Solved: HJT-log - possible Trojan.Bat.Regger.b

Hi,

I got some malware on my computer. I'm not even sure how I noticed it, but I'm certain.

It's possible that I have been infected though firefox. It's most likely firefox or ie.

The computer has rebooted, so it's in the system.

Regards,
Johan Forngren

P.S. Apologies for my bad English. I can read English fluently and understand advanced instructions.

 

Welcome to TSG

Please give me a minute to create a fix for you. Thanks

 

Run HijackThis, and press "Do a System Scan Only".
1. When the scan is complete place a check mark next to the following entries:

O4 - HKLM\..\Run: [RPC Drivers] C:\WINDOWS\system32\inetsrv\rpcall.exe
O4 - HKLM\..\Run: [Microsoft Automatic Updates] AutomaticUpdates.exe
O4 - HKLM\..\RunServices: [RPC Drivers] C:\WINDOWS\system32\inetsrv\rpcall.exe
O4 - HKLM\..\RunServices: [Microsoft Automatic Updates] AutomaticUpdates.exe
O4 - HKCU\..\Run: [RPC Drivers] C:\WINDOWS\system32\inetsrv\rpcall.exe

2. After checking these items CLOSE ALL open windows EXCEPT HijackThis and click "Fix Checked." Then, reboot your computer...



=====================================

Download OTMoveIt by OldTimer and save to your Desktop.

• Double-click on OTMoveIt.exe to launch the program.
• Please copy the file(s)/folder(s) paths listed below - highlight everything in red and press CTRL+C or right-click and choose Copy.
  • 
    C:\WINDOWS\system32\inetsrv\rpcall.exe
    C:\WINDOWS\system32\AutomaticUpdates.exe
• Then in OTMoveIt, right-click in the open text box labeled "Paste List of Files/Folders to be Moved" and choose Paste.
• Click the red MoveIt! button.
• The list will be processed and the results for each line will be displayed in the right-hand pane.
• Highlight everything in the Results window, press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
• Close the program when done.
• Important! If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes.

=======================================

Please perform a scan with Panda ActiveScan - ActiveScan does not remove adware/spyware but will autoclean for viruses & worms.

1. Click "Scan Your PC".
2. A new window will open. Click "Check Now!".
3. Fill in your registration and click "Scan Now!".
4. You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component.
5. A new window will appear asking "Do you want to install this software?"" Name: asinst.cab.
6. Select "Install" to download the ActiveX controls that allows ActiveScan to run.
7. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow".
8. Select a device to scan: Click on "Local Disks" [allow it to Auto Clean].
9. When the scan completes, if anything malicious is detected, click the "See Report button", then "Save Report" to your desktop. 10. Post back the results of your scan and any infected files that are found but not deleted.

===========================================

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post. in your reply

In your next reply, please include a fresh Hijackthis log, Panda Activescan log and DSS logs. Thanks

 

Thank you sir!

Here are the requested logs.

 

Good Job so far, we need to do some clean from the worm.

First, lets backup windows registry.


The next step involves making changes in the registry. CAUTION: Always back up your registry before making any changes. If you are not familiar with working in the registry, then you should NOT attempt to make any changes on your own. Improper changes to the registry could adversely affect your computer and render it inoperable. ERUNT is an excellent FREE tool that allows you to to take a snapshot (backup) of your registry before making changes and restore it when needed.

• After download, double-click on erunt.exe and install by following the prompts.
  (use the default install settings but say no when asked if you want add ERUNT to the start-up folder. You can enable this option later).
• Start ERUNT by either double clicking on the desktop icon or choosing to start it at the end of the setup.
• Choose a location for the backup. (the default location is C:\WINDOWS\ERDNT).
• Make sure that at least the first two check boxes are checked.
• Press "OK"
• Press "YES" to create the folder.

If you are still unsure how to do this or have any questions please ask before proceeding.


=============================================================


Please download regfix.zip, Extract regfix.reg to your Desktop. Double-click on regfix.reg and allow it to be merged into windows Registry. Please reboot your computer



============================================================


How is everything running? Are you able to see the Run Command??



Also, i recommend you installing a software firewall. Here is a good free one. Its a trial version of 30 days, then it goes to the free version.
Kerio Personal Firewall

 

Thanks again!

Everything seems to be running smothly and Panda active shows thumbs up.

Again, YOU ROCK!

 

Good, Please run DSS again the post the two logs. thanks.

 

I didn't get an extra.txt, but here's my main.txt.

 

Your log is clean!!!!


Now that your system is clean you should SET A NEW RESTORE POINT to prevent future reinfection from the old restore point AFTER cleaning your system of any malware infection. Any trojans or spyware you picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools can not access it to delete files, trapping viruses inside. Setting a new restore point should be done to prevent any future reinfection from the old restore point and enable your computer to "roll-back" in case there is a future problem.

To SET A NEW RESTORE POINT:
1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
3. Then go to Start > Run and type: Cleanmgr
4. Click "OK".
5. Click the "More Options" Tab.
6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Graphics for doing this are in the following links if you need them.
How to Create a Restore Point.
How to use Cleanmgr.

======================================

Here is some useful information on keeping your computer clean:

1. Most important thing is to make sure Windows is kept up to date with the latest patches and updates from Windows Update.
2. If you don't have a Firewall installed, please choose from the following:
   • ZoneAlarm Free
   • Kerio Personal Firewall
3. If you don't have a Anti-Virus installed, please download the following free program:
   • AntiVir Personal Edition
4. Here are two great Preventive programs:
   • SpywareBlaster protects you from malicious ActiveX controls and cookies. Make sure and check for updates twice a month.
   • IESpyads adds a long list of bad sites to your Restricted sites in Internet Explorer and protects against drive by downloads.
5. Surf Safe with McAfee's SiteAdisor. SiteAdisor will work with Internet Explorer and Mozilla Firefox. SiteAdisor is a browser plugin that assigns a safety rating to domains listed in your search engine. SiteAdvisor uses the following color codes to indicate the safety level of each site.
   • Red for Warning
   • Yellow for Use Caution
   • Green for Safe
   • Grey for Unknown
   
   Here are the link to install SiteAdisor in Internet Explorer and Firefox
6. Anti-Spyware Programs I Recommend:
   • Lavasoft's Ad-Aware SE Personal
   • SuperAnti-Spyware
7. For Even More Information On Securing Your Computer read Tony Klein's So How Did I Get Infected In The First Place]

 

Thanks a lot sir!

I'm an open source-guy myself, and yet I'm amazed by your support.

 

Your Welcome!!!