Jump to content


  • Content Count

  • Joined

  • Last visited

About Brooke

  • Rank
    Lunar Novice

Personal Information

  • Country
    Nothing Selected
  • OS
    None specified
  1. Uh, duh...Thanks. I'll check HJT for leads on dealing with the red items and try to digest the others as well. Obviously you've considered adding boilerplate recommendations for these things but decided against including them. A little later.......Reading returns from googling your log analysis implies all items (red and blue) should be removed with HJT. Please confirm and thanks, again.
  2. Thanks, no, no new issues. Those odd files are still in root C: two exes: rhlj and lcfdx, and another -858939365, no extension. The file modified dates are identical and right about when I became infected. Direct virus and spyware scans of them show nothing. Unless you advise otherwise I will delete. I was hoping you would look at the jht log file below if you did not look at the one above. But I really don't know what that entails and it is long and I am having no known issues. Logfile of HijackThis v1.99.1 Scan saved at 5:51:48 PM, on 2/12/2007 Platform: Windows XP SP2 (WinNT 5
  3. I did the rustbfix since I saw it at TC for a similar (to the ignorant) huy32 issue. Current pelog.txt: ************************* Rustock.b-fix -- By ejvindh ************************* Wed 02/07/2007 15:27:09.43 ******************* Pre-run Status of system ******************* Rootkit driver huy32 is found. Starting the unload-procedure.... Rustock.b-ADS attached to the System32-folder: :huy32.sys 70570 Total size: 70570 bytes. Attempting to remove ADS... system32: deleted 70570 bytes in 1 streams. Looking for Rustock.b-files in the Syste
  4. Will do. Gmer finished the second time. Log: GMER - [url="http://www.gmer.net"]http://www.gmer.net[/url] Rootkit scan 2007-02-07 13:43:36 Windows 5.1.2600 Service Pack 2 ---- System - GMER 1.0.12 ---- SSDT \??\C:\Programs - added\AVG AntiSpyware 7.5\guard.sys ZwOpenProcess SSDT \??\C:\Programs - added\AVG AntiSpyware 7.5\guard.sys ZwTerminateProcess INT 0x06 \??\C:\WINDOWS\System32\drivers\Haspnt.sys A944416D INT 0x0E \??\C:\WINDOWS\System32\drivers\Haspnt.sys
  5. RootkitRevealer hung twice on cleanup, or appeared to. Second run got further and exited OK. Allowed a log save, as follows: HKU\S-1-5-21-4275444482-3655707654-1986034232-1005\RemoteAccess\InternetProfile 8/2/2004 1:16 PM 21 bytes Data mismatch between Windows API and raw hive data. HKLM\SECURITY\Policy\Secrets\SAC* 9/3/2002 5:55 PM 0 bytes Key name contains embedded nulls (*) HKLM\SECURITY\Policy\Secrets\SAI* 9/3/2002 5:55 PM 0 bytes Key name contains embedded nulls (*) HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 2/7/2007 10:26 AM 80 bytes Data mismatch between Windows API and raw
  6. OK, Back to where I was, fairly clean...still wondering about those c:\ files. They remain. Re-deleted offender ctpmon at boot and ran smitfraudfix search and then clean at safe boot. It sems to have edited the hosts file as you advised, so that is done. RougeRemover Pro has been updated and a scan done, both automatically and manually: it says the system is immunized. Looking for a rootkit scanner as per smitfraudfix advice: "huy32 detected, use a Rootkit scanner." Thoughts on that one? Searches turn up "gmer." http://www.gmer.net/index.php
  7. Well...I may have re-opened some door. My malady has returned. I remembered running smitfraudfix and it having said it found nothing, but I went to root c: to see if I could find its report (rapport.txt). It was not there but two unknown exe files were: rhlj and lcfdx, and another -858939365, no extension.. In the process of searching for info on them I may have dbl clicked one. The file modified dates are identical and right about when I became infected. I'll try to get back to where I was moments ago......
  8. My prescription: 1. run smitfraudfix. 2. replace hosts file as below. 3. reimmunize with RogueRemover. 4. edit hosts file, changing all entries to except for the localhost entry. Meanwhile, thanks very much, Tarun. I won't gush about the lump in my gut, still present, which this issue has given me, and from which you have at some future point I hope, set me free.
  9. It's possible the file was hidden or certain search parameters were not able to find it as they may not have been selected. You found it though. I only mentioned that because I have probs with Windows search. There were no params listed, just find the file.ext on C: looking everywhere. Sometimes I do a search for files modified in some time period up to present, then do some work and do the search again assuming it would return previously listed files plus newly modified ones but it says no files found.. just a wee bit off-topic. Was Unlocker able to delete it? Unlocker nailed i
  10. DONE - uninstall AVG Free Anti-Virus. YES - you've run all of the scans in the Anti-Malware package? This file could be a source of problems. O4 - HKCU\..\Run: [ctpmon] ctpmon.exe Though Windows search failed to find it (why often so unreliable?), it was there, in: C:\WINDOWS\SYSTEM32 Do a search for ctpmon and once found you should delete it. If you are unable to delete it; you should use a program like Unlocker or FileASSASSIN. Fileassassin failed to delete it. (In fact I've got 2 of the icons (white X on red shield) now in my sys tray.) Unlocker found no locking handle. You sh
  11. Tarun, Since I followed your procedures rather than those prescribed at Malwarebytes, I'm posting here. My thread there is http://www.malwarebytes.org/forums/index.p...&#entry2172. (Would you prefer these logfiles as attachments?) Logfile of HijackThis v1.99.1 Scan saved at 8:52:01 AM, on 2/6/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDO
  • Create New...