TechSpot

Hacktool Rootkit Nightmare...please Help!

By klauskinky
Jun 22, 2005
Topic Status:
Not open for further replies.
  1. Hi everybody,

    I got infected by hacktool rootkit yesterday, and after spending hours to get to terms with my stupidity and the fact that I fell in the trap like a kid, I am giving up the fight to get rid of the nasty thing via usual means...you guys are my only hope! The problems are all the same: I run Symantec and the only thing that it does is quarantine the msdirectx.sys, that keeps reproducing over and over again...I followed microsoft's instructions, trying the manual delete, but no luck...

    I attach my HJT log...

  2. Spike

    Spike TS Rookie Posts: 2,371

    Firstly, I would like to welcome you to techspot :)

    However, it would be greatly appreciated if you would read the stickies at the top of this forum, and then return here and use the 'edit' button to amend your post.
  3. klauskinky

    klauskinky TS Rookie Topic Starter

    Post modified

    Dear Spike,

    Sorry for overseeing that note at first...I have changed my post, and I hope you'll see something in it that might help to get rid of this hacktool burden!

    thanx

    K
  4. Phantasm66

    Phantasm66 TS Rookie Posts: 6,504   +6

  5. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Boot in Safe Mode.
    Switch System restore OFF.
    Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

    msreged32.exe
    WebRebates0.exe
    PowerReg SchedulerV2.exe OR SchedulerV2.exe

    Next, UNinstall (not delete yet) anything to do with:
    C:\Program Files\Web_Rebates\WebRebates0.exe

    Next, run a HJT scan and place a tick-mark in the little square before (if still there):
    ...................................................................................................
    C:\WINDOWS\system32\msreged32.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.arianna.it/perie/hometestie.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iol.it
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Infostrada LIBERO
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.libero.it:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = abbonati.libero.it;www.libero.it;*.libero.;*.;<local>
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: Shell=Explorer.exe msreged32.exe
    O1 - Hosts: 198.65.164.168 00hq.com
    O1 - Hosts: 198.65.164.168 8ad.com
    O1 - Hosts: 198.65.164.168 008k.com
    O1 - Hosts: 198.65.164.168 www.008k.com
    O2 - BHO: Factiva - {4E7BD74F-2B8D-469E-C0FF-FD61BB96BC7D} - C:\WINDOWS\DOWNLO~1\fcombar.dll
    O3 - Toolbar: Factiva - {4E7BD74F-2B8D-469E-C0FF-FD61BB96BC7D} - C:\WINDOWS\DOWNLO~1\fcombar.dll
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Global Startup: PCSuiteperPanasonicX701 Detect.lnk = ?
    O4 - Global Startup: PCSuiteperPanasonicX701 TS.lnk = ?
    O4 - Global Startup: PowerPanel.lnk = ?
    O14 - IERESET.INF: START_PAGE_URL=http://www.iol.it
    O15 - Trusted Zone: *.sony-europe.com
    O15 - Trusted Zone: *.sonystyle-europe.com
    O15 - Trusted Zone: *.vaio-link.com
    O16 - DPF: {4E7BD74F-2B8D-469E-C0FF-FD61BB96BC7D} (Factiva) - http://global.factiva.com/toolbar/fcombar.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    ...................................................................................................
    Now click on the Fix Checked button in HJT.

    When done, from between the dotted lines, delete the highlighted bold files.
    When a \directory-name\ is bold, delete everything in it, including that directory itself.

    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Boot normal. When all OK, switch System Restore back on.
  6. klauskinky

    klauskinky TS Rookie Topic Starter

    Thank you my saviour!

    Here is what I did:

    In Taskmanager/Processes I could NOT find any of the following:
    msreged32.exe
    WebRebates0.exe
    PowerReg SchedulerV2.exe OR SchedulerV2.exe

    There was no web_rebates folder in C:\Program Files, though it did show it in the HJT log...so I couldn't delete it

    but I DID find traces of all webrebates, msreged32 fcombar and schedulerV2 in HJT, which I fix checked and deleted

    I deleted all the content of the temp folder

    I run the HJT again, and the only thing left was a trace of C:\Program Files\Web_Rebates\ which I still couldn't find in the program files folder

    I performed an overall search, and the only trace of webrebates was in the Sybot - Search and destroy folder...there were two zipped files called webrebates, which I removed...

    I performed another HJT, which I attach, where no trace of webrebates can be found...

    DOES THIS MEAN I AM FINALLY CLEAN???

    I owe you big time!

    Klaus
  7. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    You are not clean by any means! You either did not follow my instructions, or only a few, or your infection causes an UNDO of whatever you DO.

    In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

    Then repeat my previous instructions. Look for the mentioned files and/or directories again and delete if found.
    Then post another log.
  8. klauskinky

    klauskinky TS Rookie Topic Starter

    Dear Realblackstuff,

    I have followed again your instructions accurately:

    1) Boot in Safe Mode - DONE

    2) Switch System restore OFF - DONE

    3) Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:
    msreged32.exe
    WebRebates0.exe
    PowerReg SchedulerV2.exe OR SchedulerV2.exe
    DONE (NONE OF THE ABOVE FOUND)

    4) Next, UNinstall (not delete yet) anything to do with:
    C:\Program Files\Web_Rebates\WebRebates0.exe
    DONE (UNINSTALLED BY USING ADD/REMOVE PROGRAMS)

    5) Next, run a HJT scan and place a tick-mark in the little square before (if still there) - DONE (I FIXED AND DELETED 7 ITEMS)


    6) Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp - DONE

    7) I have turned on "show all files and folders, including hidden and system", but still no sign of Webrebates in Program Files...


    After I have done all the above, Symantec stopped popping out the note saying it found and put in quarantine Hacktool Rootkit, which is why I thought I was finally clean. Moreover, I did go through HJT and couldn't find any more traces of the nasty items you mentioned...is there something still there that I can't see?

    Also, I have performed a wide search for either webrebates, schedulerv2 or msregedit and I found:

    POWERREG SCHEDULERV2.exe in C:\WINDOWS\Prefetch

    MSREGED32.exe-1B3D9F38.Pf in C:\WINDOWS\Prefetch

    msreged32.exe in C:\WINDOWS\system32 (dated 2002)

    Should I delete all of the above? And what else do you think I should do?

    I enclose the latest HJT log and startup log....

    Thx again,

    KK
  9. IronDuke

    IronDuke TS Rookie Posts: 1,267

  10. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    KlausKinky
    Yes, delete everything from the prefetch-area.
    And your latest HJT log looks remarkably like the first one, with still nearly all the baddies in there. Webrebates was the least of your worries.

    Follow IronDuke's advice and run that program.

    Try this as well (make sure you can still see all files, system and hidden):
    Check for C:\WINDOWS\SYSTEM32\setup32.exe.
    Check in Task Manager for the file, end the process, then delete it manually from the SYSTEM32 folder. Empty your recycle bin.
    Reboot in safe mode and run another HJT as described in my first procedure. Look if the HJT log looks different.

    Also have your PC scanned online by TrendMicro:
    http://be.trendmicro-europe.com/consumer/housecall/housecall_launch.php

    Best of luck.
  11. klauskinky

    klauskinky TS Rookie Topic Starter

    Trying hard...

    Dear RealBlackstuff...

    I have downloaded the two programs and will give you an output asap...in the meantime, how safe is it to do internet banking or sensitive stuff like that when infected with these baddies?

    Thanx again,

    KK
     
  12. Vigilante

    Vigilante TechSpot Paladin Posts: 2,120

    Not sure how safe you are unless the "baddies" you have are data-miners. But I would avoid that stuff for now.

    If you are on XP, be sure to run in Safe Mode with Networking. Anytime you go back into Normal mode and open a web browser, you could potentially be infecting yourself again!

    Follow all RBS's instruction from Safe Mode and don't go back to normal mode until ALL the scans turn up clean!
    Run, and update, your ad-aware, spybot search and destroy, hijackthis, and antivirus. You might also look for a program called "BHOCaptor" and run that. You can get all this stuff online AND in Safe Mode if you started Safe Mode with Networking.

    Once you run all those scans, and still in Safe Mode, try going to "housecall.trendmicro.com" and do a virus scan from their site, delete whatever it finds.
    You may also have bad startups that HJT isn't finding, download "autoruns" from www.sysinternals.com and look through ALL the tabs for suspicious entries.

    Lastly, if this infection still remains, even in Safe Mode, it could very well be a service. Pay special attention in autoruns to the services and explorer tabs.

    good luck
  13. klauskinky

    klauskinky TS Rookie Topic Starter

    Dear Vigilante,

    Thank you for the tips...just one question: how do I understand when a scan is clean, and how do I recognize the baddies in the log??
  14. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    We'll do that for you, as far as possible.
    A HJT-log is a pretty good indication (though not infallible).
  15. klauskinky

    klauskinky TS Rookie Topic Starter

    New status...

    So here is the latest of the klauskinky saga!

    1) Spybot found and deleted:

    - DSO Exploit
    - BPS spyware remover (which I believe was my other adaware program...nevermind)

    2) Norton Antivirus found nothing

    3) Trend Micro Housecall found:

    VIRUS:

    - C:\program files\kazaa\perfectNavUninstaller.exe TROJ KEENVALE
    - C:\mibmarccolvn.exe TROJ FEMAD.D
    - C:\Q230903.exe TROJ WINSHOW.A
    (all deleted)

    SPYWARE:

    - ADW BADBITOR.A
    - ADW PWRSEARCH.A
    (all deleted)

    4 VULNERABILITIES WERE ALSO FOUND, and they require MS patches

    BHO CAPTOR found:

    AcroIEHelpObj Class C:\program files\adobe\acrobat6\acrobat\activex\AcrolEHelper.dll

    C:\Program Files\Spybot-Search & Destroy\SDHlper.dll

    Google toolbar c:\Program Files\googletoolbar1.dll

    AcroIEtoolbarhelper.class C:\Program Files\Acrobat\Acrobat6\Acrobat6\Acrobat\AcrobIEFavClient.dll

    Also, I attach my latest HJT log and the autoruns log...

    Thanx to both of you...here is some material to work on!! :)

    KK
  16. Vigilante

    Vigilante TechSpot Paladin Posts: 2,120

    From Autoruns, I don't recognize this one:

    c:\program files\biblioteca microsoft\diziorom\qs96i.exe

    Is that some sort of bookshelf or library app? Can't find any info on it.

    Sorry, the autoruns logfile is just to dang hard to read. Did you set the option to "hide signed microsoft entries"?

    Just follow a few rules here:
    Look for any entries that have wacky names. Pay special attention to files in the system and system32 folders. Delete ANY entries that are in a temp folder.
    If an item is suspicious to you, just type it into Google and search, you'll quickly find out.
    Cause the log is so hard to read, if you're industrious enough, post all the file names :)

    As for HJT, remove:
    R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.arianna.it/perie/hometestie.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iol.it
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Infostrada LIBERO
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.libero.it:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = abbonati.libero.it;www.libero.it;*.libero.;*.;<local>
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 198.65.164.168 00hq.com
    O1 - Hosts: 198.65.164.168 8ad.com
    O1 - Hosts: 198.65.164.168 008k.com
    O1 - Hosts: 198.65.164.168 www.008k.com
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - Global Startup: PCSuiteperPanasonicX701 Detect.lnk = ?
    O4 - Global Startup: PCSuiteperPanasonicX701 TS.lnk = ?
    O4 - Global Startup: PGPtray.lnk = ?
    O4 - Global Startup: PowerPanel.lnk = ?

    This one is a tough one, if you remove it, it could "break" your network and you won't be able to go online, however, if you are having Internet issues, this could be the problem:
    O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\asdns.dll
    I would suggest NOT deleting it until you download an LSP repair program such as "WinSockXPFix.exe" which you can download from the link on http://www.iup.edu/house/resnet/winfix.shtm
    Once you have this file, then fix this LSP entry. Just in case HJT can't repair the Winsock itself.

    Now keep cleaning:
    O14 - IERESET.INF: START_PAGE_URL=http://www.iol.it
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: CR - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Claudio\LOCALS~1\Temp\CR.exe

    Once these are removed, scan again and look through them. Almost everything that is GOOD is pretty easy to tell by the path and file name. You can tell if something belongs to one of your programs etc...

    When you fix the LSP entry, HJT will do a quick restart, scan again as soon as it does. I don't know why there are entries for "sysinternals" with file names in the temp folder. Could be they are going to remove something on startup? But doesn't matter just remove them.
    Then post here again. And post the names from autoruns.
  17. klauskinky

    klauskinky TS Rookie Topic Starter

    Disaster!! Call 911!!

    Dear Vigilantes,

    I have followed your instructions and deleted all the baddies, and downloaded WinSockXPFix.exe before deleting asdns.dll...as you mentioned, the internet stopped working, but instead of fixing anything, winsockxpfix simply says..."Nothing to repair!"...not only the internet doesn't work, but the bottom bar where START and the shortcuts usually are is gone!!! so I need to move around using My Computer...when I turned it back on in normal mode, the following message appeared:"Open SnyUtils.dll error, Pls log on Again"...and there seems to be an error with HKServ.exe too!! basically, I'm stuck!! Is there any solution to this????

    Thx again...
  18. Vigilante

    Vigilante TechSpot Paladin Posts: 2,120

    Certainly, don't panic!

    By the way, I'm guessing you have another PC that you are posting here from? Anyway, maybe that is not the right winsock fixer. Try http://www.softpedia.com/get/System/System-Miscellaneous/LSPFix.shtml
    But look at the warning towards the bottom first about Adaware! (note I never used this one, this is just a quick google for an LSP fix).

    If not, cause the one I use is so hard to find, I'll try to get a link to it. Try this: http://www.zacksdomain.com/Software/Utilities/WinsockXPFix.exe

    With this one you just click "fix" and it will repair and then restart automatically. This one I use mostly, it works.
    ---

    Next be sure to write down any file names and paths from those errors so you can remember them.
    SnyUtils.dll appears to be something with a Sony driver of some kind? Not sure what, maybe a modem or video?
    And HKServ.exe is part of a "special buttons" support thing. I gather by these that you have a Sony Laptop. This process enables some of the fancy functions of the special Sony buttons on the keyboard.

    Because it's hard to tell what those are part of, my first suggestion would be to download the LSP fixer and get your Internet up first (in safe mode with networking). Then visit Sony's web site and look for new drivers. Particularly for video and keyboard stuff. This should fix the HKServ and SnyUtils errors.

    Also, if/when you get Internet back, see if you can do another virus scan from "housecall.trendmicro.com". And see if it's clean.

    If you get into Safe Mode but don't have a Start Bar, try pressing ctrl-alt-del and go into Task Manager. Click File-New Task and run "explorer". See what happens.

    If all else fails and it looks pretty bad, you may have to just re-install Windows, backup your data. Or even attempt a repair install.

    c ya
  19. klauskinky

    klauskinky TS Rookie Topic Starter

    I see the light at the end of the tunnel...

    Dear Vigilantes...

    After an initial sense of defeat (Internet not working, start bar not appearing etc...) I have managed to find a way around it...I have re-instated the start bar by activating all the services from Autoruns, which were all disabled for some reason...so now all the basic functions are finally back. The Internet is back up, luckily, so all I have to do is find out if the bloody intruder is still there!! I have followed your suggestion and have written down all the services I found on Autoruns, which I attach, along with the latest HJT scan...Let's hope I am now as clean as a baby!! (I doubt it, but at this point hope is all I have left!!) :)

    Looking forward to your reply

    KK
  20. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    When are you finally going to remove those O15s? You don't trust ANYbody!

    Boot in Safe Mode.
    Switch System restore OFF.
    Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

    GUOERCIH.exe
    QYVGMSA.exe

    Next, click Start/Run and type services.msc and click OK. Look for the service:
    GUOERCIH.exe
    QYVGMSA.exe
    Doubleclick it, click Stop if it's running, and change the Startup type to Disabled.

    Next, run a HJT scan and place a tick-mark in the little square before (if still there):
    ...................................................................................................
    R3 - Default URLSearchHook is missing
    O4 - Global Startup: PowerPanel.lnk = ?
    O15 - Trusted Zone: *.sony-europe.com
    O15 - Trusted Zone: *.sonystyle-europe.com
    O15 - Trusted Zone: *.vaio-link.com
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O23 - Service: GUOERCIH - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Claudio\LOCALS~1\Temp\GUOERCIH.exe
    O23 - Service: QYVGMSA - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Claudio\LOCALS~1\Temp\QYVGMSA.exe
    ...................................................................................................
    Now click on the Fix Checked button in HJT.

    When done, from between the dotted lines, delete the highlighted bold files.

    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].

    Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).

    Boot normal. When all OK, switch System Restore back on.
  21. klauskinky

    klauskinky TS Rookie Topic Starter

    Dear RealBlackStuff (by the way, you make me thirsty every time I look at your pix :) )

    Thank you again, and again, and again, for wasting so much time to fix me up.

    I did all of the above, and when it got to fix the global startup item (O4 - Global Startup: PowerPanel.lnk = ?) a window popped up saying: "Error #52 (Bad file name or number) in SubGetLongPath (?.exe)"

    ...apart from this, it all went pretty smooth. I deleted all the temp files in Local. One detail: in Documents and Settings/Claudio/Locals (not temp) I found a file called trav_svc.exe dated 2004, with a nasty looking logo...no idea what that thing is...I left it there for now...

    Also, when I rebooted the system, I noticed that the google toolbar is gone (I have uninstalled now, since it's not there anymore)...

    I have run a new HJT AFTER I rebooted in normal mode and AFTER I turned back on system restore, and it looks pretty ok apart from the following line:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{8AB417DC-A60D-446D-9D4C-8783982B614C}: NameServer = 154.32.107.18 154.32.109.18

    which looks pretty nasty to me?!

    Let me know if I need to kill this too...

    Thx,

    KK

  22. Vigilante

    Vigilante TechSpot Paladin Posts: 2,120

    You DO want to get rid of name servers. UNLESS you have/need static IP information set. So get rid of:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{8AB417DC-A60D-446D-9D4C-8783982B614C}: NameServer = 154.32.107.18 154.32.109.18

    Unless you need it.
    A reverse DNS lookup for 154.32.107.18 turned up "res2.dns.uk.psi.net". Doesn't say much. Unless you are "on" psi.net, I would remove this entry.
    ---------

    Also everybody, ROOTKITREVEALER is NOT a bad prog. It is a legitimate program from sysinternals that tries to find virus and spyware behavior in rootkits. Ya, I'm confused too. But basically, in order to NOT be killed by spyware and viruses, the sysinternals tool uses a service and a random filename to avoid being killed. Read about the program at this URL:
    http://www.sysinternals.com/Utilities/RootkitRevealer.html

    And here was my post on the sysinternals forum about these entries:
    http://www.sysinternals.com/Forum/forum_posts.asp?TID=336&PN=1&TPN=1

    cheers
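    The triage rules given in post 16 (anything autostarting from a Temp folder, hosts-file redirects, the LSP caution) and in posts 20 and 22 (the O15 Trusted Zone entries, the O17 NameServer check, the RootkitRevealer note) can be applied mechanically to a HijackThis log. The script below is an added example, not part of this thread or of HijackThis itself; the sample lines are copied from the logs quoted above, and the verdict categories (ok / verify / caution / remove) are my own labelling of the advice in the thread.

```python
import re

# Constructed sample in HijackThis log format: the lines are the ones quoted in
# this thread, reproduced here only as input for the triage rules below.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/
F2 - REG:system.ini: Shell=Explorer.exe msreged32.exe
O1 - Hosts: 198.65.164.168 00hq.com
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: PowerPanel.lnk = ?
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\asdns.dll
O15 - Trusted Zone: *.sony-europe.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{8AB417DC-A60D-446D-9D4C-8783982B614C}: NameServer = 154.32.107.18 154.32.109.18
O23 - Service: GUOERCIH - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Claudio\LOCALS~1\Temp\GUOERCIH.exe
"""

LINE_RE = re.compile(r"^(?P<kind>[ROF]\d+) - (?P<body>.*)$")
TEMP_RE = re.compile(r"[\\/](temp|tmp)[\\/]", re.IGNORECASE)  # also matches LOCALS~1\Temp\
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def triage_line(line):
    """Classify one HijackThis line as ok / verify / caution / remove, with a reason.
    Returns None for lines that are not in HijackThis format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind == "F2" and "Shell=" in body:
        loaders = body.split("Shell=", 1)[1].split()
        extra = [x for x in loaders if x.lower() != "explorer.exe"]
        if extra:
            return "remove", f"extra shell loader(s) {extra}; only Explorer.exe belongs here"
        return "ok", "shell is Explorer.exe only"
    if kind == "O1":
        ip, host = body.split(":", 1)[1].split()[:2]
        if ip not in ("127.0.0.1", "::1"):
            return "remove", f"hosts file redirects {host} to {ip}"
        return "ok", f"{host} is pinned to localhost"
    if kind in ("O4", "O23") and TEMP_RE.search(body):
        reason = "autostart entry runs from a Temp folder"
        if "Sysinternals" in body:
            reason += " (RootkitRevealer registers a random-named service like this while it scans)"
        return "remove", reason
    if kind == "O4" and body.rstrip().endswith("= ?"):
        return "verify", "shortcut target could not be resolved; check what the .lnk points to"
    if kind == "O10":
        return "caution", "Winsock LSP entry; removing it can break networking, have an LSP repair tool ready"
    if kind == "O15":
        return "remove", "Trusted Zone entry lowers IE security for that domain"
    if kind == "O17":
        return "verify", f"DNS servers {IP_RE.findall(body)} are set; confirm they belong to your ISP/VPN"
    if kind[0] == "R" and "=" in body:
        value = body.split("=", 1)[1].strip()
        if value:
            return "verify", f"browser page/search setting points to {value}; remove unless you chose it"
        return "ok", "setting is blank"
    return "ok", "no rule matched; judge by path and file name"


def triage(log_text):
    """Run triage_line over a whole log and return one record per parsed line."""
    records = []
    for line in log_text.splitlines():
        result = triage_line(line)
        if result:
            records.append({"line": line.strip(), "verdict": result[0], "reason": result[1]})
    return records


def summary(records):
    """Count verdicts so it is clear at a glance how far from 'clean' the log is."""
    counts = {}
    for r in records:
        counts[r["verdict"]] = counts.get(r["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    rows = triage(SAMPLE_LOG)
    for r in rows:
        print(f"[{r['verdict']:7}] {r['line'][:70]}\n          {r['reason']}")
    print(summary(rows))
```

Entries that match no rule come back as "ok" only in the sense that the thread's rules have nothing to say about them; as post 16 notes, those still have to be judged by path and file name.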
  23. klauskinky

    klauskinky TS Rookie Topic Starter

    Will I ever be clean?

    Dear Vigilante,

    I am not sure I am using that server...I usually connect via a dial-up to something called Fiberlink, a program that connects you wherever you are in the world...but I don't think it has anything to do with psi...how can I be sure it's something I don't need? I wouldn't want to delete my only chance to connect to the internet...
  24. IronDuke

    IronDuke TS Rookie Posts: 1,267

    Make a note of them. If you should need them they can be entered in your connection settings.
  25. klauskinky

    klauskinky TS Rookie Topic Starter

    Mystery solved...

    When I connect to the Internet and run HJT the item is not there anymore...and only comes back as soon as I connect...so I believe that is my connection.

    Apart from that...how does my scan look? Can I consider myself clean?

    KK