another trojan rootkit cw

15 years ago

Hi,

I posted on Pam's thread, but I was asked to start a new thread here. My computer got infected today, seems to be the same deal as Pam posted about. Here is the Malwarebytes log--this is from the full scan, I had previously done a quick scan:

Malwarebytes' Anti-Malware 1.35

Database version: 1940

Windows 5.1.2600 Service Pack 2

4/4/2009 3:17:26 PM

mbam-log-2009-04-04 (15-17-26).txt

Scan type: Full Scan (A:\:C:\:D:\:E:\:)

Objects scanned: 190090

Time elapsed: 51 minute(s), 57 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 7

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 16

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\amd64si (Rootkit.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\amd64si (Rootkit.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amd64si (Rootkit.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\fips32cup (Rootkit.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fips32cup (Rootkit.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nicsk32 (Rootkit.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsik (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vkotibebaxixoy (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\drivers\amd64si.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\fips32cup.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\port135sik.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\netsik.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\nicsk32.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\upuwusuyanami.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\drivers\securentm.sys (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\BN2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\BN6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\BN8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\BN9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\BN11.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\BN18.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\BN23.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\BN24.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\BN2C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

It also popped up a message that not all could be removed and that I need to restart my computer to do so. SO I'm posting this and then I'll restart the computer.

Thank you so much.

Sue

Sort by:Oldest

Comments (21)

susanrk
Original Author
15 years ago
last modified: 9 years ago
And in case it helps, here is the log from the quick scan I did a little while before the full scan:

Malwarebytes' Anti-Malware 1.35
Database version: 1940
Windows 5.1.2600 Service Pack 2

4/4/2009 2:16:43 PM
mbam-log-2009-04-04 (14-16-43).txt

Scan type: Quick Scan
Objects scanned: 119871
Time elapsed: 18 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 32

