probably infected - HijackThis Log

Hello,
I noticed yesterday that Firefox was running without my privilege.

I did some scanning:
HijackThis: http://pastebin.com/6pLBkZSj
Avira: http://pastebin.com/RaLEGVXQ
Malwarebytes' Anti-Malware: http://pastebin.com/rj1J6U6y
Thank you.
RootxAsked:
torimarCommented:
You may have noticed yourself: These logs are clean, very clean indeed.

If you still want to double-check, you may additionally try:

Hitman Pro: http://www.surfright.nl/en
Combofix: http://www.bleepingcomputer.com/download/anti-virus/combofix
(Please read the instructions carefully: http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

But I'd venture to say that your "probably infected" system is probably not infected.

If the issue troubles you, turn to the Firefox and the respective Windows zones here on EE and ask for explanations of what has happened. And please elaborate, because "running without my privilege" is not easily understood.
johnb6767Commented:
paste the output of the following please.....

Start>run>cmd

Paste the following lines.....


reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit>reg.txt
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v shell>>reg.txt
notepad reg.txt
echo

johnb6767Commented:
Do these instead.....

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v proxyenable
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit>reg.txt
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v shell>>reg.txt
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v proxyenable>>reg.txt
notepad reg.txt
echo
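
An added example, not part of johnb6767's comment or of anything else in this thread: a PowerShell script that reads the same three values his reg query commands dump into reg.txt, compares them with their Windows defaults, and then lists any proxy values in the same key, so a hijacked Userinit/Shell or a silently enabled proxy is flagged instead of eyeballed. It assumes Windows 7 or later with PowerShell 2.0 or later, run as the user whose browser misbehaves (the Internet Settings key is per user); the default values it compares against are the standard ones and are marked in the comments.

```powershell
# Added example, not from the thread: compare the three registry values
# johnb6767 asks for against their Windows defaults, then list proxy settings.
# Assumptions: Windows 7 or later, PowerShell 2.0+, run as the affected user
# (HKCU is per user); no elevation is needed to read these keys.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$inet     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Default Userinit is "<windir>\system32\userinit.exe," and the trailing comma
# is normal. A second path appended after the comma, or a Shell other than
# explorer.exe, gets executed at every interactive logon.
$expected = @(
    @{ Path = $winlogon; Name = 'Userinit';    Value = "$env:windir\system32\userinit.exe," }
    @{ Path = $winlogon; Name = 'Shell';       Value = 'explorer.exe' }
    @{ Path = $inet;     Name = 'ProxyEnable'; Value = 0 }
)

# Returns the value or $null when the key or value does not exist.
function Get-RegValue([string]$path, [string]$name) {
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$name
}

$findings = @()
foreach ($e in $expected) {
    $actual = Get-RegValue $e.Path $e.Name
    if ($null -eq $actual) {
        $findings += "MISSING  $($e.Name)"
    } elseif ("$actual".Trim() -eq "$($e.Value)") {   # -eq is case-insensitive
        Write-Output "OK       $($e.Name) = $actual"
    } else {
        $findings += "CHANGED  $($e.Name) = $actual   (default: $($e.Value))"
    }
}

# A proxy is the usual way a browser gets redirected with no visible malware:
# ProxyEnable=1 plus a ProxyServer, or a PAC script in AutoConfigURL.
foreach ($name in 'ProxyServer', 'AutoConfigURL') {
    $v = Get-RegValue $inet $name
    if ($v) { $findings += "SET      $name = $v" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No deviations from defaults.'
} else {
    Write-Output '--- review these ---'
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it in a normal (non-elevated) PowerShell window as the user whose Firefox misbehaves; an elevated session under a different account would show that account's proxy settings instead. Firefox's default is to follow the system proxy settings, but a proxy can also be set in Firefox's own preferences, which this script does not see.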

RootxAuthor Commented:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    shell    REG_SZ    explorer.exe


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    proxyenable    REG_DWORD    0x0

the output
johnb6767Commented:
I'd follow up with TDSSKiller.....

How to remove malware belonging to the family Rootkit.Win32.TDSS ...
http://support.kaspersky.com/viruses/solutions?qid=208280684

More importantly, Dr. Web Cureit. There is a TDSS variant that TDSSKiller.exe will not even detect, that spawns NON visible browser windows......

Dr. Web Cureit
http://www.freedrweb.com/cureit/?lng=en

MalwareBytes - Good for regular cleanup scans....
http://www.malwarebytes.org

torimarCommented:
johnb6767,

the asker already used Malwarebytes and posted a scan log in his opening post.
This log, as well as the HJT log, is clean, as I noted in my comment.

TDSSKiller is a good suggestion, as is Combofix which I recommended.

However, in my view there is little to no proof that we are indeed dealing with a malware infection. The information given is too scarce, and the scan logs are extraordinarily clean.
RootxAuthor Commented:
Well, I'm in HUGE trouble now. I tried TDSSKiller and got this:
2011/01/11 16:06:31.0043	================================================================================
2011/01/11 16:06:31.0043	Scan finished
2011/01/11 16:06:31.0043	================================================================================
2011/01/11 16:06:31.0050	Detected object count: 3
2011/01/11 16:07:11.0106	HKLM\SYSTEM\ControlSet001\services\AeFilter - will be deleted after reboot
2011/01/11 16:07:11.0113	HKLM\SYSTEM\ControlSet002\services\AeFilter - will be deleted after reboot
2011/01/11 16:07:11.0123	C:\Windows\system32\DRIVERS\AeFilter.sys - will be deleted after reboot
2011/01/11 16:07:11.0123	Locked service(AeFilter) - User select action: Delete 
2011/01/11 16:07:11.0126	HKLM\SYSTEM\ControlSet001\services\AeKbd6 - will be deleted after reboot
2011/01/11 16:07:11.0126	HKLM\SYSTEM\ControlSet002\services\AeKbd6 - will be deleted after reboot
2011/01/11 16:07:11.0128	C:\Windows\system32\DRIVERS\AeKbd.sys - will be deleted after reboot
2011/01/11 16:07:11.0128	Locked service(AeKbd6) - User select action: Delete 
2011/01/11 16:07:11.0130	HKLM\SYSTEM\ControlSet001\services\AeMouse6 - will be deleted after reboot
2011/01/11 16:07:11.0131	HKLM\SYSTEM\ControlSet002\services\AeMouse6 - will be deleted after reboot
2011/01/11 16:07:11.0133	C:\Windows\system32\DRIVERS\AeMouse.sys - will be deleted after reboot
2011/01/11 16:07:11.0133	Locked service(AeMouse6) - User select action: Delete 
2011/01/11 16:07:29.0755	Deinitialize success


AeFilter is Faronics Anti-Executable. I chose to remove them, then I rebooted and my mouse and the keyboard stopped working. Tried safe mode, etc., the same.
Windows loads fine. Windows 7 Ultimate 64-bit.
Any help guys :(
RootxAuthor Commented:
Notice: AE wasn't fully working, it wasn't showing in Task Manager or the icon.
Now I'm using a live CD Ubuntu Linux, so I can remove anything.
torimarCommented:
Security software and cleaners can do just as much harm to a system as malware can, if not more. They have to be operated with extreme care. If you knew that those files belong to an application you had installed, and a system critical one too, I don't understand why you chose to have them removed.

Try the System Restore feature from the Win7 installation DVD as described here in "METHOD TWO": http://www.sevenforums.com/tutorials/700-system-restore.html
This should restore the registry keys and system files; however, I do not know whether "system file" applies to third-party software as well. So Aefilter.sys and Aekbd.sys may still be missing after the restore, hence continuing to render your input hardware inoperable.
In that case, easiest might be to get those two files from another machine with this software installed and copy them manually to C:\Windows\system32\DRIVERS\. You may also find them in a backup.

I advise to not use the Ubuntu live CD for this. Since Ubuntu uses file permissions, but does not have a root user, there is a slight chance you could run into permission issues with the copied files. Instead, use this specialized Linux live CD: www.partedmagic.com
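
An added example, not part of this thread or of any tool mentioned in it, that does the check torimar is describing before the fact and the diagnosis after it: for each "locked" service a scanner offers to delete, show where its driver lives, how it starts, who signed it and what the file's version resource says about the publisher; then walk the keyboard and mouse device classes' filter lists and flag any filter driver whose service key or .sys file is gone, which is the condition that leaves a device class unable to start. It assumes Windows 7 or later with PowerShell 2.0 or later run elevated; the three service names are taken from the TDSSKiller log above, and the two GUIDs are the standard Windows device setup classes for keyboards and mice.

```powershell
# Added example, not from the thread: identify "locked" driver services before a
# scanner deletes them, then check the keyboard/mouse class filter lists, which
# is where a deleted filter driver takes the input devices down with it.
# Assumptions: Windows 7 or later, elevated PowerShell 2.0+; the service names
# are the three from the TDSSKiller log; the GUIDs are the standard Windows
# device setup classes for keyboards and mice.

$services = 'AeFilter', 'AeKbd6', 'AeMouse6'
$classes  = @{
    Keyboard = '{4D36E96B-E325-11CE-BFC1-08002BE10318}'
    Mouse    = '{4D36E96F-E325-11CE-BFC1-08002BE10318}'
}
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

# Kernel driver ImagePath values come as system32\DRIVERS\x.sys, \SystemRoot\...,
# \??\C:\... or %SystemRoot%\...; turn them into an ordinary file path.
function Resolve-DriverImage([string]$imagePath) {
    if (-not $imagePath) { return '' }
    $p = [Environment]::ExpandEnvironmentVariables($imagePath)
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:windir\"
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:windir $p }
    return $p
}

# For one service: where its driver lives, how it starts, who signed it and
# what the file's version resource says about its publisher.
function Show-DriverService([string]$svc) {
    $props = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -ErrorAction SilentlyContinue
    if ($null -eq $props) { Write-Output "$svc : no service key"; return }

    $image = Resolve-DriverImage ([string]$props.ImagePath)
    $start = $startNames[[int]$props.Start]
    if (-not $image -or -not (Test-Path -LiteralPath $image)) {
        Write-Output "$svc : Start=$start  ImagePath='$($props.ImagePath)'  <- driver file MISSING on disk"
        return
    }
    # Get-AuthenticodeSignature only sees embedded signatures; catalog-signed
    # drivers show NotSigned here, so read the version resource as well.
    $sig    = Get-AuthenticodeSignature -FilePath $image
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none embedded)' }
    $info   = (Get-Item -LiteralPath $image).VersionInfo
    Write-Output "$svc : Start=$start  $image"
    Write-Output "    Signature=$($sig.Status)  Signer=$signer"
    Write-Output "    Company=$($info.CompanyName)  Product=$($info.ProductName)  Desc=$($info.FileDescription)"
}

# A driver named in a class's UpperFilters/LowerFilters that no longer exists
# (service key or .sys gone) prevents every device in that class from starting,
# in Safe Mode too, because PnP cannot build the device stack without it.
function Show-ClassFilters([string]$label, [string]$guid) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\$guid"
    foreach ($valueName in 'UpperFilters', 'LowerFilters') {
        $filters = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
        foreach ($f in @($filters)) {
            if (-not $f) { continue }
            $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$f"
            if (-not (Test-Path $svcKey)) {
                Write-Output "$label $valueName : $f -> BROKEN (service key missing)"
                continue
            }
            $image = Resolve-DriverImage ([string](Get-ItemProperty -Path $svcKey).ImagePath)
            if ($image -and (Test-Path -LiteralPath $image)) {
                Write-Output "$label $valueName : $f -> ok ($image)"
            } else {
                Write-Output "$label $valueName : $f -> BROKEN (driver file missing: '$image')"
            }
        }
    }
}

foreach ($s in $services) { Show-DriverService $s }
foreach ($c in $classes.GetEnumerator()) { Show-ClassFilters $c.Key $c.Value }
```

Two caveats. First, this reads the live registry and file system through Windows itself, so it tells you what a legitimately installed product looks like (publisher, product name, signer) but cannot see keys or files a real rootkit hides from the running OS; that is why rootkit scanners read them by other means, and why a scanner's verdict and this script's output should be weighed together rather than one replacing the other. Second, the class filter part is the check for the outcome in this thread: if it reports a BROKEN entry in the Keyboard or Mouse class after the deletion, the fix is to restore that driver file and service key (or, for a product you no longer want, to remove its name from the UpperFilters/LowerFilters value), not to reinstall Windows.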
RootxAuthor Commented:
I tried System Restore; also I couldn't find Aefilter.sys and Aekbd.sys :(
torimarCommented:
>> "i coudn't find Aefilter.sys and Aekbd.sys"

Well, you will most likely not be able to find those files on the machine in question, unless you made some system backups - as is always advisable.
That's why I suggested to install the Faronics program on another computer, then get the files from there.

Please note that the problem we are now speaking about has got nothing to do with the issue addressed in the original topic of this thread; it therefore should be dealt with in a separate question.
johnb6767Commented:
"the asker already used Malwarebyte's and posted a scan log in his opening post.
This log, as well as the HJT log, is clean, as I noted in my comment."

Yeah, I know, I deleted the wrong one from my KB entry... Thanks....

"However, in my view there is little to no proof that we are indeed dealing with a malware infection. The information given is too scarce, and the scan logs are extraordinarily clean. "

That's the reason I had suggested Dr Web CureIt, as it detects some of the TDSS variants that do this exact behaviour, that TDSSKiller doesn't detect.....
torimarCommented:
johnb6767,

I read your remark about Dr Web Cureit with much interest. I always thought this was a somewhat underrated scanner, so it's good to know how to put it to some use.
torimarCommented:
Rootx,

I must object against the proposed deletion of this thread.

Quote: "well , it wont help anyone , it will just make more problems" -
this is absolutely no acceptable reason for having a question deleted that was actually answered.

Please check your OP again: We are here in the "HijackThis" zone, you posted some scan logs and wanted them reviewed because of a possible infection.
I did just this: I checked your logs, found them to be exceptionally clean, told you there was no sign of an infection in these logs, suggested to try alternative scanners or to post a new question (in the appropriate Windows or Software zones) about the issue that made you assume an infection in the first place.

Your original question was answered fully, and needs to be closed in accordance with the Experts-Exchange terms of use, not deleted.
johnb6767Commented:
Yeah, I was leery about it at first, but as a last resort it found the little bugger I was looking for....... Albeit it was slowwwwwww, but effective......

Haven't used it too much because of the speed issues, but I have it handy if need be. I do most of my malware/virus removals by hand, and let MBAM do a followup scan to pick up a few here and theres I miss.....

And I agree with the Objection as well.....
thermoduricModeratorCommented:
I am restarting the auto-close procedure on behalf of the question asker. After Moderator review, the new disposition seems to be more appropriate to the outcome of this question.

- thermoduric -
EE Community Support Moderator
http://www.experts-exchange.com/Q_26745862.html
