
Safe mode registry keys missing and unfamiliar registry keys appear


This topic is locked
28 replies to this topic

#1 Averus (Members, 29 posts)
Posted 20 December 2009 - 02:25 PM

Hi. I've been having issues with popups and performance lately and my AVG and MBAM scans weren't finding anything, so I tried booting into safe mode and scanning that way. Much to my dismay I found that in the middle of loading the partitions the computer would reset and I would get a black screen telling me that safe mode failed to boot and that I should try loading Windows normally.

I opened up my regedit and, lo and behold, the SAFEBOOT subfolder is missing entirely. I'm not really comfortable poking around in the registry; the only experience I have with it is looking around. I really kinda need to have safe mode, but my computer didn't come with a CD that I've seen mention of for fixing this kind of thing. Is there a way I can just manually restore the missing registry keys by typing in the necessary information?

In addition, I noticed a few keys which don't seem like they are supposed to be there, I searched them in search engines but with no results. I've included the key and the information that comes up on the little side-panel when I click on the key in question.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\vijutafa
Name:(Default) Type: REG_SZ Data:(value not set)
Name:sinujehi Type: REG_BINARY Data: ( not sure if you need this bit, it's huge and would take forever to type out...

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\vijutafa
Name:(Default) Type: REG_SZ Data:(value not set)
Name:liluwoza Type: REG_BINARY Data:89 0b 08 ed af 67 db 45 9f 1e 67 2a 66 0e a5 ad
Name:panawijo Type: REG_BINARY Data:6e 6b 73 66 30 30 30 33 37
Name:pawiwaye Type: REG_BINARY Data:9b 0d 03 00
Name:zijomoji Type: REG_BINARY Data:40 22 0f dc de 9d 11 de a3 37 20 00 91 ff ff f0

I would like to simply delete these mysterious keys but I'm not sure if that would screw up my computer or not, so I figured I would give what information I had and go from there. I haven't noticed any other suspicious keys, but I haven't really looked either. AVG found nothing last night and MBAM (just updated last night) found nothing this morning. Other than safe mode not working, my only issues are browser redirects from my Google and Yahoo searches and much slower than normal operation, especially MBAM and the internet (I use Firefox 2.5 or 3, I don't remember which).

I think I've included everything, I hope I've given you guys enough to help me. Any help would be appreciated as I am WAY out of my league here.



#2 hamluis (Moderator, 55,247 posts, Killeen, TX)
Posted 20 December 2009 - 03:15 PM

If your system is functioning normally...I would suggest that you stop fiddling with the registry.

If you persist in doing such, I can only hope that you have backed up the registry.

ERUNT Registry Backup Tool - http://www.snapfiles.com/get/erunt.html

Using regedit in Windows Registry - http://mikescomputerinfo.com/xpregistry.htm. You will note that it clearly indicates that advanced users (those who feel comfortable and who are somewhat careful and knowledgeable is the way that I translate that phrase) are the persons such links are directed to.

Louis

#3 AustrAlien, Inquisitor (BC Advisor, 6,772 posts, Cowra NSW Australia)
Posted 20 December 2009 - 03:56 PM

I've been having issues with popups and performance lately and my AVG and MBAM scans weren't finding anything .............. the SAFEBOOT subfolder is missing entirely. ............. Other than safe mode not working, my only issues are browser redirects from my google and yahoo searches and much slower than normal operation, especially MBAM and the internet ( I use firefox .... ).

How about I request a Moderator to move this thread into the "Am I Infected?" forum area, where the malware issues can be addressed. Is that OK with you?

Removing the malware will take care of the browser redirects and pop-ups, and is likely to fix the "slowness" too. It might also take care of those "mysterious" registry entries.

Re: "SAFEBOOT subfolder is missing entirely"
Replacing the SafeBoot registry key with a working version is not a problem.

First, we should make a start on removing the malware. In order to do that, we need your thread to be in the "Am I Infected?" forum.
Please let me know if you wish to proceed as I have suggested, and then we can begin.
AustrAlien
Google is my friend. Make Google your friend too.


#4 Averus, Topic Starter (Members, 29 posts)
Posted 20 December 2009 - 04:29 PM

If you feel moving this to the "Am I Infected" forum would be better for helping me out, then by all means, please do.

I know there is malware of some kind or another on my computer; the problem is my programs aren't detecting it. I was hoping that if I scanned it in safe mode I would be able to pick them up and clean them out as this has worked for me in the past, but unfortunately my safe mode has been deleted from my registry so I can't do that. Also, as I suspected, my system restore doesn't work either, but then again nothing can ever be done the easy way can it?

Anyway, have this thread moved if you think it's best and I'll pick up from there. Thanks for your help so far!

#5 AustrAlien, Inquisitor (BC Advisor, 6,772 posts, Cowra NSW Australia)
Posted 20 December 2009 - 06:39 PM

I have requested that this thread be moved, so simply continue posting in this same thread.

Let's see if you can do the following, and get some logs to look at ...
Please use the instructions provided in post #2 by garmanma at the following link, to run MBAM (Quick Scan), ATF Cleaner, SAS and Dr.Web CureIt!
http://www.bleepingcomputer.com/forums/ind...t&p=1499922

*Remember to update MBAM & SAS before running each scan.
If you can't access Safe Mode, when the instructions call for doing so, just use Windows in normal mode.
Remove all problems found: Then post the logs from each of the scans (no log from ATF Cleaner).

Follow that up with a Full Scan by MBAM, and post the log from that too.

Edited by AustrAlien, 20 December 2009 - 06:41 PM.


#6 Averus, Topic Starter (Members, 29 posts)
Posted 21 December 2009 - 12:31 PM

Ok, I downloaded both SAS and Dr. Web Cureit! from cnet.com but I can't open them, I get an error message stating that they are not valid win32 applications. I DID run a quick scan with MBAM after updating it this morning and as I expected it found nothing. I have the log for you. Once I do a full scan, I'll post that too.

Malwarebytes' Anti-Malware 1.42
Database version: 3403
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

12/21/2009 9:28:43 AM
mbam-log-2009-12-21 (09-28-43).txt

Scan type: Quick Scan
Objects scanned: 139931
Time elapsed: 15 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#7 Averus, Topic Starter (Members, 29 posts)
Posted 21 December 2009 - 04:09 PM

Shortly after my previous post I had an outbreak of new symptoms so I disconnected my wireless router and ran a full scan with MBAM. Here is the log; it was quite a doozy:

Malwarebytes' Anti-Malware 1.42
Database version: 3403
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

12/21/2009 11:42:39 AM
mbam-log-2009-12-21 (11-42-25).txt

Scan type: Full Scan (C:\|)
Objects scanned: 195373
Time elapsed: 1 hour(s), 21 minute(s), 37 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 6
Registry Values Infected: 13
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 25

Memory Processes Infected:
C:\WINDOWS\system32\FastNetSrv.exe (Backdoor.Bot) -> No action taken.

Memory Modules Infected:
c:\WINDOWS\system32\6to4v32.dll (Backdoor.Bot) -> No action taken.
c:\WINDOWS\system32\BtwSrv.dll (Backdoor.Bot) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsrv (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fastnetsrv (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_BTWSRV (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_FASTNETSRV (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\winsts (Backdoor.Bot) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate86.exe (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\skmtwe (Spyware.OnlineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\buildw (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\firstinstallflag (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ulrn (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\update (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\updatenew (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udfa (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mfa (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon86.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\winlogon86.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\winlogon86.exe) Good: (Userinit.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\6to4v32.dll (Backdoor.Bot) -> No action taken.
c:\WINDOWS\system32\BtwSrv.dll (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\FastNetSrv.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\winupdate86.exe (Trojan.FakeAlert) -> No action taken.
C:\ogstiuu.exe (Trojan.Inject) -> No action taken.
C:\waxfhosk.exe (Trojan.FakeAlert) -> No action taken.
C:\wxis.exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\A4PKQEDW\w[1].bin (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ZYUPQXO2\w[1].bin (Backdoor.Bot) -> No action taken.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP848\A0132969.dll (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP848\A0132998.dll (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP850\A0134061.dll (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP852\A0134094.dll (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\AVR10.exe (Rogue.InternetSecurity2010) -> No action taken.
C:\WINDOWS\system32\lsm32.sys (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\msfaafta.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\opeia.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\winlogon86.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\winsts.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\wmdtc.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\Temp\kkuskufs.tmp (Backdoor.Bot) -> No action taken.
C:\WINDOWS\irc.txt (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\critical_warning.html (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\winhelper86.dll (Trojan.FakeAlert) -> No action taken.


I also ran AVG immediately after. It only found one thing but I saved a log for it anyway.

"Scan ""Scan whole computer"" was finished."
"Infections";"1";"1";"0"
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"Monday, December 21, 2009, 11:45:03 AM"
"Scan finished:";"Monday, December 21, 2009, 12:44:48 PM (59 minute(s) 44 second(s))"
"Total object scanned:";"331714"


"Infections"
"File";"Infection";"Result"
"C:\nbhfy.exe";"Trojan horse SHeur2.BZKT";"Moved to Virus Vault"

Afterward I restarted the computer and reconnected my internet, but I'm still getting pop ups, and attempted browser redirects. My firewall is up, doesn't allow exceptions and my pop-up blocker is still turned on. I have all of Firefox's security settings maxed out (I think). I'm not sure what else to do from here.
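A parser for the MBAM 1.x log format posted in this thread, added here as an example (it is not part of the thread, of Malwarebytes' software, or of any BleepingComputer tool). The sample log is a trimmed excerpt of the full-scan log above with one action string altered, and the triage rules (which registry locations count as persistence, which detection families mean the host should be treated as compromised, and the check that a pasted log is not shorter than its own summary counts) are this example's own assumptions.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and triage its findings.
Added example, not MBAM code or a BleepingComputer tool; it reads the layout
shown in this thread: counts per category, then "item (Detection) -> action"."""
import re
from collections import Counter
SECTIONS = ("Memory Processes Infected", "Memory Modules Infected",
            "Registry Keys Infected", "Registry Values Infected",
            "Registry Data Items Infected", "Folders Infected", "Files Infected")
# Non-greedy item so the parenthesised detection name is the first one on the
# line, not a "(...)" inside a Bad:/Good: payload further to the right.
FINDING_RE = re.compile(
    r"^(?P<item>.+?) \((?P<detection>[A-Za-z0-9.\-]+)\) -> (?P<rest>.+)$")
BADGOOD_RE = re.compile(
    r"^Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$")
DATA_RE = re.compile(r"^Data: (?P<data>.+?) -> (?P<action>.+)$")
# Registry locations that survive a reboot (this example's own list, taken
# from what the full scan above reported): services, Run key, Winlogon.
PERSISTENCE_MARKERS = ("\\services\\", "\\currentversion\\run\\", "\\winlogon\\")

# Constructed sample: a trimmed excerpt of the full-scan log posted above, with
# the last action string changed so that both outcomes appear.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.42
Scan type: Full Scan (C:\|)

Memory Processes Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 2
Files Infected: 1

Memory Processes Infected:
C:\WINDOWS\system32\FastNetSrv.exe (Backdoor.Bot) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fastnetsrv (Backdoor.Bot) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate86.exe (Trojan.FakeAlert) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon86.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\winlogon86.exe) Good: (Userinit.exe) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\winsts.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

def parse_mbam_log(text):
    """Return {"counts": {section: n}, "findings": [finding dicts]}."""
    counts, findings, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        head, sep, tail = line.partition(":")
        if head in SECTIONS and sep:
            if tail.strip().isdigit():    # summary line, e.g. "Files Infected: 25"
                counts[head] = int(tail)
            elif not tail.strip():        # section header, e.g. "Files Infected:"
                section = head
            continue
        m = FINDING_RE.match(line)
        if not (section and m):
            continue                      # scanner/OS metadata line, ignore
        f = {"section": section, "item": m["item"], "detection": m["detection"]}
        rest = m["rest"]
        if (bg := BADGOOD_RE.match(rest)):
            f.update(bad=bg["bad"], good=bg["good"], action=bg["action"])
        elif (d := DATA_RE.match(rest)):
            f.update(data=d["data"], action=d["action"])
        else:
            f["action"] = rest
        findings.append(f)
    return {"counts": counts, "findings": findings}

def triage(report):
    """Persistence points, detections meaning the host should be treated as
    compromised, items left in place, and sections shorter than the summary counts."""
    out = {"persistence": [], "rootkit_or_backdoor": [], "userinit_bad": None,
           "not_removed": 0, "sections_short": []}
    for f in report["findings"]:
        item = f["item"].lower()
        if f["section"].startswith("Registry") and any(
                mk in item for mk in PERSISTENCE_MARKERS):
            out["persistence"].append(f["item"])
        if f["detection"] == "Hijack.Userinit":
            out["userinit_bad"] = f.get("bad")
        if f["detection"].split(".")[0] in ("Rootkit", "Backdoor"):
            out["rootkit_or_backdoor"].append(f["item"])
        if f["action"] == "No action taken.":
            out["not_removed"] += 1
    per_section = Counter(f["section"] for f in report["findings"])
    for sec, n in report["counts"].items():
        if per_section.get(sec, 0) < n:   # fewer lines than the header claims
            out["sections_short"].append(sec)
    return out
```

Run `triage(parse_mbam_log(SAMPLE_LOG))` to see the summary; feeding it the log from post #7 works the same way, and a log whose sections are shorter than its counts shows up in `sections_short`.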

#8 AustrAlien, Inquisitor (BC Advisor, 6,772 posts, Cowra NSW Australia)
Posted 21 December 2009 - 05:11 PM

Please run MBAM again ...
Update MBAM, disconnect from the internet, and run another "Full Scan".
Remove everything it finds, and then post the resulting log.

I would really like you to run Dr.Web CureIt! at this time.
Please try this ...
Delete the existing Dr.Web CureIt! file that you previously downloaded.
Download a fresh copy of Dr.Web CureIt! from here and attempt to run it using garmanma's instructions.
Post the log.

Edited by AustrAlien, 21 December 2009 - 05:13 PM.


#9 Averus, Topic Starter (Members, 29 posts)
Posted 21 December 2009 - 10:16 PM

I ran MBAM again, another full scan but this time it didn't find anything at all; here is the log:

Malwarebytes' Anti-Malware 1.42
Database version: 3403
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

12/21/2009 6:52:40 PM
mbam-log-2009-12-21 (18-52-40).txt

Scan type: Full Scan (C:\|)
Objects scanned: 186247
Time elapsed: 1 hour(s), 20 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I deleted my previous download of Dr. Web Cureit and I followed the instructions from the other post you mentioned. I renamed the file, I changed the file extension, but no matter which extension I tried I always got the same result. I can't open it or run it; an error window pops up saying that the file is not a valid win32 application every time. I get the same error with every new program I download.

#10 AustrAlien, Inquisitor (BC Advisor, 6,772 posts, Cowra NSW Australia)
Posted 22 December 2009 - 03:43 AM

an error window pops up saying that the file is not a valid win32 application every time. I get the same error with every new program I download.

In view of your above comment, and the following ...
quietman7 has previously written: "The error message "Not a valid Win32 application" can be symptomatic of a serious malware infection (Win32.Beagle/W32.Bagle) which disables anti-virus and security tools. It also deletes the Safeboot keys and adds a hidden service and a dangerous rootkit which can be difficult to remove as well as compromises the affected machine to other malware attacks. Depending on how badly you are infected we may or may not be able to deal with it in this forum."
Source: http://www.bleepingcomputer.com/forums/ind...t&p=1261800
I have asked quietman7 to have a look at your thread and suggest the best way forward for you.

#11 AustrAlien, Inquisitor (BC Advisor, 6,772 posts, Cowra NSW Australia)
Posted 22 December 2009 - 07:35 AM

Averus

I came across a current thread in which the OP has a similar problem to you.
Can not start XP in Safe Mode, "Not a Valid Win32 Application" ..... Pacho25
http://www.bleepingcomputer.com/forums/t/279155/can-not-start-xp-in-safe-mode-not-a-valid-win32-application/

Some progress has been made in that thread, and I am wondering if you might also make some progress by following the steps suggested. To that end, I will suggest that you attempt an on-line scan with Eset following the instructions provided by rigel in post #2 at the following link ...
http://www.bleepingcomputer.com/forums/ind...t&p=1538883

I do not know if or when quietman7 will be available, so this will be a good move in the meantime.

#12 quietman7, Bleepin' Janitor (Global Moderator, 50,942 posts, Virginia, USA)
Posted 22 December 2009 - 08:52 AM

I was out of town conducting training last week and came home just in time for a weekend long snow storm. I spent two days digging us out (two feet deep) so we could get to the roadway. Went to work yesterday to play catch up on what I missed, then had to leave early as I came down with some kind of cold bug. Looks like meds, hot tea and bed will be my highlights the next few days. I checked my email before going back to bed and found the PM from AustrAlien asking me to look in on this topic.

As already has been noted some types of malware can delete or alter the safeboot key in the registry resulting in the inability to reboot into safe mode. The malware can also mess with your system restore's functionality. This appears to be what has happened in your case as your system is heavily infected.

IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component and others were related to backdoor Trojans/Bots. Backdoor Trojans, rootkits, Botnets and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the rootkit was identified and may be removed, your machine has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Some infections are difficult to remove completely because of their morphing characteristics which allows the malware to regenerate itself. Sometimes there is another hidden piece of malware which has not been detected by your security tools that protects malicious files and registry keys (which have been detected) so they cannot be permanently deleted. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done we will need you to create and post a DDS/HijackThis log for further investigation. As such, I recommend you do the following.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

#13 Averus, Topic Starter (Members, 29 posts)
Posted 22 December 2009 - 08:18 PM

I managed to run the Eset online scanner and it found 5 threats. Unfortunately, I don't have a log despite having followed Rigel's instructions to the letter. When going to Start and Run I get an error that says

C:\Program Files\EsetOnlineScanner\log.txt refers to a locations that is unavailable. It could be on a hard drive on this computer or on a network. Check to make sure that the disk is properly inserted, or that you are connected to the internet, or your network, and then try again. If it still cannot be located then the information might have been moved to a different location.

I tried this before being given the option to uninstall after closing the program. I DID write down the threats that were found, however, I just don't know WHERE they were found. I have them here:

Win32/Refpron.DJ trojan
Win32/Kryptik.BKV trojan
Win32/Kryptik.BKV trojan
Win32/Kryptik.BKV trojan

(all 4 were variants)

and

Win32/TrojanDownloader.FakeAlert.AED virus

I've scanned it again since this morning and it came out clean, though I still couldn't figure out how to get a log from it. What should I do now? I'll go ahead and download HJT, though I'll probably have the same inability to run it that I've had with all of the other programs I've downloaded recently.

I've noticed the icons on my desktop have changed back to the way they used to look, though I've still been unable to reinstall my safeboot file in the registry (I found a zip file that I double click and it adds it to the registry for me, but it seems to get deleted as soon as it is added, or it is somehow prevented from being added in the first place), so I'm not quite out of the woods yet, but I've finally made some progress after 3 days. I'm kinda scared to scan my computer or do anything until I hear from you guys as to what I should do next; I don't want to lose what little progress I've made.

Edited by Averus, 22 December 2009 - 08:34 PM.


#14 AustrAlien, Inquisitor (BC Advisor, 6,772 posts, Cowra NSW Australia)
Posted 22 December 2009 - 09:26 PM

I'll go ahead and download HJT, though I'll probably have the same inability to run it that I've had with all of the other programs I've downloaded recently.

If you have any problems completing the required steps in the "Preparation Guide For Use Before Posting A Hijackthis Log", please post here (in this thread) and let us know what is happening/ask for assistance .... but do NOT post here any of the logs that you are preparing for the Malware Removal forum. When you have all the information that is required, you can then post to the Malware Removal forum.

Be aware that if you choose to proceed to the "Preparation Guide For Use Before Posting A Hijackthis Log" and then post to the Malware Removal forum, you may have a wait of up to two weeks before you receive assistance: They are very busy.

Try using Windows Explorer to navigate to the location
C:\Program Files\EsetOnlineScanner\log.txt
and then copy the file "log.txt" and paste a copy on your Desktop, open it with Notepad and copy/paste the entire contents in your next post here, in this thread.

#15 Averus, Topic Starter (Members, 29 posts)
Posted 22 December 2009 - 10:41 PM

Hey, it actually worked! Thanks for the tip, I don't know why I didn't think to try it that way. The log seems to contain info for both of the scans I did so here it is:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16945 (vista_gdr.091027-0049)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=0044c10a05680e469b2b1aee36bd981c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-12-22 06:53:23
# local_time=2009-12-22 10:53:23 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1024 16777175 100 0 47417035 47417035 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=55377
# found=5
# cleaned=5
# scan_time=3459
C:\oqnqso.exe a variant of Win32/Refpron.DJ trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Administrator.MAY_CHI.000\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.19718 a variant of Win32/Kryptik.BKV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Sephiroth\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.46360 a variant of Win32/Kryptik.BKV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Sephiroth\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.92858 a variant of Win32/Kryptik.BKV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt Win32/TrojanDownloader.FakeAlert.AED virus (deleted - quarantined) 00000000000000000000000000000000 C
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=7.00.6000.16945 (vista_gdr.091027-0049)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=0044c10a05680e469b2b1aee36bd981c
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-12-23 12:55:26
# local_time=2009-12-22 04:55:26 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1024 16777175 100 0 47437516 47437516 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=55601
# found=0
# cleaned=0
# scan_time=4699

I haven't downloaded HJT yet, mostly because I'm pretty sure it won't open as I still can't open Dr. Web Cureit either, even after changing the file and extension again, though perhaps if I delete it and redownload it MAY work this time (but I doubt it). Do you think disconnecting my internet and scanning again with MBAM and AVG would hurt? I don't want to use my browser or download anything if I don't have to, at least until I'm a little more convinced that it's safe. I've never had an infection this bad before, so I'll just go with whatever you guys think is best as I am in far over my head on my own.