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\securentm (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\securentm (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\port135sik (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\port135sik (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ws2_32sik (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ws2_32sik (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\acpi32 (Rootkit.Spamtool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i386si (Rootkit.Spamtool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\systemntmi (Rootkit.Spamtool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ksi32sk (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ksi32sk (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nicsk32 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsik (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fips32cup (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vkotibebaxixoy (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: digiwet.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\securentm.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\port135sik.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\ws2_32sik.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\ayoqububukukaseg.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\wpv631238699393.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\BN4E.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\BN4F.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\BN50.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\BN51.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\BN52.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\BN53.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\BN54.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\BN5D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\BN5E.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\BN5F.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\BN60.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\BN61.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\BN62.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\BN63.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\BN64.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\BN65.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\BN66.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\BN67.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\BN68.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\BN69.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\BN6A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\BN71.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\BN74.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\BN75.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\BN76.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\digiwet.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\ksi32sk.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
daylilydayzed
15 years ago
last modified: 9 years ago
Also empty your restore points. Go to Start-Program-Accessories-System Tools-System Restore-System Restore Settings. Turn it off and reboot your computer . Upon reboot , once computer is up and running again Repeat the steps I have outlined and Turn the System Restore settings back on and create a clean restore point.
Related Discussions
System Danger from Microsoft
Q
Comments (29)
RC, Not sure what you mean by copy and type what it shows for the question you're having problems with. I can't register, so, I can't reply to the thread. I feel like such a dunce. I'll keep watching the thread and perusing the loads of info they have there. On the anti-bot question: What's the code? The color that matches its name is Orange, right? Number of letters that's repeated in the recording is 5, right? Sorry if I shouldn't be mentioning this here, but I know it's simple. I guess I'm even more simple because I can't figure it out.
...See More
How to remove winpc defender
Q
Comments (11)
Thanks so much! I did run Malwarebytes this morning, but it didn't remove the defender program. This afternoon it did. I must have done something wrong. Here is the log: (Let me know if you think I should do something else.) Malwarebytes' Anti-Malware 1.34 Database version: 1864 Windows 5.1.2600 Service Pack 3 3/18/2009 1:28:12 PM mbam-log-2009-03-18 (13-28-12).txt Scan type: Quick Scan Objects scanned: 73661 Time elapsed: 7 minute(s), 57 second(s) Memory Processes Infected: 1 Memory Modules Infected: 0 Registry Keys Infected: 8 Registry Values Infected: 1 Registry Data Items Infected: 3 Folders Infected: 0 Files Infected: 3 Memory Processes Infected: C:\Documents and Settings\Stephanie Turner\Application Data\pcdefender.exe (Rogue.Installer) -> Unloaded process successfully. Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CLASSES_ROOT\ieocxapp.ieocx (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\TypeLib\(a54dc52d-7aad-4d40-a126-337211631edc) (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\(4b66e1df-4de3-4cda-83b5-11673eadab0b) (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\(96ad72e4-2e2b-4ffc-a5bb-279c2714af12) (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\(96ad72e4-2e2b-4ffc-a5bb-279c2714af12) (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(96ad72e4-2e2b-4ffc-a5bb-279c2714af12) (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\ieocxapp.ieocx.1 (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\WinPC Defender (Rogue.WinPCDefender) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysav (Rogue.Installer) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\Documents and Settings\Stephanie Turner\Application Data\pcdefender.exe (Rogue.Installer) -> Quarantined and deleted successfully. C:\WINDOWS\ieocx.dll (Trojan.BHO) -> Quarantined and deleted successfully. C:\Documents and Settings\Stephanie Turner\Application Data\BIT3E.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
...See More
Trojan horse Rootkit CW uh oh
Q
Comments (35)
This is the second Malwarebytes scan after I removed everything I could from the first scan results. Malwarebytes' Anti-Malware 1.35 Database version: 1939 Windows 5.1.2600 Service Pack 3 04/03/2009 11:04:36 PM mbam-log-2009-04-03 (23-04-36).txt Scan type: Full Scan (C:\:) Objects scanned: 119355 Time elapsed: 47 minute(s), 4 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 15 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 8 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\acpi32 (Rootkit.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\acpi32 (Rootkit.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\amd64si (Rootkit.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\amd64si (Rootkit.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amd64si (Rootkit.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\netsik (Rootkit.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsik (Rootkit.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nicsk32 (Rootkit.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nicsk32 (Rootkit.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\i386si (Rootkit.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i386si (Rootkit.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati64si (Rootkit.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ati64si (Rootkit.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati64si (Rootkit.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fips32cup (Rootkit.Agent) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\System Volume Information\_restore"415790D9-BB81-41AF-9469-EEC2DB43FA43>\RP997\A0179839.sys (Rootkit.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\drivers\acpi32.sys (Rootkit.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\drivers\amd64si.sys (Rootkit.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\drivers\netsik.sys (Rootkit.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\drivers\nicsk32.sys (Rootkit.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\drivers\fips32cup.sys (Rootkit.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\drivers\i386si.sys (Rootkit.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\drivers\ati64si.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
