Free Republic

To: papasmurf; Still Thinking; Turbopilot

Looks like the problem is a nasty rootkit infection. I now can’t even get online through dial-up (using someone else’s PC right now).

There is a process called /S /C {7007-ACC7-3202-1101-AAO2-20805FC1270E / I {10DF43C8-11D3-8B-34-006097DF58-D43 / X 0x401 ...

...running here and there on my machine.

It shows up for a few minutes, then disappears, only to reappear later, sometimes up to nine instances of it running simultaneously.

A file, a registry key? Both?

I am going to try removing it using AVG Anti-Rootkit and/or Icesword.

When I try to terminate these malicious processes, I get an “access denied” error, so I’m pretty much stonewalled.

HiJackThis and every other utility I’ve run doesn’t even show this process running.

Only thing that has showed it running is a software called Spyware Process Terminator.

When I do a Start > run > cmd > ipconfig I get a response such as: “a media is disconnected,” even though the network card is enabled and working fine (in fact, I updated the drivers last night). Plus, the Ethernet cable is plugged in and I’m 100% positive the problem isn’t with the cable.

Anyone have any experience removing rootkits? I hear they can be pretty hard to get rid of.

Thanks again very much for your suggestions and help.


26 posted on 10/23/2007 3:38:46 PM PDT by jdm
[ Post Reply | Private Reply | To 25 | View Replies ]


To: jdm
There is a tool I have used called Rootkit Revealer (download and description at link - it's on Microsoft.com but the author is a long-time Windows engineer/tinkerer and wrote the program before he was hired into Microsoft) that can find rootkits. It compares files and processes viewed from the API level with raw file data; if there are discrepancies, it's possible that a malicious process (i.e. a rootkit) is keeping the raw data from being seen by the API.

It will show you whatever might be running, but doesn't have removal capabilities. Your best bet would probably be to Google whatever it finds to see if you can find manual removal instructions. Be warned that rootkits can be very, very difficult to remove from within the runtime environment; if you have one, you may need to boot from a different kernel (such as a Linux or WinPE LiveCD) to remove it. Many people advise that the only sure cure is to fdisk/format and reinstall everything from scratch.

27 posted on 10/23/2007 3:49:01 PM PDT by Turbopilot (iumop ap!sdn w,I 'aw dlaH)
[ Post Reply | Private Reply | To 26 | View Replies ]

To: jdm

First thing...stop all internet activity, reboot into safe mode, open your network connections, go to the tcp/ip properties, and change your DNS addy to the correct one.

Then, after starting up in safe mode, open your “Hosts” file (Windows XP: C:\WINDOWS\SYSTEM32\DRIVERS\ETC) and comment out every IP address appearing in it. Save it.

Then work on the root kit.

FRemail coming at you...


29 posted on 10/23/2007 4:41:58 PM PDT by papasmurf (sudo apt - get install FRed Thompson)
[ Post Reply | Private Reply | To 26 | View Replies ]
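A script in the spirit of papasmurf's hosts-file step, added here as an illustration and not part of the thread: it parses a hosts file, comments out every address mapping, and returns the disabled entries for review. It goes one step beyond the post by keeping only the stock loopback `localhost` line so the machine can still resolve its own name. The sample file contents are constructed; the 203.0.113.x addresses are from the documentation range.

```python
import ipaddress
import re

# Constructed sample of a tampered hosts file (not taken from the thread).
# The lines pointing real-looking names at 203.0.113.7 are the kind of
# redirection a hijacker plants; the Microsoft header is the stock one.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
::1             localhost
203.0.113.7     www.example-av-vendor.invalid update.example-av-vendor.invalid
203.0.113.7     www.example-search.invalid   # redirected
0.0.0.0         ads.example.invalid
"""

# address, then one or more hostnames (trailing whitespace already trimmed)
HOST_LINE = re.compile(r"^\s*(\S+)\s+(\S.*?)\s*$")


def is_loopback_localhost(ip, names):
    """True only for the stock mapping of 'localhost' to a loopback address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback and all(n.lower() == "localhost" for n in names)


def neutralize_hosts(text, marker="#DISABLED# "):
    """Comment out every mapping except loopback localhost.

    Returns (new_text, disabled); disabled is a list of (ip, [names]) tuples
    that were commented out, so the operator can review them afterwards.
    """
    out, disabled = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out.append(line)                # comments and blank lines untouched
            continue
        body = line.split("#", 1)[0]        # ignore a trailing comment
        m = HOST_LINE.match(body)
        if not m:
            out.append(marker + line)       # unparseable: disable rather than guess
            continue
        ip, names = m.group(1), m.group(2).split()
        if is_loopback_localhost(ip, names):
            out.append(line)                # keep the machine's own name resolvable
            continue
        disabled.append((ip, names))
        out.append(marker + line)
    return "\n".join(out) + "\n", disabled
```

On the real machine, read the file from the path given in the post, pass its contents to `neutralize_hosts`, write the returned text back, and go through the returned list of disabled entries.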



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson