I run:
Windows 7 Home Premium
Version 6.1 (Build 7601:Service Pack 1)
Manufacturer: Gateway
Model SX2851
Processor Intel ® Pentium ® CPU G6951@2.86
64-bit operating system
My logs are as follows:
1st log
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org
Database version: v2012.04.01.03
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
psycherelics :: PSYCHERELICS-PC [administrator]
4/1/2012 11:15:25 AM
mbam-log-2012-04-01 (11-15-25).txt
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 354603
Time elapsed: 2 hour(s), 24 minute(s), 1 second(s)
Memory Processes Detected: 0 (No malicious items detected)
Memory Modules Detected: 0 (No malicious items detected)
Registry Keys Detected: 0 (No malicious items detected)
Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Update (Trojan.Agent.GMAGen) -> Data: rundll32.exe "C:\Users\psycherelics\AppData\Roaming\BitTorrent\BitTorrent\vmvsz.dll",DllRegisterServer -> Quarantined and deleted successfully.
Registry Data Items Detected: 0 (No malicious items detected)
Folders Detected: 0 (No malicious items detected)
Files Detected: 2
C:\Users\psycherelics\AppData\Local\Temp\ntnms.dll (Trojan.Hiloti) -> Delete on reboot.
C:\Users\psycherelics\AppData\Local\Temp\arg198138.exe (Trojan.Tracur) -> Quarantined and deleted successfully.
(end)
2nd log
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org
Database version: v2012.04.01.03
Windows 7 Service Pack 1 x64 NTFS (Safe Mode)
Internet Explorer 9.0.8112.16421
psycherelics :: PSYCHERELICS-PC [administrator]
4/1/2012 5:05:28 PM
mbam-log-2012-04-01 (17-05-28).txt
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 352830
Time elapsed: 1 hour(s), 13 minute(s), 19 second(s)
Memory Processes Detected: 0 (No malicious items detected)
Memory Modules Detected: 0 (No malicious items detected)
Registry Keys Detected: 0 (No malicious items detected)
Registry Values Detected: 0 (No malicious items detected)
Registry Data Items Detected: 0 (No malicious items detected)
Folders Detected: 0 (No malicious items detected)
Files Detected: 0 (No malicious items detected)
(end)
3rd log
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org
Database version: v2012.04.03.03
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
psycherelics :: PSYCHERELICS-PC [administrator]
4/2/2012 6:34:54 PM
mbam-log-2012-04-02 (18-34-54).txt
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 356261
Time elapsed: 2 hour(s), 27 minute(s), 22 second(s)
Memory Processes Detected: 0 (No malicious items detected)
Memory Modules Detected: 0 (No malicious items detected)
Registry Keys Detected: 0 (No malicious items detected)
Registry Values Detected: 0 (No malicious items detected)
Registry Data Items Detected: 0 (No malicious items detected)
Folders Detected: 0 (No malicious items detected)
Files Detected: 0 (No malicious items detected)
(end)
I was seeing messages like the following when I start up:
C:\\Users|PSYCHE~1\AppData\Local\Temp\prdrov.dll
The specified module could not be found.
The other message was:
C:\\Users|PSYCHE~1\AppData\Local\Temp\ntnms.dll
I was worried, though, that there was a new user in my fill-in form that showed up for my work email that doesn't show up in my contact card in the security password locker.
I ran Malware, SuperAntiVirus, Norton. It came up with either nothing or tracking cookies.
I followed an old article about the Backdoor.Fuwudoor.
1. I disabled system restore.
2. Updated the virus definitions.
3. Restarted the computer in Safe mode.
4. Then, I ran a full system scan.
5. It came up with SysVer or something like that and Norton fixed it.
6. Then, I went to fix the registry as per the article and couldn't find the registry keys listed in the article.
When I restarted the computer, I was still getting these messages.
So, I ran the Super Eraser and nothing came up.
I was still getting these messages.
Then I downloaded the boot-able recovery tool and had my computer boot up with the tool.
It came up with nothing.
I am still getting these messages when I restart my computer.
I am not sure whether the virus is still there or not. The messages get me worried.
I ran NPE.exe and msert.exe
I unchecked all the cannot find *dll entries for things that are start up.
Then I got rid of all the asktoolbar items following the instructions in
http://forums.anandtech.com/archive/index.php/t-2068161.html
Now I don't get messages, but I don't know if the virus still exists.
I appreciate your help!