...See More
Computer - spyware/adware problem. ? what should I do
Q
Comments (17)
I read this forum quite regularly, but rarely post here...But sometimes.... I just gotta say it..... You people are nuts...... I am quite used to people telling me I am nuts and have no idea what I am talking about when it comes to such matters, BUT since I am never, make that NEVER the one who has neither virus/malware issues and problems and NEVER have spent even a dime nor any time on such matters, the reality of the situation is that I and the few other Linux users here are really the only ones who have any idea what they are talking about when it comes to PC Operating Systems and PC "security".... A whole forum of "what should I get","what's wrong" "I bought/installed and/but" "what should I do". Soon many reading this will be thinking "Oh he's just one of those Linux nutscases" But, ask yourself, does he "Buy this", "get this", "do this"......Oh yeah, and then ask yourself if your system can match mine on safety, security, performance. I have yet to have either of these boxes contract a virus or a worm or a root-kit nor any other form of malware, not bad for systems running zero AV/security software..... I very rarely ever disconnect from the W3 and rarely ever even turn either of these things off. I have 4 browsers running right now and my email account has been open for days. Other than an outgoing firewall, I am currently running absolutely zero "security" software of any kind. And no reformatting, no scans, no defrags, no registry anythings. I watch videos, play music, redo photo's, make phone calls and do all sorts of other sometimes fun stuff with neither and never a worry nor a care. And my total investment in Operating Systems and software on both boxes equals zero dollars and zero cents. And all my upgrades/dates are free too..... Do yourselves a big favor and go to distrowatch.com, read about the different flavors of Linux and pick yourself out a few LiveCD versions to trial. Or you can always just wait for MSWin7 to be released and start buying all sorts of new software to go along with your already penetrated and compromised, outdated and obsolete brand new high dollar Operating System. Some of the new Linus distro's are so simple to install and use that my best friends 59 y.o.wife has installed several different versions on the same hard-drive and has figured out how to use them all with little more than dang near no assistance from any body. She has even figured out how to use Knoppix6 full time and save everything she does/wants to a persistant image. Oh yeah, she is really good at kids and cooking and sewing and fishing and growing things and all sorts of DIY stuff, but, when it comes to computers, she has the techno-savvy and training of your average box of rocks..... Dang folks....even my daughter, whose "technotude" is somewhat close to absolutely zero has installed and has everything running and learned the ins and outs of both SimplyMepis and VectorLinux on her PC all by her little ol' self. And while her friends are having regular issues after frequenting such mandatory malware magnet sites as YouTube, and MySpace she has nothing of the sort, ever.... But, if you wanna believe that you must MUST have MSWin-something, feel free to spend way too much for way too little, and want to keep spending and installing/scanning/removing/etc for no other reason than you insist on running something as shaky and insecure as Vista1, hurry up and buy the fix for Vista1, Vista2, otherwise known as MSWin7, that's certainly your right.... Well, let's see...I may have exaggerated things a bit by stating the "free" thing........Getting Linux will cost you somewhere around $.125 for a blank CD-R, or the current cost of a blank DVD-R.... HAGD Here is a link that might be useful: better than MSWindows, IMHO it is anyway
...See More
zep516
15 years ago
last modified: 9 years ago
Do not empty the restore points
zep516
15 years ago
last modified: 9 years ago
Click Here to download HJTInstall.exe
Save HJTInstall.exe to your desktop.
Â Doubleclick on the HJTInstall.exe icon on your desktop.
Â By default it will install to C:\Program Files\Trend Micro\HijackThis .
Â Click on Install.
Â It will create a HijackThis icon on the desktop.
Â Once installed, it will launch Hijackthis.
Â Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Â Click on "Edit > Select All" then click on "Edit > Copy" and Paste the entire contents of the log (no attachments) into your next post.
DO NOT use the AnalyzeThis button, its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what HJT lists will be harmless or even required by your Operating System, a spyware fighter will guide you.
susanrk
Original Author
15 years ago
last modified: 9 years ago
I already followed daylilydazed's instructions up to the point of "create a restore point" before I saw zep's instructions not to do so. Now what?
zep516
15 years ago
last modified: 9 years ago
Cont with hijackthis instruction , above get out of system restore.
susanrk
Original Author
15 years ago
last modified: 9 years ago
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:07:21 PM, on 4/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_12\bin\jucheck.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Owner\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - (06849E9F-C8D7-4D59-B87D-784B7D6BE0B3) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - (3CA2F312-6F6E-4B53-A66E-4E65E497C8C0) - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - (761497BB-D6F0-462C-B6EB-D4DAF1D92D43) - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - (A057A204-BACC-4D26-9990-79A187E2698E) - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - (AA58ED58-01DD-4d91-8333-CF10577473F7) - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - (AF69DE43-7D58-4638-B6FA-CE66B5AD205D) - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O3 - Toolbar: (no name) - (BA52B914-B692-46c4-B683-905236F6F655) - (no file)
O3 - Toolbar: (no name) - (0BF43445-2F28-4351-9252-17FE6E806AA0) - (no file)
O3 - Toolbar: &Google Toolbar - (2318C2B1-4965-11d4-9B18-009027A5CD4F) - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AVG Security Toolbar - (A057A204-BACC-4D26-9990-79A187E2698E) - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Vkotibebaxixoy] rundll32.exe "C:\WINDOWS\aleritul.dll",e
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Owner] C:\Documents and Settings\Owner\Owner.exe /i
O9 - Extra button: (no name) - (08B0E5C0-4FCB-11CF-AAA5-00401C608501) - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - (08B0E5C0-4FCB-11CF-AAA5-00401C608501) - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: Messenger - (FB5F1910-F110-11d2-BB9E-00C04F795683) - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - (FB5F1910-F110-11d2-BB9E-00C04F795683) - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: (6414512B-B978-451D-A0D8-FCFDF33E833C) (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188145865578
O18 - Protocol: linkscanner - (F274614C-63F8-47D5-A4D1-FBDDE494F8D1) - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

--
End of file - 5102 bytes
susanrk
Original Author
15 years ago
last modified: 9 years ago
I will check back in late this evening. Thank you so much for your continued help!

Sue
zep516
15 years ago
last modified: 9 years ago
Download random's system information tool (RSIT) by random/random see link below.
save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt( will be maximized) and info.txt (will be minimized)

Click RIST SAVE FILE TO DESKTOP
susanrk
Original Author
15 years ago
last modified: 9 years ago
Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2009-04-04 16:34:24
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 136 GB (89%) free of 153 GB
Total RAM: 510 MB (38% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:34:31 PM, on 4/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_12\bin\jucheck.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\Desktop\RSIT.exe
C:\Documents and Settings\Owner\Owner.exe
C:\Program Files\Trend Micro\HijackThis\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - (06849E9F-C8D7-4D59-B87D-784B7D6BE0B3) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - (3CA2F312-6F6E-4B53-A66E-4E65E497C8C0) - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - (761497BB-D6F0-462C-B6EB-D4DAF1D92D43) - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - (A057A204-BACC-4D26-9990-79A187E2698E) - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - (AA58ED58-01DD-4d91-8333-CF10577473F7) - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - (AF69DE43-7D58-4638-B6FA-CE66B5AD205D) - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O3 - Toolbar: (no name) - (BA52B914-B692-46c4-B683-905236F6F655) - (no file)
O3 - Toolbar: (no name) - (0BF43445-2F28-4351-9252-17FE6E806AA0) - (no file)
O3 - Toolbar: &Google Toolbar - (2318C2B1-4965-11d4-9B18-009027A5CD4F) - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AVG Security Toolbar - (A057A204-BACC-4D26-9990-79A187E2698E) - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Vkotibebaxixoy] rundll32.exe "C:\WINDOWS\aleritul.dll",e
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Owner] C:\Documents and Settings\Owner\Owner.exe /i
O9 - Extra button: (no name) - (08B0E5C0-4FCB-11CF-AAA5-00401C608501) - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - (08B0E5C0-4FCB-11CF-AAA5-00401C608501) - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: Messenger - (FB5F1910-F110-11d2-BB9E-00C04F795683) - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - (FB5F1910-F110-11d2-BB9E-00C04F795683) - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: (6414512B-B978-451D-A0D8-FCFDF33E833C) (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188145865578
O18 - Protocol: linkscanner - (F274614C-63F8-47D5-A4D1-FBDDE494F8D1) - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

