
I Can't Even Launch Hjt To Create A Log


3 replies to this topic

#1 ijusth

  • Members
  • 2 posts

Posted 16 February 2008 - 01:53 PM

I installed HJT using the installer. I click on the application and get an "invalid Win32 application" error message. I went into the folder and right-clicked on the executable, and the effort locks up (Task Manager shows it as not responding). Tried to rename it from the CMD prompt and that doesn't work either. Most of the other antivirus programs I have tried also are failing with the invalid Win32 message. F-Secure BlackLight has found hldrr.exe, and their log (see attached) also shows srosa.sys. Tried various things to clean things up, but so far no success. As further info, I had Spybot and Trend Micro running when I got the infection. Both programs stopped working and reinstalls fail. The program flashes and disappears or gets the invalid Win32 message. Virtmundo doesn't show up, at least.

Attached Files





#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,751 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 16 February 2008 - 04:59 PM

One or more of the identified infections is related to a nasty rootkit component. Rootkits are very dangerous because they use advanced techniques as a means of accessing a computer system that bypass security mechanisms and steal sensitive information, which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide the new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Please read "When should I re-format?" and "Reformatting the computer or troubleshooting; which is best?".

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Let me know how you wish to proceed.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 ijusth

  • Topic Starter
  • Members
  • 2 posts

Posted 16 February 2008 - 06:10 PM

I don't do any online banking from this machine or have CC data on it. Other than logging into forums or such, there isn't much exposed, I think, so I think starting with rootkit removal should suffice. The only other thing is PayPal/eBay, and I will change those passwords from a different machine. One big issue with a complete reformat is that I can't find my original XP disks (I have 2 CDs I placed into 1 box but can't find that box now). Until I do, that option is out.

Please let me know how to proceed.



EDIT


Found my install discs (only SP1, so I will need to do the SP2 thing afterwards), so this is a last-chance option now.

Edited by ijusth, 16 February 2008 - 11:05 PM.


#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,751 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 17 February 2008 - 08:01 AM

Did you try to use BlackLight to rename these files? If not, then use BlackLight in exactly the same way as before, but when it shows the list of the items found, select hldrrr.exe and srosa.sys and choose to let BlackLight rename them by clicking the Rename button.
  • Next to each entry, "rename" should appear.
  • Click "Next".
  • BlackLight will give you a warning asking if you are sure. Click "Yes".
  • Then it will tell you: "Your computer will reboot now"
  • Click "Yes".
If you need instructions with screenshots, see Using Blacklight to detect and remove Rootkits and How do I use F-Secure BlackLight?.

Search for and delete the following file(s) in bold if still present.
C:\WINDOWS\System32\wintems.exe <- this file

You can use Windows Explorer to navigate to them, or use the Windows Search feature > More advanced options to locate them. To do this, go to Start -> Search and click For Files or Folders....
  • Click All files and folders.
  • Type in the name of the file under "Search by...criteria."
  • Click More advanced options and check these options:
    • "Search system folders"
    • "Search hidden files and folders"
    • "Search subfolders"
  • Then click "Search" to look for the file(s).
When found right-click the file, choose delete and empty your recycle bin. If you get an error when deleting a file, right-click on it and check to see if the read only attribute is checked. If it is, uncheck it and try again. If that does not work, then open Task Manager, look for and kill the process if running, then delete the file. If you still have problems, then delete the file(s) in "Safe Mode".

Then download Sophos Anti-rootkit & save it to your desktop.
Print out and follow the scan instructions provided in the Sophos Anti-Rootkit User Manual. A copy of this manual (sarman.pdf) can also be found inside the program folder after installation.
  • Double-click sarsfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • When the scan is complete select only items recommended for removal, then click "Clean up checked items".
  • Clean up will begin after you restart your computer and you will perform a second scan.
Note: Close all open windows, programs, and DO NOT USE the computer while scanning. If the scan is performed while the computer is in use, false positives may appear in the scan results. This is caused by files or registry entries being deleted automatically.
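An added example, not code from this thread, from BleepingComputer, or from any of the tools named above: a PowerShell script that does the search step of the post above in one pass (system folders, hidden files, subfolders, the read-only attribute that can block deletion, and whether a matching process is running) for the three file names this thread identifies. It also lists any entry under the Services registry key whose ImagePath refers to one of those names; that check is an assumption about how a .sys file would be loaded as a driver, not something the thread states. The script only reports; deletion stays a manual step, as in the post. Run it from an administrator prompt, and bear in mind that an infection which blocks HJT and the antivirus installers can block this too, so a clean result from the infected machine proves nothing.

```powershell
# Added example (not from the thread): report the indicators post #4 names,
# searched the way that post describes: system folders, hidden files, subfolders,
# and the read-only attribute that can make a delete fail.
# Assumption: a kernel driver such as srosa.sys would be registered as a service
# under HKLM\SYSTEM\CurrentControlSet\Services, so ImagePath values are checked too.

$Indicators = @('hldrrr.exe', 'srosa.sys', 'wintems.exe')
$SearchRoot = $env:SystemRoot   # includes System32 and its subfolders

function Find-IndicatorFiles {
    param([string[]]$Names, [string]$Root)
    # -Force includes hidden and system files; -Recurse covers subfolders.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and ($Names -contains $_.Name) } |
        ForEach-Object {
            $base = [IO.Path]::GetFileNameWithoutExtension($_.Name)
            [pscustomobject]@{
                Path       = $_.FullName
                SizeBytes  = $_.Length
                Attributes = $_.Attributes.ToString()
                ReadOnly   = [bool]($_.Attributes -band [IO.FileAttributes]::ReadOnly)
                Hidden     = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                # True if a process with that image name is running (kill it before deleting).
                Running    = [bool](Get-Process -Name $base -ErrorAction SilentlyContinue)
            }
        }
}

function Find-IndicatorServices {
    param([string[]]$Names)
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        $image = [string]$props.ImagePath
        foreach ($n in $Names) {
            if ($image -and $image.ToLower().Contains($n.ToLower())) {
                [pscustomobject]@{
                    Service   = $_.PSChildName
                    ImagePath = $image
                    Start     = $props.Start   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
                    Type      = $props.Type    # 1 = kernel driver
                }
            }
        }
    }
}

$files    = @(Find-IndicatorFiles -Names $Indicators -Root $SearchRoot)
$services = @(Find-IndicatorServices -Names $Indicators)

if ($files.Count -eq 0 -and $services.Count -eq 0) {
    Write-Output 'None of the named indicators were found.'
} else {
    Write-Output 'Files:';    $files    | Format-Table -AutoSize
    Write-Output 'Services:'; $services | Format-Table -AutoSize
    # Deletion is left manual, as in the thread: clear the read-only bit, stop the
    # process if Running is True, then delete; fall back to Safe Mode if that fails.
    # e.g. Set-ItemProperty -LiteralPath $files[0].Path -Name IsReadOnly -Value $false
}
```

The registry scan uses only ImagePath, Start and Type, which every service entry carries, so a hit there tells you how the driver is set to load (Start 0 or 1 means before any user-mode tool runs, which is why the post has BlackLight rename the file and reboot rather than delete it live).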
