[INACTIVE] Help with scan logs please
This thread is now closed
Vmarm
Sun Aug 06 2006, 07:25PM


Registered Member #7
Joined: Mon May 01 2006, 07:44PM
Location: St Louis, MO
Posts: 9
Thanked 0 times in 0 posts
Take a look and let me know if you see anything suspicious

1154906745_7_FT0_activescan.txt
1154906745_7_FT0_hijackthis.log

[ Edited Mon Mar 19 2007, 11:20AM ]

'You cannot succeed until you have failed'
Vmarm
Sun Aug 06 2006, 07:52PM


one more time


1154908355_7_FT315_c.txt

ShadowPuterDude
Sun Aug 06 2006, 09:02PM
...the Shadow knows


Registered Member #1
Joined: Thu Apr 27 2006, 04:52PM
Location: Northern NY
Posts: 251
Thanked 12 times in 12 posts
Download - Pocket Killbox

<< The installed version of Java on this computer is outdated. Install Java Runtime Environment (JRE) 5.0 Update 7 available from http://java.sun.com/javase/downloads/index.jsp. Uninstall all older versions of Java on your computer before installing the latest version of Java. >>

Confirm HijackThis default configuration settings.
1. Run Hijack This
2. Click on the "None of the above, just start the program" button
3. Under "Other stuff", click on the "Config..." button
4. Make sure the following have check marks next to them:
  • Make backups before fixing
  • Confirm fixing & ignoring of items (safe mode)
  • Ignore non-standard but safe domains in IE (e.g. msn.com, microsoft.com)
  • Include list of running processes in logfiles
  • Show intro frame at startup

5. Click on the "Back" Button

Place a checkmark in the box next to the following lines:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
O4 - HKLM\..\Run: [yyultaz] c:\windows\system32\yyultaz.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

Now run Pocket Killbox:

Choose Tools -> Delete Temp Files and click Delete Selected Temp Files

Then after it deletes the files click the Exit (Save Settings) button.

NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue..

Select:
  • Delete on Reboot
  • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    c:\windows\system32\yyultaz.exe
    c:\windows\system32\unPPC.exe
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).



Now boot into SAFE MODE

Open, navigate to, and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
c:\windows\system32\yyultaz.exe <<=== Delete the File
c:\windows\system32\unPPC.exe <<=== Delete the File
Now run CCleaner. If you have delete the contents of C:\WINDOWS\Prefetch.

Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin


And Click OK.

REBOOT to Normal Mode.

Download - Registry Search Tool

Unzip to your Desktop and double click on regsrch.vbs
(if you have script protection, please allow this to run)

In the dialog that opens enter the following:
otc

Press 'OK'

The search will run for a while then alert you when it is finished.

Press 'OK' and copy the contents of the WordPad window and post in this thread.

Post a fresh HijackThis log.


[ Edited Sun Aug 06 2006, 09:07PM ]


"Only those who fail greatly can ever achieve greatly" - Robert F. Kennedy
Microsoft Most Valuable Professional - Consumer Security (2007-2008)
Member - Alliance of Security Analysis Professionals - Since 2006
Linux Registered User # 363218
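As an added example (not code from this thread, from the poster, or from HijackThis itself), a small Python review helper that parses HijackThis-style R0/R1, O4 and O9 lines and flags the kinds of entries fixed above: a home/search page pointing off the allow-list, a Run entry launching a binary from system32 under its own random-looking name, and a browser button whose target file is missing. The sample lines, the allow-list and the heuristics are my own assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed HijackThis-style lines modelled on the entries flagged in this
# thread (not the poster's actual log); the Start Page and SoundMan lines are
# benign decoys showing that the checks below leave them alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O4 - HKLM\..\Run: [yyultaz] c:\windows\system32\yyultaz.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
"""

# Hostnames a reviewer accepts as home/search pages (assumed allow-list).
TRUSTED_HOSTS = {"www.google.com", "www.msn.com"}

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
URL_RE = re.compile(r"^(?P<key>[^=]+?) = (?P<url>\S+)$")

def parse_hjt(text):
    """Split a log into (section, body) tuples, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["sec"], m["body"]))
    return entries

def review(text):
    """Return (section, line, reason) for entries a reviewer should examine."""
    findings = []
    for sec, body in parse_hjt(text):
        if sec in ("R0", "R1"):
            m = URL_RE.match(body)
            host = urlparse(m["url"]).hostname if m else None
            if host not in TRUSTED_HOSTS:  # OEM redirect or hijacked page
                findings.append((sec, body, f"home/search page set to {host}"))
        elif sec == "O4" and (m := RUN_RE.match(body)):
            cmd = m["cmd"].lower().strip('"')
            exe = cmd.split("\\")[-1]
            # Binary launched from system32 under its own (random-looking) name
            if "\\system32\\" in cmd and exe.rsplit(".", 1)[0] == m["name"].lower():
                findings.append((sec, body, f"Run entry [{m['name']}] starts {exe} from system32"))
        elif sec == "O9" and "(file missing)" in body:
            findings.append((sec, body, "orphaned browser button: target file missing"))
    return findings
```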
ShadowPuterDude
Tue Aug 08 2006, 07:23AM


Vmarm's logs.
1155036221_1_FT315_hijackthis.log
1155036221_1_FT315_regsearch.txt


"Only those who fail greatly can ever achieve greatly" - Robert F. Kennedy
Microsoft Most Valuable Professional - Consumer Security (2007-2008)
Member - Alliance of Security Analysis Professionals - Since 2006
Linux Registered User # 363218
Back to top
Website
ShadowPuterDude
Tue Aug 08 2006, 09:39PM


Your HijackThis log is clean, and Registry Search didn't show a registry key for OTC found by Panda ActiveScan.

Post your Ewido Anti-Malware log from the pre-cleaning steps.


"Only those who fail greatly can ever achieve greatly" - Robert F. Kennedy
Microsoft Most Valuable Professional - Consumer Security (2007-2008)
Member - Alliance of Security Analysis Professionals - Since 2006
Linux Registered User # 363218
Back to top
Website
 
