
Tech Support Team



Closed Thread
  #1
11th January 2008, 06:50 PM
Jaymie1989
Account Disabled
Join Date: Dec 2007, 276 posts.
Location: Brighton
Check Up

Hey,

Thought I would come for an MOT.

Spyware, anti-virus and online scanners didn't come up with anything, but it just seems a bit weird.

Here is my log

Last edited by Howard; 16th January 2008 at 07:42 PM. Reason: Removed attachment.
  #2
11th January 2008, 06:56 PM
Jason
Super Moderator
Join Date: Oct 2007, 2,181 posts.
Why haven't you attached your log to this thread? And why is your HJT log an .xml?

Regards Jason
  #3
11th January 2008, 06:57 PM
evilfantasy
Security Team
Join Date: Dec 2007, 2,555 posts.
Location: Tulsa, OK
Toss the beta version of Hijackthis you have and download the new version from the below link.

Let it install to the default location. Then post a new log.

http://www.trendsecure.com/portal/en...HJTInstall.exe
__________________
.

ƃolq s’ʎsɐʇuɐɟlıʌǝ
  #4
11th January 2008, 06:58 PM
Daveskater
Community Moderator
Join Date: Dec 2007, 4,345 posts.
Location: Oxford, UK
I see one or two things in there that could do with fixing, but before doing anything, download the latest version of HJT from the link in the malware removal instructions (v2.0.2 - you are running 2.0.0 beta) and move it to its own folder and rename the executable file, as it says in the instructions.

Post back with a new log after you have done this.
__________________
Numberwang!

A little air on the earth.
  #5
11th January 2008, 07:02 PM
Jaymie1989
Account Disabled
Join Date: Dec 2007, 276 posts.
Location: Brighton
Here it is

Last edited by Howard; 16th January 2008 at 07:42 PM. Reason: Removed attachment.
  #6
11th January 2008, 07:12 PM
Daveskater
Community Moderator
Join Date: Dec 2007, 4,345 posts.
Location: Oxford, UK
You're still running HJT on the desktop with the default name.

Go to C:\Program Files and make a folder called HJT. Move the Hijackthis.exe file to that folder, and rename it to Crusty.exe. Note that unless you have the file extension set to visible, you will just need to type in Crusty and press enter.

Do this then post another new log.

Sorry for putting you through all this, but it's the best way to get as much out of HJT as you can
  #7
11th January 2008, 07:31 PM
evilfantasy
Security Team
Join Date: Dec 2007, 2,555 posts.
Location: Tulsa, OK
Also, since HJT only shows some forms of malware you will need to do a more thorough scan to determine if there are any infections.

Use the Kaspersky Online Scanner.

Please use the Internet Explorer browser (or Firefox with IETab), and do an online scan with Kaspersky Online Scanner.

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

Click Yes when prompted to install its ActiveX component.
(Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.


To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please attach the Kaspersky Online Scanner Report in your next post.
  #8
12th January 2008, 10:04 AM
Jaymie1989
Account Disabled
Join Date: Dec 2007, 276 posts.
Location: Brighton
Here are my scan results.

Surprised there are infections.

Last edited by Howard; 16th January 2008 at 07:43 PM. Reason: Removed attachments.
  #9
12th January 2008, 10:53 AM
Howard
TST Master
Join Date: Dec 2007, 3,366 posts.
Go HERE and run CCleaner as per the instructions in step 7.

Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or folders (if there).

C:\windows\ALCMTR.EXE

Reboot your computer.

Download combofix.exe TO Your Desktop. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "I" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Combofix will automatically save the log file to C:\combofix.txt

Post a fresh HJT log as well as the Combofix log.

Regards Howard

This thread is for the use of Jaymie1989 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Malware Removal forum.
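
Added example (not part of any post in this thread): a short Python triage pass over HijackThis lines in the O2 and O4 formats quoted in post #9. It flags BHO registrations whose target is "(no file)" and Run entries that give no path; the two "Example" lines in the sample input and the function names are constructed for illustration.

```python
import re

# Sample input: the first and third lines are the entries quoted in the post;
# the two "Example" lines are constructed for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /min
"""

# O2 - BHO: <name> - {CLSID} - <dll path or "(no file)">
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$")
# O4 - <registry key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def executable_of(cmd):
    """Return the program part of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    """Return (section, identifier, reason) for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        bho = O2_RE.match(line)
        if bho:
            if bho["target"] == "(no file)":
                findings.append(("O2", bho["clsid"], "BHO registered but its file is missing"))
            continue
        run = O4_RE.match(line)
        if run:
            exe = executable_of(run["cmd"])
            if "\\" not in exe:
                # No directory given: the log alone does not show which file runs.
                findings.append(("O4", run["name"], "autorun with no path: " + exe))
    return findings


if __name__ == "__main__":
    for section, ident, reason in triage(SAMPLE_LOG):
        print(f"{section}  {ident}  {reason}")
```

A flag here only marks an entry for identification; it is not a verdict that the file behind it is malicious.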
  #10
12th January 2008, 11:14 AM
Jaymie1989
Account Disabled
Join Date: Dec 2007, 276 posts.
Location: Brighton
C:\WINDOWS\ALCMTR.EXE is for my sound
  #11
12th January 2008, 11:21 AM
tomrca
TST Expert
Join Date: Dec 2007, 702 posts.
Location: sunderland
info on ALCMTR.EXE

Realtek AC97 Audio - Event Monitor. "Spyware" file used to surreptitiously monitor one's actions. It is not a sinister one, like remote control programs, but it is being used by Realtek to gather data about customers. If you delete this file, then you will not be able to properly update your drivers in the future. It is therefore recommended that you disable the startup instead.
__________________
click to access
hijackthis
free firewall
  #12
12th January 2008, 11:26 AM
Jaymie1989
Account Disabled
Join Date: Dec 2007, 276 posts.
Location: Brighton
Ok.

All done here they are

It wont let me upload .txt so here it is

Last edited by Howard; 16th January 2008 at 07:43 PM. Reason: Removed attachment.
  #13
12th January 2008, 11:35 AM
tomrca
TST Expert
Join Date: Dec 2007, 702 posts.
Location: sunderland
HJT looks clean to me, but Howard "Merlin" Hopkinson just might find something
  #14
12th January 2008, 03:33 PM
Howard
TST Master
Join Date: Dec 2007, 3,366 posts.
Your HJT log is clean.

The ALCMTR.EXE is indeed part of Realtek, but it phones home a lot with info that is not required. Therefore, it is classed as spyware.

Your Combofix log appears to be clean.

Click start/run and type combofix /u into the run box and hit the enter key. This will uninstall Combofix and all its folders etc.

Turn off System Restore (XP/ME only). See how HERE.

Now, turn System Restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

Once done, you're good to go.


If you have any further virus/spyware problems, please post in this thread.

Regards Howard

This thread is for the use of Jaymie1989 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Malware Removal forum.

Last edited by Howard; 12th January 2008 at 03:46 PM.
  #15
12th January 2008, 03:45 PM
Jaymie1989
Account Disabled
Join Date: Dec 2007, 276 posts.
Location: Brighton
Cheers
  #16
12th January 2008, 03:47 PM
Howard
TST Master
Join Date: Dec 2007, 3,366 posts.
This thread is now closed.

If you are the original poster and need this thread re-opened please contact a moderator or PM me.

Note: Only the original poster can do this, anyone else will be ignored.

Regards Howard