Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Odd behaivior after using autorun by (Sysinternals), not sure if I am infected

  • Please log in to reply
3 replies to this topic

#1 ZzacH


  • Members
  • 4 posts
  • Local time:08:18 AM

Posted 19 July 2013 - 09:17 PM

Hi everybody, after running Autorun by Sysinternals in safe mode I experienced some odd behavior with my browsers (Firefox, Opera, Explorer), also Kaspersky Pure, and Zemana Antiloger.


I was following the tutorial, "How to remove a Trojan, Virus, Worm, or other Malware", and as I was saying above I was running Autorun in safe mode. I was giving all the tabs a once over when I came to the "BootExecute" tab. There are 9 entries,(I took a screen shot but can't figure out how to attach it),  one said autocheck but was invalid. The others are all strange symbols, maybe another language?, I don't know. Anyway they were all invalid as well, not really knowing if these entries were safe to delete I went ahead and did just that. After I deleted them I rebooted, signed on, and that's when all hell broke loose. I tried to go online first with Explorer and then Firefox and finally Opera all with the same results, unable to connect. I wish I had of took note of the error  messages but I panicked, and restored my system. But not before I received more error messages from my action center. Apparently my internet security/antivirus (Kaspersky Pure 3.0) was turned off. I tried to turn it back on through the action center prompt with negative results. Also my Zemana Anti-logger  was malfunctioning. That's as far as I got before I did a system restore.


My question is ,"Am I infected?"  I checked the BootExecute section again and all the same entries are back, if more info is needed I can certainly provide that.


I am on a windows 7 Ultimate 64bit SP1, Presario Compaq CQ56 Notebook. Kaspersky Pure 3.0 as my main Security, also Malwarebytes Pro and Zemana Anti-logger.


Thanks in advance,










BC AdBot (Login to Remove)


#2 GodfatherKing


  • Members
  • 587 posts
  • Gender:Male
  • Local time:02:18 PM

Posted 20 July 2013 - 03:13 AM

There is a possibility the services and startups have been damaged by the program (Autoruns), but it can be malware also. Try running first Rkill and then TDSSKiller. 


Running Rkill


RKill can be downloaded from the following location:


Please note that the other file names at the link above are RKill as well, but just renamed in order to allow it run by certain malware.

When RKill is run it will display a console screen similar to the one below:


That console screen will continue to run until it RKill has finished. Once finished, the box will close and a log will be displayed showing all of the processes that were terminated by RKill and while RKill was running.



Running TDSSKiller to obtain log


Note: Don't cure or delete a threat, but choose skip for all instead.

  • Please download TDSSKiller from here and save it to your Desktop
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters


  • In the Additional options: Check Detect TDLFS file system
  • Click Start Scan and allow the scan process to run


  • Choose for all threats to Skip for all of them.
  • Click Continue
  • Please post the TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically c:\)


If you have received help from me and I don't have respond to you for almost >= 3 days, send me a Private Message.  :hello:

#3 ZzacH

  • Topic Starter

  • Members
  • 4 posts
  • Local time:08:18 AM

Posted 20 July 2013 - 06:09 PM

Can you tell me where in my c directory I would find the TDSSKiller scan log. I looked everywhere but can't see it. I can tell you the results, scan came up clean.

Kaspersky was giving me a hard time, Backdoor they claim, as the rkill page states as well, so I submitted the file for them to scan. I got their results back by email and they cleared it.anyways here's the results for rkill


The scan results for rKill are as follows


Rkill 2.5.7 by Lawrence Abrams (Grinler)
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:

Program started at: 07/20/2013 06:52:41 PM in x64 mode.
Windows Version: Windows 7 Ultimate Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * Explorer Policy Removed:  NoActiveDesktopChanges [HKLM]

Backup Registry file created at:

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

 * Windows Firewall Disabled

   "EnableFirewall" = dword:00000000

Checking Windows Service Integrity:

 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 07/20/2013 06:56:31 PM
Execution time: 0 hours(s), 3 minute(s), and 50 seconds(s)

#4 GodfatherKing


  • Members
  • 587 posts
  • Gender:Male
  • Local time:02:18 PM

Posted 21 July 2013 - 05:41 AM

Run again TDSSKiller and check if you can get a log in your C:\.


If you still can't find a log try running TDSSKiller again and choose after scanning "Report":



If you have received help from me and I don't have respond to you for almost >= 3 days, send me a Private Message.  :hello:

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users