I tried running RogueKiller by Tigzy during safe mode and it is frozen on "scan", but it is not scanning.
I can go to safe mode but can't get anything to run from there. There are no icons on my desktop.
I got online through the only application/folder I have, Dell Maintenance, and Malwarebytes Anti-Malware is running and has already found 6 infections. Let's see...
I ran Malwarebytes and then RogueKiller and I have pasted their logs below. I tried to go to System Restore, but I have no applications or files listed under the dropdown menu when you hit Start. So, I can't see any of my files. Comcast just sent me an email saying my PC may have a bot.
1/29/2012 3:27:37 PM
mbam-log-2012-01-29 (16-05-06).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 283439
Time elapsed: 37 minute(s), 4 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|jLyiTUCQBK.exe (Trojan.FakeAlert) -> Data: C:\Documents and Settings\All Users\Application Data\jLyiTUCQBK.exe -> No action taken.
Registry Data Items Detected: 9
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.
Folders Detected: 0
(No malicious items detected)
Files Detected: 5
C:\Documents and Settings\All Users\Application Data\jLyiTUCQBK.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\All Users\Application Data\C9U3ZGZLBkSz2i.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Olen\Local Settings\Temp\fka0.9128312867719995.exe (Trojan.FakeMS) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\~!#3.tmp (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\~!#5.tmp (Spyware.Password) -> No action taken.
(end)
RogueKiller V4.0.0 by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-to...-Remontees.html
Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Owner [Admin rights]
Mode: Scan -- Time : 29/01/2012 16:11:14
Bad processes: 0
Registry Entries: 0
HOSTS File:
Finished
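Added example, not from the poster or from Malwarebytes: a small Python parser for the Malwarebytes log layout pasted above, which pulls out each detection's final action and the Bad/Good values on the PUM registry items, so that everything still marked "No action taken" (i.e. detected but never removed) and the policy values behind the hidden desktop icons and Start menu entries can be listed. The sample log and the symptom table are constructed for this example.

```python
import re
# Constructed sample in Malwarebytes Anti-Malware log layout (values made up).
SAMPLE_LOG = r"""Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|EXAMPLE.exe (Trojan.FakeAlert) -> Data: C:\ProgramData\EXAMPLE.exe -> No action taken.
Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Detected: 1
C:\Temp\sample.tmp (Spyware.Password) -> No action taken.
"""

SECTION_RE = re.compile(r"^(.+) Detected: (\d+)$")
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")
BADGOOD_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")
SYMPTOMS = {  # PUM.* policy values and the symptom each one produces (constructed table)
    "NoDesktop": "desktop icons and shortcuts hidden",
    "DisableTaskMgr": "Task Manager blocked",
    "Start_Show": "Start menu entries hidden",
}

def parse_mbam_log(text):
    """Return one dict per detection: section, item, threat, final action."""
    items, section = [], None
    for line in text.splitlines():
        line = line.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        det = DETECTION_RE.match(line)
        if not det or section is None:
            continue
        rest = det.group("rest")
        entry = {"section": section, "item": det.group("item"),
                 "threat": det.group("threat"),
                 "action": rest.rsplit(" -> ", 1)[-1].rstrip(".")}
        bg = BADGOOD_RE.search(rest)
        if bg:  # registry data items carry the current (bad) and expected value
            entry["bad"], entry["good"] = bg.group("bad"), bg.group("good")
        items.append(entry)
    return items

def unremediated(items):
    """Detections the scan logged but never removed: the box is still infected."""
    return [i for i in items if i["action"] == "No action taken"]

def symptom(item):
    """Map a PUM registry value name to the user-visible effect, or None."""
    name = item["item"].rsplit("|", 1)[-1]
    return next((s for p, s in SYMPTOMS.items() if name.startswith(p)), None)
```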
1-3-12 Please tell me what to do next to ensure that the virus is still not in my PC; also I need to know how to restore my files, applications, etc. I ran Avira's scanner last night and below is the log.
Avira AntiVir Personal
Report file date: Sunday, January 29, 2012 18:42
Scanning for 3323984 virus strains and unwanted programs.
The program is running as an unrestricted full version.
Online services are available:
Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : DIGITEK-K1W53MR
Version information:
BUILD.DAT : 10.2.0.704 35934 Bytes 9/28/2011 13:34:00
AVSCAN.EXE : 10.3.0.7 484008 Bytes 6/30/2011 10:19:36
AVSCAN.DLL : 10.0.5.0 47464 Bytes 6/30/2011 10:19:36
LUKE.DLL : 10.3.0.5 45416 Bytes 6/30/2011 10:19:37
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 07:40:49
AVSCPLR.DLL : 10.3.0.7 119656 Bytes 6/30/2011 10:19:37
AVREG.DLL : 10.3.0.9 88833 Bytes 7/14/2011 21:58:07
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 17:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 19:42:52
VBASE002.VDF : 7.11.19.170 14374912 Bytes 12/20/2011 00:00:13
VBASE003.VDF : 7.11.19.171 2048 Bytes 12/20/2011 00:00:13
VBASE004.VDF : 7.11.19.172 2048 Bytes 12/20/2011 00:00:14
VBASE005.VDF : 7.11.19.173 2048 Bytes 12/20/2011 00:00:14
VBASE006.VDF : 7.11.19.174 2048 Bytes 12/20/2011 00:00:14
VBASE007.VDF : 7.11.19.175 2048 Bytes 12/20/2011 00:00:14
VBASE008.VDF : 7.11.19.176 2048 Bytes 12/20/2011 00:00:14
VBASE009.VDF : 7.11.19.177 2048 Bytes 12/20/2011 00:00:15
VBASE010.VDF : 7.11.19.178 2048 Bytes 12/20/2011 00:00:15
VBASE011.VDF : 7.11.19.179 2048 Bytes 12/20/2011 00:00:15
VBASE012.VDF : 7.11.19.180 2048 Bytes 12/20/2011 00:00:15
VBASE013.VDF : 7.11.19.217 182784 Bytes 12/22/2011 03:14:20
VBASE014.VDF : 7.11.19.255 148480 Bytes 12/24/2011 03:14:07
VBASE015.VDF : 7.11.20.29 164352 Bytes 12/27/2011 21:01:09
VBASE016.VDF : 7.11.20.70 180224 Bytes 12/29/2011 22:15:52
VBASE017.VDF : 7.11.20.102 240640 Bytes 1/2/2012 02:36:38
VBASE018.VDF : 7.11.20.139 164864 Bytes 1/4/2012 02:36:36
VBASE019.VDF : 7.11.20.178 167424 Bytes 1/6/2012 02:36:40
VBASE020.VDF : 7.11.20.207 230400 Bytes 1/10/2012 02:36:43
VBASE021.VDF : 7.11.20.236 150528 Bytes 1/11/2012 02:36:41
VBASE022.VDF : 7.11.21.13 135168 Bytes 1/13/2012 11:21:56
VBASE023.VDF : 7.11.21.40 163840 Bytes 1/16/2012 03:55:58
VBASE024.VDF : 7.11.21.65 1001472 Bytes 1/17/2012 03:55:59
VBASE025.VDF : 7.11.21.98 487424 Bytes 1/19/2012 03:56:22
VBASE026.VDF : 7.11.21.156 1010688 Bytes 1/25/2012 23:52:27
VBASE027.VDF : 7.11.21.176 600576 Bytes 1/26/2012 23:52:26
VBASE028.VDF : 7.11.21.177 2048 Bytes 1/26/2012 23:52:26
VBASE029.VDF : 7.11.21.178 2048 Bytes 1/26/2012 23:52:26
VBASE030.VDF : 7.11.21.179 2048 Bytes 1/26/2012 23:52:26
VBASE031.VDF : 7.11.21.199 142848 Bytes 1/27/2012 16:00:18
Engineversion : 8.2.8.44
AEVDF.DLL : 8.1.2.2 106868 Bytes 10/25/2011 18:22:25
AESCRIPT.DLL : 8.1.4.2 434553 Bytes 1/26/2012 23:52:42
AESCN.DLL : 8.1.8.2 131444 Bytes 1/26/2012 23:52:41
AESBX.DLL : 8.2.4.5 434549 Bytes 12/2/2011 00:30:03
AERDL.DLL : 8.1.9.15 639348 Bytes 9/9/2011 22:50:17
AEPACK.DLL : 8.2.16.2 799095 Bytes 1/26/2012 23:52:40
AEOFFICE.DLL : 8.1.2.25 201084 Bytes 12/29/2011 22:16:12
AEHEUR.DLL : 8.1.3.23 4333943 Bytes 1/26/2012 23:52:37
AEHELP.DLL : 8.1.19.0 254327 Bytes 1/21/2012 19:43:50
AEGEN.DLL : 8.1.5.18 409973 Bytes 1/26/2012 23:52:30
AEEMU.DLL : 8.1.3.0 393589 Bytes 11/22/2010 22:09:17
AECORE.DLL : 8.1.25.3 201079 Bytes 1/26/2012 23:52:28
AEBB.DLL : 8.1.1.0 53618 Bytes 5/14/2010 20:53:30
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 20:03:38
AVPREF.DLL : 10.0.3.2 44904 Bytes 6/30/2011 10:19:36
AVREP.DLL : 10.0.0.10 174120 Bytes 5/17/2011 18:29:19
AVARKT.DLL : 10.0.26.1 255336 Bytes 6/30/2011 10:19:36
AVEVTLOG.DLL : 10.0.0.9 203112 Bytes 6/30/2011 10:19:36
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 20:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 23:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 22:41:00
RCIMAGE.DLL : 10.0.0.35 2589544 Bytes 6/30/2011 10:19:36
RCTEXT.DLL : 10.0.64.0 97640 Bytes 6/30/2011 10:19:36
Configuration settings for the scan:
Jobname.............................: avguard_async_scan
Configuration file..................: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVGUARD_de37fc49\guard_slideup.avp
Logging.............................: Default
Primary action......................: repair
Secondary action....................: quarantine
Scan master boot sector.............: on
Scan boot sector....................: off
Process scan........................: on
Scan registry.......................: off
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: Complete
Deviating risk categories...........: +PFS,
Start of the scan: Sunday, January 29, 2012 18:42
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'AgentSvr.exe' - '1' Module(s) have been scanned
Scan process 'OUTLOOK.EXE' - '1' Module(s) have been scanned
Scan process 'jucheck.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'devldr32.exe' - '1' Module(s) have been scanned
Scan process 'AdobeARM.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'AutoPrt.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'OpwareSE4.exe' - '1' Module(s) have been scanned
Scan process 'WkUFind.exe' - '1' Module(s) have been scanned
Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'avshadow.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
Starting the file scan:
Begin scan in 'C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\4IDRZRC7\main[1].htm'
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\4IDRZRC7\main[1].htm
[DETECTION] Contains recognition pattern of the HTML/ExpKit.Gen2 HTML script virus
[NOTE] The file was moved to the quarantine directory under the name '4df7a56f.qua'.
End of the scan: Sunday, January 29, 2012 18:42
Used time: 00:00 Minute(s)
The scan has been done completely.
0 Scanned directories
38 Files were scanned
1 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
37 Files not concerned
0 Archives were scanned
0 Warnings
1 Notes
Thank you for the advice. I booted off of the OTLPENet CD that I burned on another PC that is not infected, but it takes me right to my Windows desktop login, no Reatogo window. I went into my desktop just to be sure and there is no OTL icon there. What do I do next?
Edited by rrussell, 02 February 2012 - 08:25 PM.