Rootkit/Trojan Infection--Norton Logs May Tell More


  • Please log in to reply

#16 dolsson (Member, Topic Starter, 17 posts)
BitDefender reports no infection found. I am going to reboot and rerun ESET just to be sure nothing has repropagated.

#17 dolsson (Member, Topic Starter, 17 posts)
On reboot I got the autocheck error again. This time I snapped a pic with my phone. The message reads:

\SystemRoot\windows\System32\AutoChk.exe program not found - skipping AUTOCHECK

Then system finishes booting.

I thought I might Google this one but I don't want to act contrary to any instruction from you. I am going to rerun ESET before taking any other action.

D

Edited by dolsson, 30 October 2011 - 06:40 PM.


#18 dolsson (Member, Topic Starter, 17 posts)
An old MajorGeeks thread offers a registry patch to resolve the autocheck issue:

http://forums.majorg...ad.php?t=146035

The only other solution I've seen is a Windows repair install--not something I'd like to do. Do you have a suggestion?

My second ESET scan is now about half done. I set it to scan archives and look for unsafe applications so it's taking a bit longer.

Edited by dolsson, 30 October 2011 - 07:51 PM.


#19 dolsson (Member, Topic Starter, 17 posts)
Okay, the only thing ESET found this time was:

C:\Documents and Settings\David Olsson\My Documents\Downloads\cdbxp_setup_4.3.7.2356.exe Win32/OpenCandy application deleted - quarantined

So now I am done, I think, apart from trying to solve that autocheck problem. Would you recommend the registry patch referenced in the previous post?

D

#20 RKinner (Malware Expert, MVP, 24,625 posts)
We need to clean up System Restore. Follow Jim's procedure here:
http://aumha.net/vie...581099691bf108f

I'm not sure why we are getting the autochk error. It's normally something that isn't there. We usually see something like this in a good log:

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

In your case we had this really strange thing:

O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (a)
O34 - HKLM BootExecute: (u)
O34 - HKLM BootExecute: (t)
O34 - HKLM BootExecute: (o)
O34 - HKLM BootExecute: (c)
O34 - HKLM BootExecute: (h)
O34 - HKLM BootExecute: (k)
O34 - HKLM BootExecute: (*)

Which combofix said looked like this in the registry:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0a\0u\0t\0o\0c\0h\0k\0 \0*

Follow the instructions here: http://ask-leo.com/h...y_start_up.html

and make it look just like

autocheck autochk *

OK.

Reboot. IF that doesn't help then look in

[HKEY_Current_User\system\currentcontrolset\control\session manager]

and if it exists do the same thing.

If that helps then I think we are done.

You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

OTL has a cleanup tab so if you run it again and select cleanup it will remove itself and its backup files.

To hide hidden files again (If you do not run OTL cleanup):

XP

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Uncheck the checkbox labeled Display the contents of system folders.
6. Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
7. Check the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and shutdown My Computer.

You probably do not have the latest Java (Java™ 6 Update 27 or 7 update 0). Get the latest at:
http://www.java.com/en/

Save it to your PC then close all browsers and install it. Note on Java and Firefox. For some reason Java does not remove old consoles from Firefox. Any time you update Java you should go to Firefox, Add-ons, Extensions and disable any old Java Consoles.

They will look like: Java Console 6.xx. The xx corresponds to the update number. When they switch to 7 update 0 then it will be Java Console 7.

Multiple Java Consoles will slow down the Firefox boot. After any change to Firefox or its extension you should run Speedyfox. (Mentioned later.)



Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. You can right click on the updatechecker icon (looks like a downward green arrowhead) and select Settings and tell it no betas. If you don't use MSN Messenger I would not update it. MS installs a bunch of stuff when you do. You can tell the program to not show you that update.)
If you use Firefox or Chrome then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: http://simple-adblock.com/

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . Click on Speedup my Firefox. When it finishes click on Exit.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certainly be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.

Ron

#21 dolsson (Member, Topic Starter, 17 posts)
Okay, I set new restore point and deleted old ones. Then I backed up the registry and went to change the autocheck setting. But this branch of the registry does not exist:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute.

I scanned the registry for both "bootexecute" and "autocheck" but neither gave me any useful result.

I have attached a pic of the session manager branch of the directory so you can see for yourself.

D

PS: Also no luck in the HKEY_CURRENTUSER branch.

Attached: reg_pic_LR.jpg

Edited by dolsson, 31 October 2011 - 10:30 AM.


#22 RKinner (Malware Expert, MVP, 24,625 posts)
I've attached a file called be.txt. Download and Save it then right click on it and rename it to be.reg. Then OK and double click on it and allow it to merge.

If it works it should create the BootExecute value and it should read autocheck autochk *

Ron
  • 0
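The BootExecute value discussed in posts #20 and #22 is a REG_MULTI_SZ: a list of NUL-terminated strings, which is why ComboFix displayed it with "\0" between the pieces and why the OTL log showed one O34 line per piece. The following is an added example, not part of the thread and not the be.reg file RKinner attached: it decodes and encodes REG_MULTI_SZ data, audits a BootExecute list for the single-character fragments seen in this log, and builds regedit-format text that recreates the stock value under the Session Manager key named in the thread. The sample entries are constructed from the ComboFix line quoted in post #20; the function names, the 25-bytes-per-line wrapping, and the assumption that a restoring .reg file would set exactly "autocheck autochk *" are the example's own.

```python
# Added example (not from the thread): REG_MULTI_SZ handling for the
# BootExecute value, an audit for the fragmented form ComboFix reported,
# and .reg text that recreates the stock value. All sample data is constructed.

SESSION_MANAGER_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
EXPECTED_BOOTEXECUTE = ["autocheck autochk *"]

# Constructed from the ComboFix line in post #20; "\0" marks each string boundary.
COMBOFIX_LINE = r"autocheck autochk *\0a\0u\0t\0o\0c\0h\0k\0 \0*"


def from_combofix_line(line):
    """Split ComboFix's display form (a literal backslash-zero between strings) into entries."""
    return line.split("\\0")


def encode_multi_sz(strings):
    """REG_MULTI_SZ on disk: UTF-16LE, each string NUL-terminated, then one more NUL."""
    return "".join(s + "\0" for s in strings).encode("utf-16-le") + b"\0\0"


def decode_multi_sz(raw):
    """Inverse of encode_multi_sz; tolerates a missing final terminator."""
    parts = raw.decode("utf-16-le").split("\0")
    while parts and parts[-1] == "":
        parts.pop()
    return parts


def audit_bootexecute(entries):
    """Return human-readable findings; an empty list means the value is the stock one."""
    findings = []
    if EXPECTED_BOOTEXECUTE[0] not in entries:
        findings.append("stock entry 'autocheck autochk *' is missing")
    for entry in entries:
        if len(entry.strip()) <= 1:
            # One letter per string: not a valid boot-time program, matches the log above.
            findings.append(f"single-character fragment {entry!r} is not a valid boot-time program entry")
        elif entry not in EXPECTED_BOOTEXECUTE:
            findings.append(f"unexpected boot-time program {entry!r}")
    return findings


def reg_file_text(key_path, value_name, strings, per_line=25):
    """Build Registry Editor 5.00 text that sets value_name to a REG_MULTI_SZ (hex(7)) value.

    Long hex data is wrapped the way regedit exports it: a trailing backslash
    and two leading spaces on the continuation line.
    """
    hexbytes = [f"{b:02x}" for b in encode_multi_sz(strings)]
    rows = [",".join(hexbytes[i:i + per_line]) for i in range(0, len(hexbytes), per_line)]
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            f"[{key_path}]\r\n"
            f'"{value_name}"=hex(7):' + ",\\\r\n  ".join(rows) + "\r\n")


if __name__ == "__main__":
    stock = decode_multi_sz(encode_multi_sz(EXPECTED_BOOTEXECUTE))
    print("stock value:", stock, "findings:", audit_bootexecute(stock))
    for finding in audit_bootexecute(from_combofix_line(COMBOFIX_LINE)):
        print("finding:", finding)
    print(reg_file_text(SESSION_MANAGER_KEY, "BootExecute", EXPECTED_BOOTEXECUTE))
```

On a live machine the bytes for decode_multi_sz would come from reading the value with the registry API; the audit deliberately treats any entry other than the stock one as a finding, because a changed BootExecute runs a program before the rest of the system starts and is worth a second look in any log.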

#23 dolsson (Member, Topic Starter, 17 posts)
Bingo! I think that's it. I have uninstalled most of the programs we used and will be making a final restore point, then creating a new Acronis disk image.

Do you think I need to uninstall malwarebytes; will it conflict with the Norton Security Suite?

Apart from that, I'll review your final instructions and act accordingly.

Ron, thank you so much for your help. You and your colleagues are angels of the Internet. :)

Best wishes,
D

#24 RKinner (Malware Expert, MVP, 24,625 posts)
You can leave MBAM. Unless you pay for it it will not update on its own but you can run it once in a while and let it update before it scans.

This is my standard goodbye speech. If you run the OTL Cleanup it will probably also remove MBAM. If you don't run it then delete the folder C:\_OTL to get rid of any files we had it remove. You will probably need to Hide the hidden files again but that's in the instructions.

You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

OTL has a cleanup tab so if you run it again and select cleanup it will remove itself and its backup files.

To hide hidden files again (If you do not run OTL cleanup):

XP

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Uncheck the checkbox labeled Display the contents of system folders.
6. Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
7. Check the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and shutdown My Computer.

You probably do not have the latest Java (Java™ 6 Update 27 or 7 update 0). Get the latest at:
http://www.java.com/en/

Save it to your PC then close all browsers and install it. Note on Java and Firefox. For some reason Java does not remove old consoles from Firefox. Any time you update Java you should go to Firefox, Add-ons, Extensions and disable any old Java Consoles.

They will look like: Java Console 6.xx. The xx corresponds to the update number. When they switch to 7 update 0 then it will be Java Console 7.

Multiple Java Consoles will slow down the Firefox boot. After any change to Firefox or its extension you should run Speedyfox. (Mentioned later.)



Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. You can right click on the updatechecker icon (looks like a downward green arrowhead) and select Settings and tell it no betas. If you don't use MSN Messenger I would not update it. MS installs a bunch of stuff when you do. You can tell the program to not show you that update.)
If you use Firefox or Chrome then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: http://simple-adblock.com/

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . Click on Speedup my Firefox. When it finishes click on Exit.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certainly be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.

Ron

#25 dolsson (Member, Topic Starter, 17 posts)
Thanks again, Ron, I will consider this thread closed.