Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


rstrui.exe (Security.Hijack) keeps coming every reboot

  • This topic is locked This topic is locked
1 reply to this topic

#1 zarzelius


  • Members
  • 1 posts
  • Local time:11:52 AM

Posted 19 February 2014 - 12:24 PM

Afternoon all.
After having problems with both firefox and chrome crashing constantly and randomly, i decided to run eset online scanner to find a few trojans that were removed by the tool.Now i also used malwarebytes just in case and found this.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe (Security.Hijack) 
This happens every time i reboot , and sometimes is 2 of them .The other one has the same name rstrui.exe but is located in a different registry key, ussually in wow64/.../image file execution options/rstrui.exe
Any help is apreciated !
Here is my dds txt file and i attached the needed file as well.
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 8.0.7601.17514  BrowserJavaVersion: 10.51.2
Run by Patry at 14:17:58 on 2014-02-19
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.54.1033.18.4094.2715 [GMT -3:00]
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE
C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
============== Pseudo HJT Report ===============
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
uRun: [EPLTarget\P0000000000000000] C:\Windows\System32\spool\DRIVERS\x64\3\E_IATIIFA.EXE /EPT "EPLTarget\P0000000000000000" /M "XP-201 204 208 Series"
uRun: [office360] \Windows\Explorer.exe
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
TCP: NameServer =
TCP: Interfaces\{A1E40F01-3FAB-4588-86DA-F5F928ADCE23} : DHCPNameServer =
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\32.0.1700.107\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s
x64-SSODL: WebCheck - <orphaned>
============= SERVICES / DRIVERS ===============
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2013-7-20 283064]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2013-10-10 144152]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-11-16 238080]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-11-16 361984]
R2 AODDriver4.1;AODDriver4.1;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys [2012-3-5 53888]
R2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE [2013-9-8 179296]
R2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE [2013-9-8 151648]
R3 amdiox64;AMD IO Driver;C:\Windows\System32\drivers\amdiox64.sys [2013-7-19 46136]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2012-2-23 95760]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 L1C;NDIS Miniport Driver for Atheros AR81xx PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2013-7-19 104048]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2010-11-21 20992]
S3 Synth3dVsc;Synth3dVsc;C:\Windows\System32\drivers\Synth3dVsc.sys [2011-4-12 88960]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\System32\drivers\terminpt.sys [2011-4-12 34816]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-21 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-21 31232]
SUnknown tsusbhub;tsusbhub; [x]
=============== Created Last 30 ================
2014-02-19 15:02:18 -------- d-sh--w- C:\$RECYCLE.BIN
2014-02-19 14:53:09 98816 ----a-w- C:\Windows\sed.exe
2014-02-19 14:53:09 256000 ----a-w- C:\Windows\PEV.exe
2014-02-19 14:53:09 208896 ----a-w- C:\Windows\MBR.exe
2014-02-19 14:47:40 -------- d-----w- C:\Users\Patry\AppData\Roaming\GetRightToGo
2014-02-19 12:22:06 -------- d-----w- C:\Program Files (x86)\ESET
2014-02-18 18:01:28 -------- d-----w- C:\ProgramData\Oracle
2014-02-18 18:01:15 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2014-02-18 17:57:10 -------- d-----w- C:\Windows\System32\appmgmt
2014-02-18 17:54:13 -------- d-----w- C:\Users\Patry\AppData\Local\Apps
2014-02-18 17:54:12 -------- d-----w- C:\Users\Patry\AppData\Local\Deployment
2014-02-18 16:30:00 -------- d-----w- C:\AdwCleaner
2014-02-18 16:29:20 91352 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-02-18 12:30:36 -------- d-----w- C:\Users\Patry\AppData\Roaming\Malwarebytes
2014-02-18 12:30:23 -------- d-----w- C:\ProgramData\Malwarebytes
2014-02-18 12:30:22 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2014-02-18 12:30:22 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-02-18 10:40:59 -------- d-----w- C:\Users\Patry\AppData\Roaming\SUPERAntiSpyware.com
2014-02-18 10:40:35 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2014-02-18 10:40:35 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2014-02-12 22:55:23 -------- d-----w- C:\Program Files\CCleaner
2014-02-08 22:26:30 -------- d-----w- C:\Program Files (x86)\Resident Evil 6
2014-02-01 23:17:19 -------- d-----w- C:\Users\Patry\AppData\Local\MegaDownloader
2014-02-01 23:16:16 -------- d-----w- C:\Users\Patry\AppData\Local\Programs
2014-01-28 23:36:53 -------- d-----w- C:\Users\Patry\AppData\Roaming\uTorrent
==================== Find3M  ====================
2013-12-07 12:53:38 466456 ----a-w- C:\Windows\System32\wrap_oal.dll
2013-12-07 12:53:38 444952 ----a-w- C:\Windows\SysWow64\wrap_oal.dll
2013-12-07 12:53:38 122904 ----a-w- C:\Windows\System32\OpenAL32.dll
2013-12-07 12:53:38 109080 ----a-w- C:\Windows\SysWow64\OpenAL32.dll
============= FINISH: 14:18:08,56 ===============

Attached Files

BC AdBot (Login to Remove)


#2 fireman4it


    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:52 AM

Posted 19 February 2014 - 03:44 PM

I see you have started a Topic in another forum here. For this reason I will now close this topic. Having two different people help you has a potential for serious problems with your machine.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.



If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users