Something's infected

Yes, it looks like there's a new infection in your latest log.

Please download SDFix and save it to your Desktop.

Double-click SDFix.exe and it will extract the files to C:\SDFix.

You may wish to print out these instructions or copy them to a notepad document since you will be unable to access the Internet while in Safe Mode to read from this site.

Please then reboot your computer in Safe Mode (tap F8 just before Windows starts to load and select Safe Mode from the list).
  • Open the extracted SDFix folder and double-click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
  • Press any key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also be saved into the SDFix folder as Report.txt
    (Report.txt will also be copied to the clipboard, ready for posting back on the forum).
  • Finally, paste the contents of Report.txt back on the forum in your next reply.

Please run HijackThis and choose Do a system scan only.

Place a check next to the following entries (where still present):
  • O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
  • O21 - SSODL: KernelCD - {dee6851b-a492-48ec-881f-1bbe9aea5f43} - C:\WINDOWS\Installer\{dee6851b-a492-48ec-881f-1bbe9aea5f43}\KernelCD.dll
  • O21 - SSODL: zip - {41c95821-d9f1-49cf-914d-301550ad3e0f} - C:\WINDOWS\Installer\{41c95821-d9f1-49cf-914d-301550ad3e0f}\zip.dll
  • O23 - Service: IDSignet Registration Service (IDRegSvr) - Unknown owner - C:\Program Files\IDSignet\ID-Sign\IDRegSvr.exe (file missing)
Please close all open windows except for HijackThis and choose Fix checked.

Please run OTMoveIt2 again.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\WINDOWS\Installer\{dee6851b-a492-48ec-881f-1bbe9aea5f43}
    C:\WINDOWS\Installer\{41c95821-d9f1-49cf-914d-301550ad3e0f}
  • Return to OTMoveIt2, right click in the Paste Standard List of Files/Folders to be Moved window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply. These results are also located at C:\_OTMoveIt\MovedFiles\Date_Time.log, where Date_Time is the date and time you ran OTMoveIt.
  • Close OTMoveIt2.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please reboot and post
  • The SDFix report
  • The OTMoveIt2 report
  • A new HijackThis log
 
I try to go to Safe Mode, but it loads up (after I click Enter on Safe Mode) and it just stays at the final load; I waited for 10 minutes and it still didn't load. Any ideas why?
 
Could be an issue with the SafeBoot key; try this:

Download & run SafeBootKeyRepair
A log should be produced at C:\SafeBoot_Repair.txt. Please post this log and try rebooting into Safe Mode again.
 
SDFix: Version 1.157

Run by Owner on 03/15/2008 Sat at 09:51 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\Installer\{dee6851b-a492-48ec-881f-1bbe9aea5f43}\KernelCD.dll - Deleted
C:\WINDOWS\Installer\{41c95821-d9f1-49cf-914d-301550ad3e0f}\zip.dll - Deleted
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url - Deleted
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url - Deleted
C:\Program Files\antiviirus.exe - Deleted
C:\WINDOWS\bokpkov.dll - Deleted
C:\WINDOWS\fmsxwqs.exe - Deleted



Folder C:\WINDOWS\Installer\{dee6851b-a492-48ec-881f-1bbe9aea5f43} - Removed
Folder C:\WINDOWS\Installer\{41c95821-d9f1-49cf-914d-301550ad3e0f} - Removed


Removing Temp Files

ADS Check :



Final Check :


catchme 0.3.1061 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net


Usage: catchme.exe [options]

-p processes scan
-s servicess scan
-r autostart entries scan
-f [folder] files scan
-c source destination copy file
-k filename kill file
-K filename kill file without making a copy
-o filename dummy overwrite/replace file with dummy
-O filename dummy overwrite/replace file with dummy without making a copy

-u do not display GUI
-a display all information
-t show all Alternate Data Streams
-g grab hidden files to %DESKTOP%\catchme.zip
-n use NTAPI
-d scan subfolders ( use with options -f and -a )
-l log file name
-h display this help

samples of usage:

catchme.exe -a -p
catchme.exe -a -s
catchme.exe -a -f C:\WINDOWS
catchme.exe -a -d -f C:\WINDOWS
catchme.exe -k C:\WINDOWS\system32:pe386.sys
catchme.exe -c C:\WINDOWS\system32:pe386.sys C:\pe386.sys

please note that you need administrator rights to perform deep scan


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 15 Mar 2008 16,520 ..SHR --- "C:\Program Files\tmp112812.exe"
Sat 15 Mar 2008 16,520 ..SHR --- "C:\Program Files\tmp118560.exe"
Fri 14 Mar 2008 16,520 ..SHR --- "C:\Program Files\tmp120988692.exe"
Fri 14 Mar 2008 16,520 ..SHR --- "C:\Program Files\tmp120994581.exe"
Fri 14 Mar 2008 16,520 ..SHR --- "C:\Program Files\tmp164200157.exe"
Fri 14 Mar 2008 16,520 ..SHR --- "C:\Program Files\tmp49280.exe"
Fri 14 Mar 2008 16,520 ..SHR --- "C:\Program Files\tmp54848.exe"
Fri 14 Mar 2008 16,520 ..SHR --- "C:\Program Files\tmp78482.exe"
Fri 14 Mar 2008 16,520 ..SHR --- "C:\Program Files\tmp84731.exe"
Wed 3 May 2006 163,328 ..SHR --- "C:\WINDOWS\system32\flvDX.dll"
Wed 21 Feb 2007 31,232 ..SHR --- "C:\WINDOWS\system32\msfDX.dll"
Sun 16 Sep 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 26 Jun 2005 616,448 ..SHR --- "C:\Program Files\eRightSoft\SUPER\cygwin1.dll"
Tue 21 Jun 2005 45,568 ..SHR --- "C:\Program Files\eRightSoft\SUPER\cygz.dll"
Mon 14 Jan 2008 72,704 ..SHR --- "C:\Program Files\eRightSoft\SUPER\Setup.exe"
Wed 4 Apr 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 4 Jun 2002 84,992 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\14_43260.dll"
Tue 4 Jun 2002 44,032 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\28_83260.dll"
Mon 9 Dec 2002 73,766 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\atrc3260.dll"
Mon 9 Dec 2002 65,575 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\cook3260.dll"
Sun 9 Jun 2002 36,864 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ddnt3260.dll"
Tue 4 Jun 2002 20,480 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dnet3260.dll"
Mon 9 Dec 2002 102,437 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv13260.dll"
Mon 9 Dec 2002 176,165 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv23260.dll"
Mon 9 Dec 2002 208,935 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv33260.dll"
Mon 9 Dec 2002 217,127 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv43260.dll"
Sun 9 Jun 2002 40,448 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dspr3260.dll"
Sat 3 Nov 2001 225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ivvideo.dll"
Tue 10 Apr 2001 225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\qtmlClient.dll"
Fri 20 Feb 2004 232,960 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\raac.dll"
Sun 9 Jun 2002 525,824 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rnco3260.dll"
Mon 9 Dec 2002 245,805 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rnlt3260.dll"
Mon 9 Dec 2002 45,093 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv103260.dll"
Mon 9 Dec 2002 98,341 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv203260.dll"
Mon 9 Dec 2002 94,247 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv303260.dll"
Mon 9 Dec 2002 90,151 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv403260.dll"
Mon 9 Dec 2002 102,439 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\sipr3260.dll"
Sun 9 Jun 2002 49,152 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\tokr3260.dll"
Wed 23 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a67b6c406b1d7e0f5c1e6f6d44a3f6e\BITA.tmp"
Wed 23 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\26924cbc8132a10b438ce6e2b49d4652\BIT8.tmp"
Wed 23 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2769b111678c52099a3b3123b12f2325\BITC.tmp"
Thu 24 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT7.tmp"
Thu 24 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\78670cbd6a90baaa408a8a72f52fdce2\BIT8.tmp"
Wed 23 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b69c46c5109d0f8b0dee9fab84906813\BITB.tmp"
Thu 24 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\bc066f3f60df1b38218903dd0d40ce98\BIT9.tmp"
Wed 23 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d77b9b5b8fed23dd91f50d167cce60d3\BITD.tmp"
Wed 23 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa6c916bb150f8a929e7a4ffdfbc120f\BIT9.tmp"

Finished!
 
File/Folder C:\WINDOWS\Installer\{dee6851b-a492-48ec-881f-1bbe9aea5f43} not found.
File/Folder C:\WINDOWS\Installer\{41c95821-d9f1-49cf-914d-301550ad3e0f} not found.

OTMoveIt2 v1.0.20 log created on 03152008_221505


Should I ever do the cleanup process?


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:17:59 PM, on 3/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {B8C4B31D-6DCE-4DF0-BF73-44686849F67D} (PDRInst1 Class) - http://imgcdn.pandora.tv/pan_img/p3player/package/pdrinst.cab
O16 - DPF: {BE81B237-0EE9-40F6-BABB-0CE2C1DA7832} (ImPlayer Control) - http://activexdown.paran.com/paranactivex/data/ImPlayer.cab
O16 - DPF: {CEE326E8-7571-4086-B347-3C0ACA9A9DE8} (PcubeSet Class) - http://www.ongamenet.com/p3test/p3instal.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IDSignet Registration Service (IDRegSvr) - Unknown owner - C:\Program Files\IDSignet\ID-Sign\IDRegSvr.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

--
End of file - 4209 bytes
 
Don't run the cleanup process yet; it's designed to remove the tools we've used and the backups that they've created. Only run it once all the malware is removed. SDFix has removed most of the infections, but there's still a bit more to go.

Please run OTMoveIt2 again.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\Program Files\tmp112812.exe
    C:\Program Files\tmp118560.exe
    C:\Program Files\tmp120988692.exe
    C:\Program Files\tmp120994581.exe
    C:\Program Files\tmp164200157.exe
    C:\Program Files\tmp49280.exe
    C:\Program Files\tmp54848.exe
    C:\Program Files\tmp78482.exe
    C:\Program Files\tmp84731.exe
  • Return to OTMoveIt2, right click in the Paste Standard List of Files/Folders to be Moved window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply. These results are also located at C:\_OTMoveIt\MovedFiles\Date_Time.log, where Date_Time is the date and time you ran OTMoveIt.
  • Close OTMoveIt2.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please use the Internet Explorer browser (or Firefox with IETab), and do an online scan with Kaspersky Online Scanner.

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add or Remove Programs before downloading the new ActiveX component.

Click Yes, when prompted to install its ActiveX component.
(Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect; however, we need to analyze the information in the report.
Kas-SaveReport-1.gif

Kas-Savetxt.gif

To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

Please post both the OTMoveIt2 report and the Kaspersky Online Scanner Report.
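The nine files the helper pulled out of the SDFix "Files with Hidden Attributes" list share one size (16,520 bytes), the System+Hidden+Read-only flags and a tmp<digits>.exe name in the root of Program Files. As an added example (not code from the thread, from SDFix or from any of the tools mentioned), here is a Python parser that reads that section of an SDFix report and applies the same triage; the line layout it assumes is the one shown in the report above, and the sample lines are a constructed subset of that report.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# One line of SDFix's "Files with Hidden Attributes" section looks like:
#   Sat 15 Mar 2008 16,520 ..SHR --- "C:\Program Files\tmp112812.exe"
# i.e. weekday day month year, size with thousands separators, five attribute
# flags (A=archive, S=system, H=hidden, R=read-only, '.'=not set), '---', quoted path.
LINE_RE = re.compile(
    r'^(?P<wday>[A-Za-z]{3}) (?P<day>\d{1,2}) (?P<mon>[A-Za-z]{3}) (?P<year>\d{4}) '
    r'(?P<size>[\d,]+) (?P<attrs>[A-Z.]{5}) --- "(?P<path>[^"]+)"$'
)
TMP_EXE_RE = re.compile(r'^tmp\d+\.exe$', re.IGNORECASE)
EXEC_EXT = ('.exe', '.dll', '.sys', '.scr')


@dataclass(frozen=True)
class HiddenFile:
    path: str
    size: int
    attrs: str  # e.g. "..SHR"

    @property
    def directory(self) -> str:
        return self.path.rsplit('\\', 1)[0].lower()

    @property
    def name(self) -> str:
        return self.path.rsplit('\\', 1)[1]

    @property
    def is_executable(self) -> bool:
        return self.name.lower().endswith(EXEC_EXT)

    @property
    def system_and_hidden(self) -> bool:
        return 'S' in self.attrs and 'H' in self.attrs


def parse_hidden_section(report: str) -> list[HiddenFile]:
    """Extract the entries under 'Files with Hidden Attributes :' from an SDFix report."""
    files: list[HiddenFile] = []
    in_section = False
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith('Files with Hidden Attributes'):
            in_section = True
            continue
        if not in_section or not line:
            continue
        if line == 'Finished!':          # SDFix closes the report with this marker
            break
        m = LINE_RE.match(line)
        if m is None:
            continue                     # tolerate a line in an unexpected layout
        files.append(HiddenFile(m['path'], int(m['size'].replace(',', '')), m['attrs']))
    return files


def triage(files: list[HiddenFile]):
    """Apply the two observations the helper used on this report.

    flagged : tmp<digits>.exe dropped straight into the root of Program Files with
              the System+Hidden attributes set (legitimate installers use a subfolder).
    clusters: three or more executables in one directory sharing size and attribute
              flags, the fingerprint of a dropper writing several copies of one payload.
    """
    flagged = [f for f in files
               if f.system_and_hidden
               and f.directory == r'c:\program files'
               and TMP_EXE_RE.match(f.name)]
    groups: dict[tuple[str, int, str], list[HiddenFile]] = defaultdict(list)
    for f in files:
        if f.is_executable:
            groups[(f.directory, f.size, f.attrs)].append(f)
    clusters = {key: members for key, members in groups.items() if len(members) >= 3}
    return flagged, clusters


# Constructed sample: a subset of the hidden-attribute lines from the report above,
# in SDFix's own layout, plus the section header and the closing marker.
SAMPLE_REPORT = r"""Files with Hidden Attributes :

Sat 15 Mar 2008 16,520 ..SHR --- "C:\Program Files\tmp112812.exe"
Sat 15 Mar 2008 16,520 ..SHR --- "C:\Program Files\tmp118560.exe"
Fri 14 Mar 2008 16,520 ..SHR --- "C:\Program Files\tmp120988692.exe"
Fri 14 Mar 2008 16,520 ..SHR --- "C:\Program Files\tmp49280.exe"
Fri 14 Mar 2008 16,520 ..SHR --- "C:\Program Files\tmp84731.exe"
Wed 3 May 2006 163,328 ..SHR --- "C:\WINDOWS\system32\flvDX.dll"
Sun 16 Sep 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 4 Jun 2002 84,992 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\14_43260.dll"
Tue 4 Jun 2002 44,032 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\28_83260.dll"
Mon 9 Dec 2002 73,766 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\atrc3260.dll"

Finished!
"""

if __name__ == '__main__':
    flagged, clusters = triage(parse_hidden_section(SAMPLE_REPORT))
    for f in flagged:
        print(f'suspicious dropper file: {f.path} ({f.size} bytes, {f.attrs})')
    for (directory, size, attrs), members in clusters.items():
        print(f'cluster of {len(members)} x {size}-byte {attrs} executables in {directory}')
```

The SUPER\mencoder DLLs are hidden and read-only too, but differ in size from one another, so the cluster rule leaves them alone, just as the helper did.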
 
OK, unfortunately the Kaspersky online scanner doesn't remove what it finds, so without the log we'll need to run another online scan.


  • Using Internet Explorer, please go HERE to run BitDefender's online scan.
  • Read the terms and then click I Agree.
  • You may receive a Security Warning about the BitDefender ActiveX control. If you do, please allow it to install.
  • On the scanning Options screen, press Click Here To Scan and then follow the on-screen prompts.
  • Once BitDefender is finished scanning your computer it will automatically remove the infections. Once the removal process is finished, press the Close button and a dialog box will appear asking if you want to send your scan log back to the makers of BitDefender. You do not have to do this; please press the button that says View Log and post that log in your next reply.
 
nvm, I ran it again and it worked this time.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, March 24, 2008 8:51:18 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 24/03/2008
Kaspersky Anti-Virus database records: 658588
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 35228
Number of viruses found: 16
Number of infected objects: 42
Number of suspicious objects: 0
Duration of the scan process: 05:55:20

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd002.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\OASLogs\OAS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\tc4p2q3p.default\cert8.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\tc4p2q3p.default\GoogleToolbarData\googlesafebrowsing.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\tc4p2q3p.default\history.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\tc4p2q3p.default\key3.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\tc4p2q3p.default\parent.lock Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\tc4p2q3p.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\tc4p2q3p.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\55\265b8ef7-6f435c83/BaaaaBaa.class Infected: Exploit.Java.Gimsh.a skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\55\265b8ef7-6f435c83 ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Desktop\My stuff\PC Fix\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Owner\Desktop\My stuff\PC Fix\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Owner\Desktop\My stuff\PC Fix\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\tc4p2q3p.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\tc4p2q3p.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\tc4p2q3p.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\tc4p2q3p.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008031720080324\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008032420080325\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Program Files\Mozilla Firefox\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080119-233416-292.dll Infected: not-a-virus:AdWare.Win32.BHO.uq skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080119-233416-863.dll Infected: Trojan-Downloader.Win32.Zlob.gfo skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080119-233442-571.dll Infected: Trojan-Downloader.Win32.Zlob.gfo skipped
C:\QooBox\Quarantine\C\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll.vir Infected: not-a-virus:AdWare.Win32.Shopper.q skipped
C:\QooBox\Quarantine\C\WINDOWS\alofkmn.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.agc skipped
C:\QooBox\Quarantine\C\WINDOWS\bxlrvps.dll.vir Infected: not-a-virus:AdWare.Win32.Vapsup.brg skipped
C:\QooBox\Quarantine\C\WINDOWS\dgtxrdfrmw.dll.vir Infected: not-a-virus:AdWare.Win32.Vapsup.brh skipped
C:\QooBox\Quarantine\C\WINDOWS\ekvgsnw.dll.vir Infected: not-a-virus:AdWare.Win32.Vapsup.bri skipped
C:\QooBox\Quarantine\C\WINDOWS\fkxvkns.exe.vir Infected: not-a-virus:AdWare.Win32.Vapsup.brk skipped
C:\QooBox\Quarantine\C\WINDOWS\Installer\{df5b761e-1842-4171-a917-c4ca280c4206}\MonWin.dll.vir Infected: Trojan-Downloader.Win32.Agent.jnw skipped
C:\SDFix\backups\backups.zip/backups/antiviirus.exe Infected: Trojan-Dropper.Win32.Agent.ftv skipped
C:\SDFix\backups\backups.zip/backups/bokpkov.dll Infected: not-a-virus:AdWare.Win32.Vapsup.cqh skipped
C:\SDFix\backups\backups.zip/backups/fmsxwqs.exe Infected: not-a-virus:AdWare.Win32.Vapsup.cqh skipped
C:\SDFix\backups\backups.zip ZIP: infected - 3 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{DFF0EF03-509E-470F-B3A3-5F731C5FE7CF}\RP310\A0067804.dll Infected: Trojan-Dropper.Win32.Agent.fwj skipped
C:\System Volume Information\_restore{DFF0EF03-509E-470F-B3A3-5F731C5FE7CF}\RP310\A0067805.dll Infected: Trojan-Dropper.Win32.Agent.fwj skipped
C:\System Volume Information\_restore{DFF0EF03-509E-470F-B3A3-5F731C5FE7CF}\RP310\A0067806.exe Infected: Trojan-Dropper.Win32.Agent.ftv skipped
C:\System Volume Information\_restore{DFF0EF03-509E-470F-B3A3-5F731C5FE7CF}\RP310\A0067807.dll Infected: not-a-virus:AdWare.Win32.Vapsup.cqh skipped
C:\System Volume Information\_restore{DFF0EF03-509E-470F-B3A3-5F731C5FE7CF}\RP310\A0067808.exe Infected: not-a-virus:AdWare.Win32.Vapsup.cqh skipped
C:\System Volume Information\_restore{DFF0EF03-509E-470F-B3A3-5F731C5FE7CF}\RP310\A0067812.exe Infected: Trojan-Dropper.Win32.Agent.ftv skipped
C:\System Volume Information\_restore{DFF0EF03-509E-470F-B3A3-5F731C5FE7CF}\RP310\A0067813.dll Infected: not-a-virus:AdWare.Win32.Vapsup.cqh skipped
C:\System Volume Information\_restore{DFF0EF03-509E-470F-B3A3-5F731C5FE7CF}\RP310\A0067814.exe Infected: not-a-virus:AdWare.Win32.Vapsup.cqh skipped
C:\System Volume Information\_restore{DFF0EF03-509E-470F-B3A3-5F731C5FE7CF}\RP316\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\03082008_235556\WINDOWS\system32\shlahsd.dll Infected: Trojan-Downloader.Win32.Bojo.af skipped
C:\_OTMoveIt\MovedFiles\03232008_162943\Program Files\tmp112812.exe Infected: Trojan-Dropper.Win32.Agent.fwi skipped
C:\_OTMoveIt\MovedFiles\03232008_162943\Program Files\tmp118560.exe Infected: Trojan-Dropper.Win32.Agent.fwi skipped
C:\_OTMoveIt\MovedFiles\03232008_162943\Program Files\tmp120988692.exe Infected: Trojan-Dropper.Win32.Agent.fwi skipped
C:\_OTMoveIt\MovedFiles\03232008_162943\Program Files\tmp120994581.exe Infected: Trojan-Dropper.Win32.Agent.fwi skipped
C:\_OTMoveIt\MovedFiles\03232008_162943\Program Files\tmp164200157.exe Infected: Trojan-Dropper.Win32.Agent.fwi skipped
C:\_OTMoveIt\MovedFiles\03232008_162943\Program Files\tmp49280.exe Infected: Trojan-Dropper.Win32.Agent.fwi skipped
C:\_OTMoveIt\MovedFiles\03232008_162943\Program Files\tmp54848.exe Infected: Trojan-Dropper.Win32.Agent.fwi skipped
C:\_OTMoveIt\MovedFiles\03232008_162943\Program Files\tmp78482.exe Infected: Trojan-Dropper.Win32.Agent.fwi skipped
C:\_OTMoveIt\MovedFiles\03232008_162943\Program Files\tmp84731.exe Infected: Trojan-Dropper.Win32.Agent.fwi skipped

Scan process completed.
 
Excellent, only one item left in your cache, which is easily removed - the others are all backups created by the tools we've used, and some infected System Restore points.

Please download ATF Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Please click on Start -> Run. Type ComboFix /u and click OK.
Note the space between the ComboFix and the /u
This will remove the backups that ComboFix has created as well as the program itself.

Please run OTMoveIt2 again and click the CleanUp! button. That will remove the backups that the other programs we've used have created, as well as the programs themselves.

Please also turn off System Restore, and turn it back on again. This will clean out your infected Restore Points. To do so:

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Then to turn it back on again:
1. Wait for Windows to finish clearing Restore Points.
2. Clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.

Your Java Runtime Environment is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update:
Updating Java:
  • Go to Start > Control Panel, double-click on the Software icon > Add or Remove Programs.
  • Search the list for all previously installed versions of Java (J2SE Runtime Environment...).
    It should have the following icon next to it:
    javaicon.gif

    Select it and click Remove.
  • Then download and install the newest version from here:

Any remaining problems?
 