
Thread: BraveSentry removed? - problems remain

  1. #11 (Join Date: Aug 2006; Location: The Middle; Age: 80; Posts: 4,079)
    PK, did you do any of the fixes ~TL requested that you do using HJT in safe mode? I still see them all listed in your most recent HJT log.
    You do need to follow the recommendations as given, otherwise no fixing will occur.
    I note in your Analyzer.txt log numerous listings for files on July 14, 2007 that I am fairly certain are at least part of the cause of your problems. Do you recall any specific email opened, website visited or program downloaded on that date?

  2. #12 (Join Date: Jul 2007; Posts: 39)
    I did do the fixes as TL said.

    July 14th is the day this happened. Was reviewing blogging software for a client & went to a site posted as an example on the b2evolution site.

    Thank you, pk

  3. #13 (Join Date: Aug 2006; Location: 255.255.255.666; Posts: 2,056)

    Ok I went through your AnalyzerXP log and attached the revised log to this post.
    Take a look at it, but I believe Judy already knows and agrees on my comments.
    She will take it from here but I just wanted to let you know that since there is definitely a rootkit infection present, you will need a good Rootkit remover!

    Here are some of the tools that you will need, I am sure Judy will add to the list as well.

    ~ For RootKit infections:
    AVG Rootkit Scanner
    RootkitRevealer
    RootKit Hook Analyzer


    ~ For Key-Loggers:
    KL-Detector
    IHateKeyloggers
    SS-Keylogger Clean


    Note: For the files I commented on in your log, wait to see what kind of action Judy wants to take. If manually deleting them or using CleanupXP+ is not doing the job, she will recommend alternative tools to use.
    Attached Files

  4. #14 (Join Date: Jul 2007; Posts: 39)
    TL - Appreciate your help.

    Judy - Was reviewing the instructions so far to make sure I had done what was requested & realized that although I did the fixes as I said, perhaps I was supposed to run hjt again after the fix? If this is the case, I'm sorry I didn't think to do that. I have attached a new scan.

    Thank you, pk
    Attached Files

  5. #15 (Join Date: Aug 2006; Location: The Middle; Age: 80; Posts: 4,079)
    PK, reviewed your new HJT log, yes, the new scan did need to be run and log saved so we can see what, if anything, was missed.

    I note three entries still showing on the new log:
    The O8 entry below...did you try to fix that one or did you just miss it?
    O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm

    This one below is Trojan-Proxy:W32/Xorpix.AR
    O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll

    This one "could be" Graphisoft R&D. Do you use this program? Or have you used this program? It could also be a questionable entry.
    O21 - SSODL: SxQHpRUcMid - {2C4A6A44-86E0-C0EE-91B7-B3C85FBB37F4} - C:\WINDOWS\system32\ud.dll

    I also am quite suspicious of this entry that ~TL questioned you about earlier and you had no idea about it either:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{26FB5087-36E1-4C61-8781-35A69C01309A}: NameServer = 192.168.1.254

    ~TL and I have conferred and concur on all of the entries noted in his attached Revised Analyzer log.
    We are at somewhat of a disadvantage here because of the inability of the computer to go online or, evidently, to work in normal mode, so some of these fixes may have to eventually be completed manually. The LSPFix, I believe, should wait because, as ~TL has noted, it probably would be broken again due to the nasty items on the machine.

    To begin I am going to recommend that you try the AVG Anti-Rootkit program. Of course you will have to download it to the other computer and bring it to the infected one to install and use.
    Then also choose and run any of the Keylogger programs suggested by ~TL. Just be sure to read and follow all the instructions. If you would feel more secure printing out the instructions for the Anti-Rootkit program and Keylogger programs then by all means do so.
    If given the option then allow both programs to fix what is found.
    Post any logs generated by these programs.
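The O17, O20 and O21 entries Judy walks through above are the kind a reviewer checks by hand; the script below is an added example (not part of this thread and not a HijackThis tool) that parses those line formats and applies three of my own triage heuristics: Winlogon Notify DLLs are expected under system32, SSODL names are compared against an assumed allow-list of XP defaults, and the NameServer is compared against resolvers the caller says are expected. It flags entries for review; it does not decide that any given file is malicious.

```python
import re
from typing import Dict, List, Optional, Set
# Constructed sample: the four HijackThis entries quoted in the post above.
HJT_SAMPLE = [
    r"O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm",
    r"O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll",
    r"O21 - SSODL: SxQHpRUcMid - {2C4A6A44-86E0-C0EE-91B7-B3C85FBB37F4} - C:\WINDOWS\system32\ud.dll",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{26FB5087-36E1-4C61-8781-35A69C01309A}: NameServer = 192.168.1.254",
]
# Assumed allow-list of default Windows XP ShellServiceObjectDelayLoad names; extend for your build.
KNOWN_SSODL = {"WebCheck", "SysTray", "PostBootReminder", "CDBurn"}
SYSTEM32_DIRS = ("c:\\windows\\system32\\", "c:\\winnt\\system32\\")
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")

def parse_entry(line: str) -> Optional[Dict[str, str]]:
    """Split one HJT 'Onn' line into its type and the fields that type carries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.groups()
    entry = {"type": kind, "raw": line.strip()}
    if kind == "O20" and body.startswith("Winlogon Notify: "):
        name, _, path = body[len("Winlogon Notify: "):].partition(" - ")
        entry.update(name=name, path=path)
    elif kind == "O21" and body.startswith("SSODL: "):
        parts = body[len("SSODL: "):].split(" - ", 2)  # name - {CLSID} - path
        if len(parts) == 3:
            entry.update(name=parts[0], clsid=parts[1], path=parts[2])
    elif kind == "O17" and "NameServer = " in body:
        entry["nameserver"] = body.split("NameServer = ", 1)[1].strip()
    return entry

def triage(lines: List[str], expected_dns: Set[str] = frozenset()) -> List[Dict[str, str]]:
    """Return the O17/O20/O21 entries a reviewer should look at, each tagged with a reason."""
    findings = []
    for line in lines:
        e = parse_entry(line)
        if e is None:
            continue
        if e["type"] == "O20" and not e.get("path", "").lower().startswith(SYSTEM32_DIRS):
            e["reason"] = "Winlogon Notify DLL loaded from outside system32"
        elif e["type"] == "O21" and e.get("name") not in KNOWN_SSODL:
            e["reason"] = "SSODL object not on the default allow-list; identify the CLSID by hand"
        elif e["type"] == "O17" and e.get("nameserver") not in expected_dns:
            e["reason"] = "NameServer differs from the resolvers expected on this network"
        else:
            continue  # O8 and anything else is left for manual review
        findings.append(e)
    return findings
```

Passing the router or ISP resolvers in `expected_dns` clears the O17 entry when it is legitimate, which is exactly the question Judy is asking PK to settle.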

  6. #16 (Join Date: Aug 2006; Location: The Middle; Age: 80; Posts: 4,079)
    PK, had to sign off quickly last night as we had some major storms going on so I didn't get to finish.
    Do you use ACT Management Software?

    If it is possible for you, I would also like to see a list of programs which automatically start on your computer.

    HijackThis has a built-in tool that will generate a listing of all the programs that automatically start on your computer.

    In order to do this go into the Config option when you start HijackThis, then click on the Misc Tools button at the top.
    You will then click on the button labeled "Generate StartupList Log". Once you click that button, the program will automatically open up a notepad filled with the Startup items from your computer. Copy and paste these entries into a message and submit it here also.

  7. #17 (Join Date: Jul 2007; Posts: 39)
    Judy - No, I don't use ACT. I'm in the process of running AVG Anti Rootkit. I'm in normal startup mode - it's been running for better than 3 hours but I'm at 95%.

    Just seems like there's tons of stuff running or trying to run that slows things down to a crawl.

    I'll send the list of programs that auto start as soon as this one's done & before I begin the others. Should I try running HJT in normal or safe mode startup for this?

    pk

  8. #18 (Join Date: Aug 2006; Location: The Middle; Age: 80; Posts: 4,079)
    If you can get that Start Up list from HJT in normal mode then by all means do so.
    Also, do you use Graphisoft R & D program?

  9. #19 (Join Date: Jul 2007; Posts: 39)
    No, I don't use Graphisoft R & D either.

    I'm still at 95% - been sitting there for over an hour... I'll keep at it.

  10. #20 (Join Date: Aug 2006; Location: The Middle; Age: 80; Posts: 4,079)
    I know this is a dumb question to ask at this stage of the game...you DO have the internet cable removed from the infected computer right? If not you should do that now and keep it that way until we can be certain these trojan dialers, etc., are removed.