--
End of file - 5335 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(06849E9F-C8D7-4D59-B87D-784B7D6BE0B3)]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(3CA2F312-6F6E-4B53-A66E-4E65E497C8C0)]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-03-27 1078552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(761497BB-D6F0-462C-B6EB-D4DAF1D92D43)]
SSVHelper Class - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll [2007-05-02 440056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(A057A204-BACC-4D26-9990-79A187E2698E)]
AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2009-03-27 1968920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(AA58ED58-01DD-4d91-8333-CF10577473F7)]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-02-21 251504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(AF69DE43-7D58-4638-B6FA-CE66B5AD205D)]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll [2009-02-22 657904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
(BA52B914-B692-46c4-B683-905236F6F655)
(0BF43445-2F28-4351-9252-17FE6E806AA0)
(2318C2B1-4965-11d4-9B18-009027A5CD4F) - &Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-02-21 251504]
(A057A204-BACC-4D26-9990-79A187E2698E) - AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2009-03-27 1968920]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\System32\igfxtray.exe [2005-10-19 155648]
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe [2005-10-19 126976]
"UpdReg"=C:\WINDOWS\UpdReg.EXE [2000-05-11 90112]
"DVDLauncher"=C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe [2004-04-11 53248]
"EPSON Stylus CX3800 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE [2005-02-07 98304]
"Adobe Photo Downloader"=C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe [2007-03-09 63712]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2007-05-11 40048]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe [2007-05-02 75520]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-03-27 1932568]
"Vkotibebaxixoy"=C:\WINDOWS\aleritul.dll [2007-03-08 157184]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\MSMSGS.EXE [2004-10-13 1694208]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-11-23 68856]
"Owner"=C:\Documents and Settings\Owner\Owner.exe [2009-04-04 20419]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-03-27 10520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2005-10-19 348160]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
bosr40.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft Games\Age of Empires\EMPIRESX.EXE"="C:\Program Files\Microsoft Games\Age of Empires\EMPIRESX.EXE:*:Enabled:Age of Empires, the Rise of Rome"
"C:\Program Files\EA GAMES\The Battle for Middle-earth (tm)\game.dat"="C:\Program Files\EA GAMES\The Battle for Middle-earth (tm)\game.dat:*:Enabled:The Battle for Middle-earth (tm)"
"C:\Program Files\Maxis\SimCity 3000 Unlimited\Apps\Updater\UPDATER.EXE"="C:\Program Files\Maxis\SimCity 3000 Unlimited\Apps\Updater\UPDATER.EXE:*:Enabled:SC3UpdaterMFC"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\WINDOWS\system32\userinit.exe"="C:\WINDOWS\system32\userinit.exe:*:Enabled:ENABLE"
"C:\WINDOWS\Explorer.EXE"="C:\WINDOWS\Explorer.EXE:*:Enabled:ENABLE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2009-04-04 16:34:24 ----D---- C:\rsit
2009-04-04 16:02:42 ----D---- C:\Program Files\Trend Micro
2009-03-28 00:03:10 ----HD---- C:\$AVG8.VAULT$
2009-03-27 22:26:41 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2009-03-27 22:26:34 ----D---- C:\Documents and Settings\Owner\Application Data\AVGTOOLBAR
2009-03-27 22:26:20 ----D---- C:\Program Files\AVG
2009-03-27 22:26:19 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-03-13 17:45:57 ----D---- C:\~MSSETUP.T
2009-03-13 17:44:55 ----D---- C:\Program Files\Maxis
2009-03-13 17:36:43 ----A---- C:\WINDOWS\IsUninst.exe
2009-03-11 03:01:07 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-03-11 03:00:56 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$

======List of files/folders modified in the last 1 months======

2009-04-04 16:34:31 ----D---- C:\WINDOWS\Prefetch
2009-04-04 16:31:38 ----D---- C:\WINDOWS\system32\drivers
2009-04-04 16:02:42 ----RD---- C:\Program Files
2009-04-04 15:50:21 ----D---- C:\Program Files\Mozilla Firefox
2009-04-04 15:35:39 ----SHD---- C:\System Volume Information
2009-04-04 15:35:39 ----D---- C:\WINDOWS\system32\Restore
2009-04-04 15:35:23 ----D---- C:\WINDOWS\Temp
2009-04-04 15:34:05 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-04-04 15:30:14 ----D---- C:\WINDOWS
2009-04-04 14:20:07 ----D---- C:\WINDOWS\system32
2009-04-04 13:56:19 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-03-28 13:46:58 ----SHD---- C:\RECYCLER
2009-03-27 23:27:11 ----D---- C:\WINDOWS\system32\CatRoot_bak
2009-03-27 23:27:11 ----D---- C:\WINDOWS\system32\CatRoot
2009-03-27 23:27:10 ----D---- C:\WINDOWS\system32\CatRoot2
2009-03-27 23:27:08 ----HD---- C:\WINDOWS\inf
2009-03-27 22:25:42 ----SHD---- C:\WINDOWS\Installer
2009-03-27 22:25:40 ----D---- C:\WINDOWS\WinSxS
2009-03-27 22:23:21 ----SD---- C:\Documents and Settings\Owner\Application Data\Microsoft
2009-03-13 17:50:46 ----RSD---- C:\WINDOWS\Fonts
2009-03-13 17:46:24 ----D---- C:\Program Files\Microsoft Office
2009-03-13 17:46:10 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-03-11 06:21:49 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-03-11 03:01:09 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-03-11 03:01:02 ----A---- C:\WINDOWS\imsins.BAK
2009-03-10 13:38:09 ----HD---- C:\WINDOWS\$hf_mig$

