Sysinternals Forums > Windows Discussions > Malware

Deleting the undeletable and more

lucass (Newbie, joined 07 December 2006, Italy, 11 posts)
Posted: 27 April 2007 at 6:53am
You're very welcome :)

Enjoy your stay in Italy ;)

Ciao
peral00 (Newbie, joined 23 April 2007, Italy, 14 posts)
Posted: 27 April 2007 at 6:09am
Will do Lucass!
I can't thank you enough for all of the time you've spent on my case and all of the help you've provided.
Thank you from the bottom of my heart!
Peral00
lucass (Newbie, joined 07 December 2006, Italy, 11 posts)
Posted: 27 April 2007 at 5:33am
Hi, the log is clean.
You also need to update the Java console, which reduces the risk of exploits.
Go to Control Panel,
double-click Add/Remove Programs and uninstall this program: jre1.5.0_06

Download the latest version from here:
jre-6u1-windows-i586-p.exe
and save it to your desktop.
Double-click on jre-6-windows-i586.exe to install the newest version

VERY IMPORTANT
I strongly suggest you install a free firewall, which is a basic tool to block intrusions and attacks on your system.
ZoneAlarm, Kerio, Comodo are good free firewalls

Upgrade your operating system (Start > Windows Update)

Also update Internet Explorer to the newest version or use an alternative browser
(Firefox, Opera etc.)


Best Regards
peral00 (Newbie, joined 23 April 2007, Italy, 14 posts)
Posted: 27 April 2007 at 2:39am

Good morning,

Ahhhh, I forgot to mention that I had found and deleted a user profile several days ago. The reason I found it was that when I was looking around RK Unhooker I found the tool Virtual Machine Detector, ran it, and the result was:
"Intel HT processor detected, results can be comprimised"

Don't know if the Total count of tacts = 96 actually meant something significant, but it prompted me to look at the user profiles and I found the other profile.

Ok, I've deleted the account and run Avenger successfully (according to the log). The new Systemscan log (I'm glad you know what you are looking for in all of that) is posted at

I'm off to my real job...
lucass (Newbie, joined 07 December 2006, Italy, 11 posts)
Posted: 26 April 2007 at 7:13pm
Hi :)
Click start>run and type control userpasswords2 in the box > Ok
select this account RqAFFFqekRXZBdBv
Click on the delete button
Close the windows

Download Avenger from here:
http://swandog46.geekstogo.com/avenger.zip
Unzip it to your desktop.

Run Avenger
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste the following red text


Files to delete:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\UNHFTE.exe

Drivers to unload:
WinDms
UNHFTE


Then click on 'Done'.
Click on the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your pc.

Please post a new Systemscan log

Thanks

Good night ;)

PS: The RootkitRevealer log is clean

Edited by lucass - 26 April 2007 at 7:17pm
peral00 (Newbie, joined 23 April 2007, Italy, 14 posts)
Posted: 26 April 2007 at 6:41pm
Ok, I've run HJT, deleted the two entries, shut down, and run the Systemscan - after some difficulty, not sure exactly what the cause was. The file wasn't downloading no matter what I did. I ended up running the linkoptimizer remover again, thinking that there might be some remnant of the rootkit blocking access (I've very recently become much more paranoid about odd computer behavior). Nothing was found BUT, afterwards I was able to access the file.

FYI my latest RK Revealer log shows some new items that I'm not sure about.
In particular the last four items.

HKU\.DEFAULT\Control Panel\International 4/23/2007 9:52 AM 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 4/23/2007 9:52 AM 0 bytes Security mismatch.
HKU\S-1-5-21-1206928866-1551805330-3878935549-1006\Control Panel\International 4/23/2007 9:52 AM 0 bytes Security mismatch.
HKU\S-1-5-21-1206928866-1551805330-3878935549-1006\Control Panel\International\Geo 4/23/2007 9:52 AM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International 4/23/2007 9:52 AM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 4/23/2007 9:52 AM 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 8/11/2004 3:23 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 8/11/2004 3:23 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\cfexefile\DefaultIcon 4/23/2007 9:44 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\cfexefile\shell 4/23/2007 9:44 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\cfexefile\shell\open 4/23/2007 9:44 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\cfexefile\shell\open\command 4/23/2007 9:44 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\cfexefile\shell\runas 4/23/2007 9:44 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\cfexefile\shell\runas\command 4/23/2007 9:44 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\cfexefile\shellex 4/23/2007 9:44 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\cfexefile\shellex\DropHandler 4/23/2007 9:44 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\cfexefile\shellex\PropertySheetHandlers 4/23/2007 9:44 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\cfexefile\shellex\PropertySheetHandlers\PifProps 4/23/2007 9:44 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\cfexefile\shellex\PropertySheetHandlers\ShimLayer Property Page 4/23/2007 9:44 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\webcal\URL Protocol 8/4/2006 1:48 PM 13 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed 4/26/2007 10:21 AM 4 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\JT\Local Settings\Temp\jusched.log 4/26/2007 10:27 AM 201 bytes Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 4/26/2007 10:17 AM 64.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\temp\MpCmdRun.log 4/26/2007 10:37 AM 882 bytes Hidden from Windows API.
 
Cheers
Peral00

Edited by peral00 - 26 April 2007 at 6:42pm
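As an added example (not code from the thread or from Sysinternals), this Python script parses RootkitRevealer report lines like the ones quoted in the post above and ranks each discrepancy for follow-up. The discrepancy categories are the ones RootkitRevealer itself reports; the severity labels, the "Temp log written during the scan" heuristic and the final placeholder path are this example's own assumptions.

```python
import re
from collections import namedtuple

# Constructed sample modelled on the RootkitRevealer lines quoted in the post above;
# the last line is an invented placeholder path used to exercise the "high" branch.
SAMPLE_LOG = """\
HKU\\S-1-5-18\\Control Panel\\International\\Geo 4/23/2007 9:52 AM 0 bytes Security mismatch.
HKLM\\SECURITY\\Policy\\Secrets\\SAC* 8/11/2004 3:23 AM 0 bytes Key name contains embedded nulls (*)
C:\\Documents and Settings\\JT\\Local Settings\\Temp\\jusched.log 4/26/2007 10:27 AM 201 bytes Hidden from Windows API.
C:\\WINDOWS\\SoftwareDistribution\\DataStore\\Logs\\tmp.edb 4/26/2007 10:17 AM 64.00 KB Visible in Windows API, but not in MFT or directory index.
C:\\WINDOWS\\system32\\drivers\\CONSTRUCTED_PLACEHOLDER.sys 4/26/2007 9:00 AM 12.50 KB Hidden from Windows API.
"""

# Paths may contain spaces, so the split is anchored on the M/D/YYYY H:MM AM/PM timestamp.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2} [AP]M) "
    r"(?P<size>[\d.]+) (?P<unit>bytes|KB|MB|GB) (?P<kind>.+)$"
)
UNITS = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
Discrepancy = namedtuple("Discrepancy", "path timestamp size_bytes kind")

def parse_rootkitrevealer(text):
    """Turn report lines into Discrepancy records; lines that do not parse are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            size = int(float(m["size"]) * UNITS[m["unit"]])
            out.append(Discrepancy(m["path"], f"{m['date']} {m['time']}", size, m["kind"]))
    return out

def triage(d):
    """Rank one discrepancy for follow-up (severity labels are this example's assumption)."""
    p = d.path.upper()
    if d.kind.startswith("Key name contains embedded nulls") and p.startswith("HKLM\\SECURITY\\POLICY\\SECRETS\\"):
        return "benign"   # Windows itself stores LSA secrets (SAC*, SAI*) under names with embedded nulls
    if d.kind.startswith(("Security mismatch", "Data mismatch")):
        return "low"      # ACL or raw-hive value differences, usually configuration or timing artefacts
    if d.kind.startswith("Visible in Windows API, but not in MFT"):
        return "low"      # the file was created or deleted while the scan was running
    if d.kind.startswith("Hidden from Windows API"):
        if "\\TEMP\\" in p and p.endswith(".LOG"):
            return "review"  # a log written during the scan; re-run to see whether it persists
        return "high"        # a file the Windows API cannot see is the classic rootkit symptom
    return "unknown"
```

Feed a whole saved report to parse_rootkitrevealer and sort the records by triage level to see which entries deserve a second scan.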
peral00 (Newbie, joined 23 April 2007, Italy, 14 posts)
Posted: 26 April 2007 at 6:42am
Will do. I haven't made it home yet so I won't get to this until tonight.
Ciao
lucass (Newbie, joined 07 December 2006, Italy, 11 posts)
Posted: 26 April 2007 at 6:23am
Your Italian is very fine :)
Please download SystemScan
http://www.suspectfile.com/systemscan/
Run systemscan

Click "scan now"

**Note
This scan will take a while so please be patient.
This tool does not fix anything. It just does a scan and generates a log.
Once done the log should pop up.

C:\suspectfile\report.txt

Upload the report to this site, www.easy-share.com, and please copy and paste the download link in your reply

Regards :)
peral00 (Newbie, joined 23 April 2007, Italy, 14 posts)
Posted: 26 April 2007 at 5:13am

Hi Lucass

I'll run HJT when I get home in an hour or so.

To answer your PS question

I'm American. I moved to Italy a year ago and I'm learning Italian. I understand enough but I don't speak it very well. For example, with your post on the other site, I understand the general sense, but I often have to check the dictionary to be sure I understand the comments or the instructions correctly.
Thanks again for your help. If we continue this discussion on this forum, I'd prefer to continue in English so that other people can learn from your experience. If it would be better to write elsewhere, that's fine.
Ciao!

Edited by peral00 - 26 April 2007 at 5:15am
lucass (Newbie, joined 07 December 2006, Italy, 11 posts)
Posted: 26 April 2007 at 4:47am
Hi
Close all windows including Internet Explorer.
Run Hijackthis, click on the "do system scan only" button and put a checkmark next to each of these items.

O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - (no file)

O2 - BHO: Class - {C1DC36BC-281D-34C3-E8F7-58F550D7DF65} - C:\WINDOWS\ustbh1.dll (file missing)

Then click the Fix Checked button

Please post a new Hijackthis log

Regards


PS: Do you speak Italian?