TechSpot

Scan log files -- Thank you in advance for your time and help

By 326_grn
Jul 24, 2007
  1. **I originally pasted the actual text of the logs into this thread; realizing my mistake, the log files can be found in my most recent posts at the bottom of the page. Sorry for the mishap.**


    My original post:

    Greetings,

    After an installation of Nero 7, Nero Scout, and additional w00arez, symptoms include marketing pop-up chains, pseudo-Windows notifications marketing malware-removal software, and a significant decrease in availability of system resources.

    Thank you very much in advance for your time and assistance.
     
  2. 326_grn

    326_grn TS Rookie Topic Starter

    My apologies for the large blocks of text.
     
  3. 326_grn

    326_grn TS Rookie Topic Starter

    Thanks a lot, guys. To anyone who may have already begun to sift through it: I'm willing to return a favor for any assistance lent to me.

    The output of the scan completed by the AVG anti-rootkit program was: "There were no installed rootkits found on your computer."

    Edited by Moderator: No need for a double post if there are no replies between your current post and the last post, unless bumping the thread. In that case, please wait at least 24 hours before doing so. Otherwise, simply use the "Edit post" button instead.
     
  4. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Sorry for the late reply; I've been busy.

    Step 1:

    Run HijackThis and do a system scan. Place a check in the box next to the following entries (if there):

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = [http]www.seekerbar.com/ie.aspx?tb_id=50154

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

    O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll (file missing)

    O2 - BHO: (no name) - {157CCC88-44B0-4858-8412-60BB1E8EB121} - C:\WINDOWS\system32\awtqp.dll (file missing)

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

    O2 - BHO: H - {B1FBF2E1-C164-4ebe-AB04-B839655CC927} - gyrpsy23.dll (file missing)

    O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe02a.dll (file missing)

    O2 - BHO: - {DA9E35FF-E796-4ABF-A61C-C5F669B9CD3B} - C:\WINDOWS\lbbho.dll (file missing)

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

    O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)

    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - [http]wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?

    O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - [http]www.sidestep.com/get/k42037/sb02a.cab

    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - [http]yax-download.yazzle.net/YazzleActiveX.cab?refid=1123

    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - [http]atv.disney.go.com/global/download/otoy/OTOYAX29b.cab

    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - [http]moviefone.kontiki.com/securedelivery/main/kdx.cab\

    O20 - AppInit_DLLs:

    O20 - Winlogon Notify: khfecay - khfecay.dll (file missing)

    O20 - Winlogon Notify: vturs - C:\WINDOWS\system32\vturs.dll (file missing)

    Close all open programs except HijackThis. Click the Fix Checked button. Wait for the fixing to complete, which may take awhile, and then close HijackThis.

    Step 2:

    Boot into safe mode, under your normal user name (not the administrator account). See how HERE.

    In Windows Explorer, turn on "show all files and folders, including hidden and system." See how HERE.

    Search your system for the filename alcmtr.exe and delete all instances found.

    Then navigate to and delete the following bold files (if there):

    **C:\WINDOWS\system32\UninstallPCTT.exe**

    **C:\WINDOWS\system32\4472F5F453.sys**

    Once that's done, reboot into normal mode and rehide your protected files.

    Step 3:

    Please navigate to www.virustotal.com.

    Click the Choose... button.

    Navigate to the following file:

    C:\WINDOWS\system32\ps.dat

    Click Open. Then click Send File.

    Wait until it's done scanning, then copy and paste the results into a Notepad file and save it to your computer.

    Step 4:

    Rerun HijackThis and ComboFix. Post their logfiles, as well as the VirusTotal log.

    Regards :)

    This thread is for the use of 326_grn only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
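An added triage example, not code from the thread or from HijackThis itself: it parses HijackThis-style log entries (the rows quoted in the post above are embedded as a constructed sample) and flags the patterns the post singles out: registrations whose file is absent, R1 browser settings pointing at a non-Microsoft host or enabling a proxy override, run keys launching a bare filename, and DPF packages sourced from a local file:// path. The trusted-host allowlist and the benign O4 line are assumptions.

```python
import re

# Constructed sample: entries quoted in the post above plus one benign, fully pathed
# O4 line (assumption) to show that it is not flagged.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = [http]www.seekerbar.com/ie.aspx?tb_id=50154
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {157CCC88-44B0-4858-8412-60BB1E8EB121} - C:\WINDOWS\system32\awtqp.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O20 - Winlogon Notify: vturs - C:\WINDOWS\system32\vturs.dll (file missing)
O4 - HKLM\..\Run: [ExampleAgent] C:\Program Files\Example\agent.exe
"""
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# Assumption: hosts a browser search/start-page setting may legitimately point at.
TRUSTED_HOSTS = ("microsoft.com", "msn.com", "live.com")

def host_of(value):
    # Strip the forum's "[http]" defanging or a real scheme, then keep the host part.
    v = value.strip().lower()
    for prefix in ("[http]", "http://", "https://"):
        if v.startswith(prefix):
            v = v[len(prefix):]
    return v.split("/", 1)[0]

def triage_line(line):
    # Returns (section, reason) for a suspicious entry, or None otherwise.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("section"), m.group("body")
    if body.endswith("(file missing)") or body.endswith("(no file)"):
        return sec, "orphaned registration: the referenced file is absent"
    if sec == "R1":
        key, _, value = body.partition(" = ")
        if key.endswith(",ProxyOverride"):
            return sec, "proxy override present for " + value
        host = host_of(value)
        if host and not any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS):
            return sec, "browser setting points at untrusted host " + host
    if sec == "O4" and "\\" not in body.split("] ", 1)[-1]:
        return sec, "autorun by bare filename, resolved through a PATH search"
    if sec == "O16" and "file://" in body.lower():
        return sec, "ActiveX package sourced from a local file:// path"
    return None

def triage(log):
    # Keep only the entries that tripped a rule, in log order.
    return [f for f in (triage_line(l) for l in log.splitlines()) if f]
```

Run `triage(SAMPLE_LOG)` to list the seven flagged entries; the fully pathed O4 line passes, which is the point of the bare-filename rule.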
     
  5. momok

    momok TS Rookie Posts: 2,265

    Hi

    Very Important: Malware infections can possibly lead to identity theft, loss of funds from bank accounts, misuse of credit card information etc. Therefore I strongly encourage you to please read this thread HERE before deciding what course of action to take regarding your infection.


    Regards,
    Your friendly momok =)

    This thread is for the use of 326_grn only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  6. 326_grn

    326_grn TS Rookie Topic Starter

    No big deal; I appreciate any help given.
     
Topic Status:
Not open for further replies.
