks for the reply.
http://forum.tweaks.com/forum/Topic239612-29-1.aspx
Senior Forum Moderator
Group: Moderators Last Login: Today @ 7:46 AM Posts: 27,525, Visits: 54,327
You're welcome
__________________________________________________

Proud Member of ASAP (Alliance of Security Analysis Professionals).
Proud Member of U-N-I-T-E (Unified Network of Instructors and Trusted Eliminators).
Malware Complaints
New Member
Group: Forum Members Last Login: Yesterday @ 5:13 PM Posts: 38, Visits: 187
You know, there is a VERY easy method to stop the problem child(s) you are seeing... & you ALREADY OWN THE TOOLS:
RECOVERY CONSOLE
(Boot from your XP/Server 2003/VISTA install media, & run it there (via the boot options menu choices then))
OR, just install it to your OS drive, via:
1.Insert the Windows XP CD into the CD-ROM drive.
2.Click Start, and then click Run.
3.In the Open box, type d:\i386\winnt32.exe /cmdcons where d is the drive letter for the CD-ROM drive.
4.A Windows Setup Dialog Box appears. The Windows Setup Dialog Box describes the Recovery Console option. To confirm the installation, click Yes.
5.Restart the computer. The next time that you start your computer, "Microsoft Windows Recovery Console" appears on the startup menu.
Then once you are booted & logged into it, use:
FixMBR
&
DEL (filename)
Once in the folder/directory (via the CD DOS command) where those rogue files are, burn them, in RC... using DEL.
* This type of info. is in my "HOW TO SECURE Windows 2000/XP/Server 2003 & VISTA, & make it 'fun to do', via CIS Tool Guidance" post in this section of these forums in fact.
(Specifically in its VIRUS/SPYWARE/ROOTKIT REMOVAL section).
You MAY have to use SECPOL.msc & give yourself rights to folders other than %windir% & its subordinates though, if the rogue files aren't underneath Windows itself... because RC's default ACL to those things is just %windir% & its subordinate folders only.
Start in Left-hand side pane of secpol.msc -> Security Settings -> Local Policies -> Security Options (now right-hand side pane of secpol.msc) -> Recovery Console: Allow Floppy Copy and Access to all drives and folders
APK
"I'm Reese: Sgt. TechComVN38416, assigned to protect you - You've been TARGETED FOR TERMINATION!"
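A worked Recovery Console session for the procedure APK describes above, added here as an example and not part of the original post. It assumes Windows XP installed to C:\WINDOWS, the Recovery Console already installed with winnt32.exe /cmdcons (or booted from the install media), and that the rogue files sit in the locations the opening post names; the file names are the ones from that post, the registry value SetCommand is the one the "Allow floppy copy and access to all drives and folders" policy writes, and the `rem` lines are annotations for the reader, not commands typed into the console.

```cmd
rem Added example session, not from the original post. Assumed layout:
rem Windows XP in C:\WINDOWS, Recovery Console installed via winnt32 /cmdcons.
rem
rem Step 1, run in the normal OS before rebooting: equivalent of enabling
rem secpol.msc -> Security Options -> "Recovery Console: Allow Floppy Copy
rem and Access to all drives and folders". Without this, the console's SET
rem command is disabled and you are confined to %windir% and its subfolders.
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole" /v SetCommand /t REG_DWORD /d 1 /f

rem Step 2: reboot, pick "Microsoft Windows Recovery Console" from the boot
rem menu, choose the installation (1 = C:\WINDOWS) and enter the local
rem Administrator password. Everything below is typed at the C:\WINDOWS> prompt.

rem Unlock paths outside %windir% and wildcard support. The spaces around
rem "=" are required by the console's SET syntax.
set AllowAllPaths = TRUE
set AllowWildCards = TRUE

rem Rewrite the master boot record code of the boot disk. FIXMBR replaces
rem only the boot code, not the partition table; answer Y at the prompt.
fixmbr

rem Also rewrite the partition boot sector of the system volume.
fixboot c:

rem Locate and delete the rogue temp files. DEL normally takes a single
rem file name and rejects wildcards; AllowWildCards above lifts that limit.
cd \WINDOWS\Temp
dir DIL*.tmp
del DIL*.tmp

rem Delete the look-alike system binary by exact name, then confirm it is gone.
cd \WINDOWS\system32
dir syst3m32.exe
del syst3m32.exe
dir syst3m32.exe

rem Leave the console; the machine restarts.
exit
```

If step 1 was skipped, `set` reports that the command is disabled and `cd` outside C:\WINDOWS is refused with an access-denied error; in that case the rogue files under Temp and system32 are still reachable because both live under %windir%. The `fixmbr` step only rewrites the MBR boot code; it does nothing to the partition table or to files on the volume, so the `del` steps are still needed.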
Senior Forum Moderator
Group: Moderators Last Login: Today @ 7:46 AM Posts: 27,525, Visits: 54,327
APK, this is an old topic which has since been resolved.
__________________________________________________

Proud Member of ASAP (Alliance of Security Analysis Professionals).
Proud Member of U-N-I-T-E (Unified Network of Instructors and Trusted Eliminators).
Malware Complaints
New Member
Group: Forum Members Last Login: Yesterday @ 5:13 PM Posts: 38, Visits: 187
It's only 7 days old... & the point of MY reply was to simply point out that you DON'T really need 3rd party tools for many removals... inclusive of bootsector originated ROOTKITS (fixmbr takes care of those, "lickety split, no XXXX") & as far as "trojan files" too, DEL command in RC does the job on those, same effort/speed (fast & painless).
APK
"I'm Reese: Sgt. TechComVN38416, assigned to protect you - You've been TARGETED FOR TERMINATION!"