Rootx
asked on
probably infected - HijackThis Log
Hello,
I noticed yesterday that Firefox was running without my permission.
I did some scanning:
HijackThis: http://pastebin.com/6pLBkZSj
Avira: http://pastebin.com/RaLEGVXQ
Malwarebytes' Anti-Malware: http://pastebin.com/rj1J6U6y
Thank you.
Do these instead.....
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit>reg.txt
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v shell>>reg.txt
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v proxyenable>>reg.txt
notepad reg.txt
echo
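A scripted form of the same check, added here as an example and not part of johnb6767's post: it reads the three values the reg query lines above report and flags anything that differs from the assumed Windows 7 defaults (the expected values are assumptions about a default 64-bit install; PowerShell 3.0 or later and an elevated prompt are also assumed).

```powershell
# Added example, not from the thread. Reads the same Winlogon and proxy values
# the reg query commands above report, and flags anything that differs from
# the assumed Windows 7 defaults. Assumes PowerShell 3.0+ and an elevated prompt.
$checks = @(
    @{ Path     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name     = 'Userinit'
       # Assumed default for 64-bit Windows 7; note the trailing comma.
       Expected = 'C:\Windows\system32\userinit.exe,' },
    @{ Path     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name     = 'Shell'
       Expected = 'explorer.exe' },
    @{ Path     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
       Name     = 'ProxyEnable'
       Expected = 0 }
)

function Test-StartupValue {
    param([string]$Path, [string]$Name, $Expected)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # A missing Userinit or Shell value is itself worth a look.
        return [pscustomobject]@{ Name = $Name; Actual = '<missing>'; Expected = $Expected; Status = 'MISSING' }
    }
    $actual = $item.$Name
    # Case-insensitive comparison after trimming; an extra executable appended
    # to Userinit or Shell (a classic persistence location) will not match.
    $status = if ("$actual".Trim() -ieq "$Expected") { 'OK' } else { 'CHECK' }
    [pscustomobject]@{ Name = $Name; Actual = $actual; Expected = $Expected; Status = $status }
}

$results = foreach ($c in $checks) { Test-StartupValue @c }
$results | Format-Table -AutoSize

# Same idea as the reg.txt in the thread: keep a copy of what was found.
$results | Export-Csv -Path "$env:USERPROFILE\Desktop\startup-check.csv" -NoTypeInformation
```

A 'CHECK' row is not proof of infection; it only tells you which value to read closely, as the experts do with the pasted output below.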
ASKER
HKEY_LOCAL_MACHINE\SOFTWAR
Userinit REG_SZ C:\Windows\system32\userin
HKEY_LOCAL_MACHINE\SOFTWAR
shell REG_SZ explorer.exe
HKEY_CURRENT_USER\Software
proxyenable REG_DWORD 0x0
The output.
johnb6767,
The asker already used Malwarebytes and posted a scan log in his opening post.
This log, as well as the HJT log, is clean, as I noted in my comment.
TDSSKiller is a good suggestion, as is ComboFix, which I recommended.
However, in my view there is little to no proof that we are indeed dealing with a malware infection. The information given is too scarce, and the scan logs are extraordinarily clean.
ASKER
Well, I'm in HUGE trouble now. I tried TDSSKiller and got this:
2011/01/11 16:06:31.0043 ================================================================================
2011/01/11 16:06:31.0043 Scan finished
2011/01/11 16:06:31.0043 ================================================================================
2011/01/11 16:06:31.0050 Detected object count: 3
2011/01/11 16:07:11.0106 HKLM\SYSTEM\ControlSet001\services\AeFilter - will be deleted after reboot
2011/01/11 16:07:11.0113 HKLM\SYSTEM\ControlSet002\services\AeFilter - will be deleted after reboot
2011/01/11 16:07:11.0123 C:\Windows\system32\DRIVERS\AeFilter.sys - will be deleted after reboot
2011/01/11 16:07:11.0123 Locked service(AeFilter) - User select action: Delete
2011/01/11 16:07:11.0126 HKLM\SYSTEM\ControlSet001\services\AeKbd6 - will be deleted after reboot
2011/01/11 16:07:11.0126 HKLM\SYSTEM\ControlSet002\services\AeKbd6 - will be deleted after reboot
2011/01/11 16:07:11.0128 C:\Windows\system32\DRIVERS\AeKbd.sys - will be deleted after reboot
2011/01/11 16:07:11.0128 Locked service(AeKbd6) - User select action: Delete
2011/01/11 16:07:11.0130 HKLM\SYSTEM\ControlSet001\services\AeMouse6 - will be deleted after reboot
2011/01/11 16:07:11.0131 HKLM\SYSTEM\ControlSet002\services\AeMouse6 - will be deleted after reboot
2011/01/11 16:07:11.0133 C:\Windows\system32\DRIVERS\AeMouse.sys - will be deleted after reboot
2011/01/11 16:07:11.0133 Locked service(AeMouse6) - User select action: Delete
2011/01/11 16:07:29.0755 Deinitialize success
AeFilter is Faronics Anti-Executable. I chose to remove them, then I rebooted and my mouse and keyboard stopped working. Tried safe mode, etc.; the same.
Windows loads fine; Windows 7 Ultimate 64-bit.
Any help, guys? :(
ASKER
Notice: AE wasn't fully working; it wasn't showing in Task Manager, nor was the icon.
Now I'm using an Ubuntu Linux live CD, so I can remove anything.
Security software and cleaners can do just as much harm to a system as malware can, if not more. They have to be operated with extreme care. If you knew that those files belong to an application you had installed, and a system-critical one too, I don't understand why you chose to have them removed.
Try the System Restore feature from the Win7 installation DVD as described here in "METHOD TWO": http://www.sevenforums.com/tutorials/700-system-restore.html
This should restore the registry keys and system files; however, I do not know whether "system file" applies to third-party software as well. So Aefilter.sys and Aekbd.sys may still be missing after the restore, hence continuing to render your input hardware inoperable.
In that case, the easiest might be to get those two files from another machine with this software installed and copy them manually to C:\Windows\system32\DRIVERS\. You may also find them in a backup.
I advise against using the Ubuntu live CD for this. Since Ubuntu uses file permissions, but does not have a root user, there is a slight chance you could run into permission issues with the copied files. Instead, use this specialized Linux live CD: www.partedmagic.com
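The check the reply above calls for, as an added example that is not part of the thread: before approving deletion of a "locked service", it parses TDSSKiller-style "will be deleted" lines, reports who signed each driver, and names the service that loads it. The log lines are constructed from the output posted above; PowerShell 3.0 or later on the affected machine is assumed.

```powershell
# Added example, not from the thread. Before approving deletion of a "locked
# service", see who signed the driver and which service loads it.
# Assumes PowerShell 3.0+. Sample lines are constructed from the log above.
$logLines = @(
    '2011/01/11 16:07:11.0123 C:\Windows\system32\DRIVERS\AeFilter.sys - will be deleted after reboot',
    '2011/01/11 16:07:11.0128 C:\Windows\system32\DRIVERS\AeKbd.sys - will be deleted after reboot',
    '2011/01/11 16:07:11.0133 C:\Windows\system32\DRIVERS\AeMouse.sys - will be deleted after reboot'
)

function Get-FlaggedDriverInfo {
    param([string[]]$Lines)
    $services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
    foreach ($line in $Lines) {
        # Only lines of the form "<date> <time> <path> - will be deleted ..." carry a file path.
        if ($line -notmatch '^\S+ \S+ (?<path>[A-Za-z]:\\.+?) - will be deleted') { continue }
        $path = $Matches['path']
        $leaf = [IO.Path]::GetFileName($path)
        # Services whose ImagePath ends in this file name, whatever prefix form the path uses
        # (system32\..., \SystemRoot\..., \??\C:\...).
        $owners = $services |
            Where-Object { $ip = $_.GetValue('ImagePath'); $ip -and ([IO.Path]::GetFileName($ip) -ieq $leaf) } |
            ForEach-Object { $_.PSChildName }
        if (Test-Path -LiteralPath $path) {
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            $status = $sig.Status
        } else {
            $signer = '<file not found>'; $status = 'Unknown'
        }
        [pscustomobject]@{
            File     = $leaf
            Signer   = $signer
            SigState = $status
            Services = ($owners -join ', ')
        }
    }
}

# A validly signed driver from a vendor you knowingly installed (here, Faronics) is a
# false-positive candidate; an unsigned or unknown one warrants more digging before deletion.
Get-FlaggedDriverInfo -Lines $logLines | Format-Table -AutoSize
```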
ASKER
I tried System Restore; also, I couldn't find Aefilter.sys and Aekbd.sys. :(
>> "I couldn't find Aefilter.sys and Aekbd.sys"
Well, you will most likely not be able to find those files on the machine in question, unless you made some system backups - as is always advisable.
That's why I suggested installing the Faronics program on another computer, then getting the files from there.
Please note that the problem we are now speaking about has nothing to do with the issue addressed in the original topic of this thread; it therefore should be dealt with in a separate question.
"The asker already used Malwarebytes and posted a scan log in his opening post.
This log, as well as the HJT log, is clean, as I noted in my comment."
Yea, I know, I deleted the wrong one from my KB entry... Thanks....
"However, in my view there is little to no proof that we are indeed dealing with a malware infection. The information given is too scarce, and the scan logs are extraordinarily clean."
That's the reason I had suggested Dr.Web CureIt, as it detects some of the TDSS variants that show this exact behaviour, which TDSSKiller doesn't detect.....
johnb6767,
I read your remark about Dr Web Cureit with much interest. I always thought this was a somewhat underrated scanner, so it's good to know how to put it to some use.
Rootx,
I must object against the proposed deletion of this thread.
Quote: "well, it won't help anyone, it will just make more problems" - this is absolutely no acceptable reason for having a question deleted that was actually answered.
Please check your OP again: we are here in the "HijackThis" zone, you posted some scan logs and wanted them reviewed because of a possible infection.
I did just this: I checked your logs, found them to be exceptionally clean, told you there was no sign of an infection in these logs, and suggested trying alternative scanners or posting a new question (in the appropriate Windows or Software zones) about the issue that made you assume an infection in the first place.
Your original question was answered fully, and needs to be closed in accordance with the Experts-Exchange terms of use, not deleted.
Yea, I was leery about it at first, but as a last resort it found the little bugger I was looking for....... Albeit it was slowwwwwww, but effective......
Haven't used it too much because of the speed issues, but I have it handy if need be. I do most of my malware/virus removals by hand, and let MBAM do a follow-up scan to pick up a few here-and-theres I miss.....
And I agree with the objection as well.....
I am restarting the auto-close procedure on behalf of the question asker. After Moderator review, the new disposition seems to be more appropriate to the outcome of this question.
- thermoduric -
EE Community Support Moderator
https://www.experts-exchange.com/questions/26745862/17-Jan-11-18-Automated-Request-for-Review-Objection-to-Delete-Q-26701264.html
Start>run>cmd
Paste the following lines.....