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-03-27 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-03-27 27656]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-03-28 108552]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 OMCI;OMCI; C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [2001-08-22 13632]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R2 PfModNT;PfModNT; \??\C:\WINDOWS\System32\PfModNT.sys []
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys [2003-06-30 43136]
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\System32\DRIVERS\ctsfm2k.sys [2003-09-22 130192]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 HSF_DP;HSF_DP; C:\WINDOWS\System32\DRIVERS\HSF_DP.sys [2003-11-17 1042432]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\System32\DRIVERS\HSFHWBS2.sys [2003-11-17 212224]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2005-10-19 807998]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\System32\DRIVERS\ctoss2k.sys [2003-09-22 178672]
R3 P16X;Creative SB Live! Series (WDM); C:\WINDOWS\system32\drivers\P16X.sys [2003-09-22 1330048]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-09-19 21248]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-04 15104]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 winachsf;winachsf; C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys [2003-11-17 680704]
S2 ati64si;ati64si; \??\C:\WINDOWS\system32\drivers\ati64si.sys []
S2 fips32cup;fips32cup; \??\C:\WINDOWS\system32\drivers\fips32cup.sys []
S2 i386si;i386si; \??\C:\WINDOWS\system32\drivers\i386si.sys []
S2 netsik;netsik; \??\C:\WINDOWS\system32\drivers\netsik.sys []
S2 nicsk32;nicsk32; \??\C:\WINDOWS\system32\drivers\nicsk32.sys []
S2 port135sik;port135sik; \??\C:\WINDOWS\system32\drivers\port135sik.sys []
S2 securentm;securentm; \??\C:\WINDOWS\system32\drivers\securentm.sys []
S2 ws2_32sik;ws2_32sik; \??\C:\WINDOWS\system32\drivers\ws2_32sik.sys []
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-03-27 908056]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-03-27 298264]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\System32\wdfmgr.exe [2005-01-28 38912]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe []
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]

-----------------EOF-----------------
susanrk
Original Author
15 years ago
last modified: 9 years ago
message I got:

Illegal String Alert:

Your message contains an illegal string of characters. This string may be an HTML code that would pose a security problem OR it may a word that can be construed as profanity.

Try going back and removing any HTML code from the message and/or scan it for any words that could be construed as profanity or might be similarly objectionable.

There are security concerns that prevent us from providing you with the string.

We realize you may be using this code and/or language innocently, but our programming cannot make that determination.

Thank you for your cooperation.
zep516
15 years ago
last modified: 9 years ago
Got ya can't do it here on HTML. That's ok go back to pams thread follow the directions for posting at the other forum.

Follow the same directions I gave pam...Thats the forum in the link below.
ravencajun Zone 8b TX
15 years ago
last modified: 9 years ago
Definitely go on over to LzD and put a link back to this thread in your new thread there so the team is up to where you are.

