Registry help

[msu715]

Where do I download HijackThis?

[evilfantasy]

Go to C:\Program Files\trend micro

There should be a file there named Hijackthis.exe or maybe Bob.exe. That is HijackThis.

If not then download it here http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

[msu715]

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\SET7F.tmp" deleted successfully.
File "C:\WINDOWS\SET6F.tmp" deleted successfully.
File "C:\WINDOWS\SET5D.tmp" deleted successfully.
File "C:\WINDOWS\SET51.tmp" deleted successfully.
File "C:\WINDOWS\SET80.tmp" deleted successfully.
File "C:\WINDOWS\SET70.tmp" deleted successfully.
File "C:\WINDOWS\SET5E.tmp" deleted successfully.
File "C:\WINDOWS\SET52.tmp" deleted successfully.
File "C:\WINDOWS\System32\CF4083.exe" deleted successfully.
File "C:\WINDOWS\zip.exe" deleted successfully.
File "C:\WINDOWS\VFIND.exe" deleted successfully.
File "C:\WINDOWS\SWXCACLS.exe" deleted successfully.
File "C:\WINDOWS\SWSC.exe" deleted successfully.
File "C:\WINDOWS\SWREG.exe" deleted successfully.
File "C:\WINDOWS\sed.exe" deleted successfully.
File "C:\WINDOWS\NIRCMD.exe" deleted successfully.
File "C:\WINDOWS\grep.exe" deleted successfully.
File "C:\WINDOWS\fdsv.exe" deleted successfully.
Folder "C:\ComboFix" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.

[evilfantasy]

Did you get MalwareBytes to run?

[msu715]

I installed it and ran it and it found 2 errors which were then cleaned up.

[evilfantasy]

Can you post the log please so I know what we are dealing with.

It can be found under the logs tab in MalwareBytes.

[msu715]

Malwarebytes' Anti-Malware 1.33
Database version: 1725
Windows 5.1.2600

2009-02-03 13:42:31
mbam-log-2009-02-03 (13-42-31).txt

Scan type: Quick Scan
Objects scanned: 53024
Time elapsed: 4 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\RegSweep (Rogue.RegSweep) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Explorer1.exe (Trojan.Agent) -> Quarantined and deleted successfully.

[evilfantasy]

Download DrWeb CureIt & save it to your desktop.

Scan with DrWeb-CureIt as follows:

• Double-click on drweb-cureit.exe and then click Start.
  
• An Express Scan of your PC notice will appear.
  
• Under Start the Express Scan Now Click OK to start.
  • This is a short scan that will scan the files currently running in memory.
  • If or when something is found, click the Yes button when it asks you if you want to cure it.
• Once the short scan has finished, Click Options > Change settings
  
• Choose the Scan tab and UNcheck Heuristic analysis and click OK
  
• Back at the main window, select the Complete scan button.
  
• Then click the Green Arrow Start Scanning button on the right and the scan will start.
  • Click Yes to all if it asks if you want to cure/move any file(s).
• When the scan is done.
• In the Dr.Web CureIt menu on top left, click File and choose Save report list.
  
• Save the DrWeb.csv report to your Desktop.
  
• Exit Dr.Web Cureit.

• Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

[/COLOR]

• After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
  
• Copy and paste that log in the next reply

[msu715]

Sorry aobut the delay, here's the log:

data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{887FE045-9D63-4968-936F-793AB5517D1C}\RP4\A0002379.exe\data002;Program.PsExec.171;;
data002;C:\System Volume Information\_restore{887FE045-9D63-4968-936F-793AB5517D1C}\RP4\A0002379.exe;Archive contains infected objects;;
A0002379.exe;C:\System Volume Information\_restore{887FE045-9D63-4968-936F-793AB5517D1C}\RP4;Archive contains infected objects;Moved.;
A0002381.exe;C:\System Volume Information\_restore{887FE045-9D63-4968-936F-793AB5517D1C}\RP4;Tool.Prockill;Incurable.Deleted.;

[evilfantasy]

Nothing new was found. How is the computer running now?

[msu715]

Pretty good, the only problem is IE shuts down every once in a while, I tried to install the newest version and also Firefox, but it says my service pack doesn't support the installation or something. Other than that the computer is running fine.

[evilfantasy]

Go to Microsoft Windows Update and get all critical updates.

How is it now?

[msu715]

When I try to update, it says I don't have all the files needed or something...my IE has been getting worse too and I have no clue why.