Brand New and having problems - help.

[johnnymack]

To whoever is out there, I am new to this site and have been suffering with some form of trojan virus or whatever the horrible little things are. Think they called it PSYME or something similar.

I am posting this to see what to do next.

I have carried out step by step (rigidly to the letter) the 15 steps advised by yourselves prior to this post and please find attachments as requested.

My comp. already seems a lot faster and seems to be working much much better.

Prior to the 15 steps symptoms were -
1) Open programme Icons along the foot of the screen would be listed by 1 letter only?
2) No programmes would be open and sounds music etc would start playing for no reason from speakers (weird)?
3) Comp. running major slowly.



What do I do next or is that me clean again ??

Thanks so much for your help, a wonderful site that I will be making a donation towards.

Johnnymack.

 

[Daveskater]

Hello, johnnymack, and welcome to Techspot :wave:

Please take a moment to read the following threads to make your experience here as enjoyable as possible

Message for all newcomers

SNGX1275's Guide to making a good post/thread

The Techspot FAQ

If you could take a minute to fill in some of your profile information that would be helpful to all members of the forum
Knowing someone's location in the world can be extremely helpful, even if you just put a country.

Also remember to post any problems or questions that you have in the appropriate forums

With regards to your logs, you can have HJT fix these entries because they have been deactivated:

O2 - BHO: XBTP00788 - {F4674901-44F3-436d-A4E6-B1849CFFA72E} - C:\PROGRA~1\CALORI~1.COM\tbu03162\toolbar.dll (file missing)

O9 - Extra button: (no name) - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - (no file)

O9 - Extra button: Calorie-Count.com Toolbar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - (no file)

O9 - Extra 'Tools' menuitem: Calorie-Count.com Toolbar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - (no file)

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - Unknown owner - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe (file missing)

O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - Unknown owner - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe (file missing)

These entries find nothing in Google and I don't recognize them so I would recommend fixing them. If it turns out that they're legitimate, they can be brought back from HJT's backup.

O4 - HKLM\..\Run: [UpdateWin] C:\WINDOWS\system32\appmgmtp.exe

O4 - HKLM\..\RunServices: [UpdateWin] C:\WINDOWS\system32\appmgmtp.exe

O4 - HKCU\..\Run: [UpdateWin] C:\WINDOWS\system32\appmgmtp.exe

O4 - HKCU\..\RunServices: [UpdateWin] C:\WINDOWS\system32\appmgmtp.exe

Those 4 entries look similar but are all different. Fix all of them.

After fixing these entries, follow the instructions here on renaming the Hijack This executable and attach a fresh log to a new reply in this thread.

Your AVG AS log is fine because it cleaned all the infections.


This thread is for the use of johnnymack only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[johnnymack]

Thanks Dave

Think I have done what you asked, here is the new HJT log.

Whats next or am I clean - lol

John

 

[Daveskater]

These entries have some back again:

O4 - HKLM\..\Run: [UpdateWin] C:\WINDOWS\system32\appmgmtp.exe

O4 - HKLM\..\RunServices: [UpdateWin] C:\WINDOWS\system32\appmgmtp.exe

O4 - HKCU\..\Run: [UpdateWin] C:\WINDOWS\system32\appmgmtp.exe

O4 - HKCU\..\RunServices: [UpdateWin] C:\WINDOWS\system32\appmgmtp.exe

Try doing this:
Fix the entries, then run another scan and see if they're there
If they're not there, restart your pc and do another scan.
If they're there, boot into safe mode and run an HJT scan and fix those entries.
Restart into normal mode, run yes, you guessed it, another HJT scan and see if those entries are there.

If they come back after all that, I have some more tricks up my sleeve


This thread is for the use of johnnymack only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[momok]

C:\WINDOWS\system32\appmgmtp.exe definitely belongs to some malware masquerading as a system process.

I would suggest a thorough check on ComboFix logs too before providing the cleaning solution. The system should ideally be cleaned in safe mode, and all related files and registry entries deleted.

These entries in ComboFix need fixing too, relevant programs uninstalled, and related registry keys removed.

C:\WINDOWS\system32\486276407.dat
C:\Program Files\AskSBar
C:\Program Files\OneStepSearch
C:\WINDOWS\system32\uttss.bak2


Regards,
momok