Never ever remove restore points when working with a removal until told you are all clear and we know things are working then the very last step will take care of clearing the restore points, should you get an infection that causes the need to go back to a former restore point we need them even if it is infected we can deal with that but if we have no restore points at all we are in a worse state. so always the last step after full clean will be the restore points.
ravencajun Zone 8b TX
15 years ago
last modified: 9 years ago
susan I can start a thread there for you but you will need to go ahead and register there and look in this area for your thread.
HijackThis Logs

look for the thread with your name on it and please follow all instructions given by the team step by step, if you have problems or don't understand please just ask, it takes time to do this so be patient.
zep516
15 years ago
last modified: 9 years ago
Wonder where this is coming from this is # 3 in less the 24hrs
susanrk
Original Author
15 years ago
last modified: 9 years ago
Hi,

I've been trying to get registered at Landzdown for the past few hours and I still haven't received my activation email. (yes, I checked spam folder). I even tried re-registering using a diff. user name, email, etc, from my uninfected laptop, and I can't get an activation email on there either. So that's why I haven't responded to the thread over there that you guys so kindly started for me. I guess I will just go ahead and follow the instructions posted there, and if I have questions, I'll have to post them here. Thanks again,

Sue
susankarberg_sbcglobal_net
15 years ago
last modified: 9 years ago
Sorry to have to post this here; I am still unable to register at Landzdown. If someone could post this over there, I'd appreciate it very much.

I completed the instructions, and had just copied the combofix log and was about to post it here when the screen suddenly went black and then the blue screen came on. It says:

A Problem has been detected and windows has been shut down to prevent damage to your computer.

BAD_POOL-CALLER

If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps:

Check to make sure any new hardware or softwar is properly installed. If this is a new installation, ask your hardware or software manufacturer for any windows jupdates you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use safe mode to remove or disable components, restart your computer, press F to select Advanced Strtup Options, and then select safe mode.

Technical information:

*** STOP: 0x000000c2 (0x00000007 , 0x00000CD4 , 0x000016EB, 0x81795430)

Beginning dump of physical memory
Physical memory dump complete.
Contact your system administrator or technical support group for further assistance.

I just typed all of that here (I'm on a different computer) and the blue screen is still up, and the computer is making "working" noise. Should I just turn the power off? I have no idea what to do now.

Thanks,

Sue
owbist
15 years ago
last modified: 9 years ago
According to the link below your ATI RAGE video driver is corrupt.
susanrk
Original Author
15 years ago
last modified: 9 years ago
Hmm, the affected computer is a pretty basic Dell Dimension desktop that I bought in 2004 or 2005; I know I didn't get any special video cards put in it. Is ATI RAGE something that would have been standard on a basic desktop then? Sorry, I don't know much about the inner workings of computers.
ravencajun Zone 8b TX
15 years ago
last modified: 9 years ago
ok glad we got you registered now at LzD, just follow their directions one step at a time and do ask questions when you have them.
susanrk
Original Author
15 years ago
last modified: 9 years ago
Thank you all so much for your help!

another trojan rootkit cw

Comments (21)

susanrk
Original Author

daylilydayzed

Related Discussions

zep516

zep516

susanrk
Original Author

zep516

susanrk
Original Author

susanrk
Original Author

zep516

susanrk
Original Author

susanrk
Original Author

zep516

ravencajun Zone 8b TX

ravencajun Zone 8b TX

zep516

susanrk
Original Author

susankarberg_sbcglobal_net

owbist

susanrk
Original Author

ravencajun Zone 8b TX

susanrk
Original Author

COMPANY

BUSINESS SERVICES

GET HELP

CONNECT WITH US

another trojan rootkit cw

Comments (21)

susanrkOriginal Author

Related Discussions

susanrkOriginal Author

susanrkOriginal Author

susanrkOriginal Author

susanrkOriginal Author

susanrkOriginal Author

susanrkOriginal Author

susanrkOriginal Author

susanrkOriginal Author

COMPANY

BUSINESS SERVICES

GET HELP

CONNECT WITH US

susanrk
Original Author

susanrk
Original Author

susanrk
Original Author

susanrk
Original Author

susanrk
Original Author

susanrk
Original Author

susanrk
Original Author

susanrk
Original Author

susanrk
Original Author