12-30-2007, 06:01 AM   #2
Angelfire777
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 3,413
OS: Vista


Re: Help pls...hiding virus/malware

Hi, welcome to TSF!

Quote:
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe I have done all that I know to do which isn't a lot!
That one is legit. It's related to your video card.

Sounds like something very fishy is going on on your machine.


Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

F2 - REG:system.ini: Shell=d:\windows\explorer.exe
F2 - REG:system.ini: UserInit=d:\windows\system32\userinit.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u


If you or your administrator didn't set these policies, please fix these:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
______

Download Deckard's System Scanner to your Desktop.

Note: You must be logged onto an account with administrator privileges.

1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, a text file will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.
5. Please copy and paste the contents of main.txt and extra.txt to your post.
______

Download this tool to your desktop:
http://www.uploads.ejvindh.net/rootchk.exe
Run the program. After a short time a logfile will turn up. Copy the contents of the log into the thread.

If you already have "rootchk" please delete that one & grab the above one.
It is updated often.

Notice: Some security programs prevent the creation of dummy drivers with certain names. This may cause false positives. If the log of rootchk contains a lot of hidden drivers, you may want to turn off your security programs while rootchk is scanning (you should then unhook your network connection as well).
______

In your next reply, please include:
  • Main.txt log w/ extra.txt
  • rootchk log
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
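Added example, not part of Angelfire777's post and not HijackThis's own code: a small Python script that applies the checks the post asks the user to do by hand, so a reader can see what each flagged entry is being compared against. It parses HijackThis log lines, compares the F2 Shell value with the bare default Explorer.exe, derives the expected UserInit path from a system-root parameter, flags O4 Run commands that are bare file names, and reports every O6 policy entry for confirmation. The sample log is constructed from the lines quoted in the post; the function names and the systemroot parameter are this example's own.

```python
import re
from typing import List, Tuple

# Constructed sample log: the HijackThis lines quoted in the post above, plus the
# O23 service line the helper judged legitimate, so one benign entry passes through.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=d:\windows\explorer.exe
F2 - REG:system.ini: UserInit=d:\windows\system32\userinit.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
"""

# Every HijackThis line starts with a section code (F2, O4, O23, ...), " - ", then the body.
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
F2_RE = re.compile(r"^REG:system\.ini: (?P<key>Shell|UserInit)=(?P<val>.*)$")
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Split a HijackThis log into (section, body) pairs; blank and foreign lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def first_token(cmd: str) -> str:
    """Return the executable part of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def review(text: str, systemroot: str = r"C:\WINDOWS") -> List[Tuple[str, str]]:
    """Apply the checks the post performs by hand and return (section, reason) findings.

    systemroot is the Windows directory of the machine under review (an assumed
    parameter): the expected UserInit path is derived from it, and %systemroot%
    in Run commands expands to it.
    """
    findings = []
    root = systemroot.rstrip("\\")
    expected_userinit = (root + r"\system32\userinit.exe").lower()
    for sec, body in parse_hjt(text):
        if sec == "F2":
            m = F2_RE.match(body)
            if not m:
                continue
            val = m.group("val").strip().lower()
            if m.group("key") == "Shell" and val != "explorer.exe":
                # Winlogon's default Shell value is the bare name Explorer.exe;
                # a full path or a different program replaces the desktop shell.
                findings.append((sec, f"Shell is not the bare default Explorer.exe: {val}"))
            elif m.group("key") == "UserInit" and val.rstrip(",") != expected_userinit:
                # UserInit runs at every logon, so a changed path is a classic persistence spot.
                findings.append((sec, f"UserInit is not {expected_userinit}: {val}"))
        elif sec == "O4":
            m = O4_RE.match(body)
            if not m:
                continue
            exe = first_token(m.group("cmd"))
            if exe.lower().startswith("%systemroot%"):
                exe = root + exe[len("%systemroot%"):]
            if "\\" not in exe and "/" not in exe:
                # A bare file name is resolved through the search path at logon,
                # so the file has to be located on disk before it can be vouched for.
                findings.append((sec, f"[{m.group('name')}] runs a bare file name: {exe}"))
        elif sec == "O6":
            # IE policy restrictions are legitimate only if an administrator set them.
            findings.append((sec, f"IE policy restriction present: {body}"))
    return findings


if __name__ == "__main__":
    # The O23 line in the post places Windows on D:, so that is the root used here.
    for sec, reason in review(SAMPLE_LOG, r"D:\WINDOWS"):
        print(f"{sec}: {reason}")
```

Run it with the system root of the machine being reviewed; Shell is compared against the bare default, UserInit against the path derived from that root, and the O6 lines are always listed because only the machine's owner can say whether the policy was set on purpose.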