Logs attached please help me!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Lauradorable24, Aug 22, 2006.

  1. Lauradorable24

    Lauradorable24 Private E-2

    Hi,
    I followed all of the steps on the posting "Read & run me first". Attached are my logs; it seems that I have a lot of infected files and spyware. I originally went through these steps because Symantec notified me that I have a Downloader virus. After following all of the steps and procedures, I think that there are a lot more problems under the surface....I'll let you guys be the judge, thanks for your help! The 2 other logs will be posted in the next log since I can't upload more than 3 at a time:)

    Lauren
     

    Attached Files:

  2. Lauradorable24

    Lauradorable24 Private E-2

    Here are the other logs. I seem to be having trouble with the runkeys.txt: when I open the log that was saved on the C drive it's blank. I don't know how that happened. I'm attaching what I have for runkeys.txt, but I think it's blank. What should I do?

    Lauren
     

    Attached Files:

  3. Lauradorable24

    Lauradorable24 Private E-2

    Here's CounterSpy, I forgot to attach it :)
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Next time please allow GetRunKey to complete and attach the correct log which is named runkeys.txt. You should not be manipulating/editing the files yourself.

    Now you need to extract ALL the files from ShowNew.zip as instructed in the download link and run it again and attach a correct log. Perhaps this is the same problem you were having with GetRunKey. You must follow directions. The programs must be extracted from the ZIP files into a folder as instructed. If you don't do this, they will not work properly.

    I need this log before I can continue.
     
  5. Lauradorable24

    Lauradorable24 Private E-2

    I'm sorry but I do not understand the directions. I thought that I was doing it right but I keep getting the blank notepad page. I downloaded GetRunKey.Zip and ShowNew.Zip; they both open with WinZip. Then I clicked on extract and I chose the location C:\Spyware Tools. Next, I clicked on GetRunKey.bat and ShowNew.bat, it asked if I want to run it, I click yes, and then a black screen comes up "C:\WINDOWS\system32\cmd.exe", with a whole bunch of writing: "C:\xrkey10.txt 'grep' is not recognized as an internal or external command, operable program or batch file". A blank notepad log also pops up. I'm so confused that I don't know where I'm going wrong. Could you please point me in the right direction, I don't know what I'm doing that keeps messing me up.

    Thanks
    Lauren
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have to run GetRunKey.bat and ShowNew.bat from the C:\Spyware Tools folder you created. That means after you extract them, close WinZip, then use Windows Explorer to navigate to the C:\Spyware Tools folder. Locate the two .bat files you just extracted and run them one at a time. They will both create logs that pop up at the end of execution. You can just close those notepad windows. The two logs are already saved as c:\runkeys.txt and c:\newfiles.txt.
     
  7. Lauradorable24

    Lauradorable24 Private E-2

    I followed your steps again and found the 2 .bat file logs in the C drive. I opened them and they looked similar to what I already sent, but these are the only .bat file logs in the C drive. I hope they are the right ones.

    Lauren
     

    Attached Files:

  8. Lauradorable24

    Lauradorable24 Private E-2

    The newfiles.txt won't attach because I already attached it before. It's the only one that I have on the C drive, named newfiles.txt. I followed the steps again and I still only have that one log on the C drive for newfiles.
    Lauren
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are still not doing this correctly! Tell me the exact location that you have the ShowNew.bat file at. Also tell me what other files are in the same folder.

    Also do the same for GetRunKey.bat (unless you have it in the same folder as ShowNew.bat).
     
  10. Lauradorable24

    Lauradorable24 Private E-2

    ShowNew.bat is located in C:\Spyware Tools. The other files in that folder are: AUTOEXE.NT, command.com, CONFIG.NT, GetRunKey.bat, ShowNew.bat, Windows-KB890830-V1.19.exe.
    Those 6 things are the only files in that folder. As you can see, GetRunKey.bat is also in that folder. If I right-click on either file, there's no option to extract, but there are 6 WinZip options. When I double-click on either file, I get the log that I sent you, and a black screen that says: C:\xrkey10.txt 'grep' is not recognized as an internal or external command, operable program or batch file

    Lauren
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And this means exactly what I have been saying all along is still true. You are not following the directions given. There are other files in the GetRunKey.zip and ShowNew.zip files that must be extracted. The directions said to extract all the files. You did not do that. You must also extract, into the same folder, the grep.exe and locate.com file from ShowNew.zip. Then the grep.exe that is included within GetRunKey.zip becomes unnecessary since you already have the one from ShowNew.zip.
     
  12. Lauradorable24

    Lauradorable24 Private E-2

    Here's my newfiles.txt, did I do this right?

    Lauren
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now you got it! ;)


    Go to Add/Remove Programs and uninstall the below (only uninstall this one):
    J2SE Runtime Environment 5.0 Update 3

    Note: You have LimeWire 4.9.30 installed. Many versions of malware come bundled with malware.
    Start by downloading two tools we will need

    - Process Explorer

    - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [prutnct] C:\WINDOWS\system32\prutnct.exe
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/hitth...ave/wtinst.cab

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    Now back on Killbox's main window, paste the below filenames into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion...say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\WINDOWS\SYSTEM32\TargetSoftSetup.exe
    C:\WINDOWS\system32\prutnct.exe
    c:\windows\system32\data.~
    c:\windows\system32\INNERADINSTALL.LOG
    c:\windows\system32\K404SearchSetup_MS22.exe
    c:\temp\salmau.dat


    If Killbox does not reboot or if you get a Pending Operations type error message just click OK to continue and then just reboot your PC yourself.
    After reboot locate the below folders and delete if found:
    c:\windows\system32\vmss
    c:\windows\system32\wsxsvc
    c:\program files\SearchRelevant
    c:\program files\Windows AdStatus
    C:\Program Files\SearchRelevant

    Also delete all files in the below folder except ones from the current date (Windows will not let you delete the files from the current day).
    C:\Documents and Settings\Kierstin358\Local Settings\Temp\

    Now attach a new HJT log and tell me how the steps went.
    Also attach a new log from ShowNew and a new log from GetRunKey.
    Make sure you tell me how things are working now!
     
    Last edited: Aug 26, 2006
  14. Lauradorable24

    Lauradorable24 Private E-2

    Everything went well. I didn't have any problems. When I was all finished with everything I ran a symantec scan and it showed no viruses anymore. Here's my new logs. I hope I am posting the correct logs this time. My computer seems to be working fine, but I'll let you be the judge. Thanks for the incredible tech support!


    Thanks:)
    Lauren
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you forget to fix the below?
    O4 - HKCU\..\Run: [prutnct] C:\WINDOWS\system32\prutnct.exe

    It is still in your HJT log. Does the file still exist?

    Have HJT fix that O4 line and delete the file if it exists.
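    The question above (is the O4 entry still there, and does the file it points at still exist?) can be answered for every Run entry at once. The script below is an added example for readers, not a tool from this thread; it only reads the registry and the file system and changes nothing.

    ```powershell
    # Added example (not from the thread): list the HKLM and HKCU Run entries that
    # HijackThis reports as O4 lines, and check whether the executable each one
    # references still exists on disk (the check chaslang asks for on [prutnct]).
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )

    function Get-RunEntryStatus {
        foreach ($key in $runKeys) {
            if (-not (Test-Path $key)) { continue }
            $item = Get-Item $key
            foreach ($name in $item.GetValueNames()) {
                $cmd = [string]$item.GetValue($name)
                # Extract the executable path from the command line: either the
                # first double-quoted token or the first whitespace-delimited token.
                if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] }
                else { $exe = ($cmd -split '\s+')[0] }
                $exe = [Environment]::ExpandEnvironmentVariables($exe)
                [pscustomobject]@{
                    Hive    = $key.Split(':')[0]
                    Name    = $name
                    Command = $cmd
                    Exists  = Test-Path -LiteralPath $exe -PathType Leaf
                }
            }
        }
    }

    # Exists = False means a stale autostart reference (the file was deleted but
    # the Run value was not); Exists = True under system32 with an unfamiliar
    # name is the case that still needs the file removed as well as the entry.
    Get-RunEntryStatus | Sort-Object Exists | Format-Table -AutoSize
    ```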
     
  16. Lauradorable24

    Lauradorable24 Private E-2

    Hi,
    I ran Hijack this again, and I didn't see that
    O4 - HKCU\..\Run: [prutnct] C:\WINDOWS\system32\prutnct.exe. I'm sending my log again, tell me if I'm wrong, but it's not on there. Maybe I sent an old log? Anyways, I'm attaching it again. I also looked in the Windows/system32 folder and there wasn't anything called prutnct.


    Lauren
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must not use this copy of HijackThis:

    C:\Documents and Settings\Kierstin358\Local Settings\Temp\wz184\HijackThis.exe

    Delete this file and in the future only use the one like you did in your very first message.


    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
