Solved: Virus Heat and the 'Blue screen of death' (New)


Dardalion (Junior Member, 20 posts; Join Date: Oct 2006; Location: Australia; Experience: Beginner)
24-Mar-2008, 08:47 AM, #1
Hello,

I'm sure I've accidentally downloaded a version of 'Virus Heat' as described by a lot of other people, but I have a few different twists to your other posters and am unable to tell which version I have, and the best way to remove it permanently.

I also get the "shield" pop ups and virus warnings as well as being unable to download anything at all. Luckily for me, I have used this wonderful site before and have some of the programs to help in this situation.

My added twist to this is that I also experience the "blue screen of death" with the following message:

"A problem has been detected and windows has been shutdown to prevent damage to your computer.

A Driver has overrun a stack-based buffer. This overrun could potentially allow a maicious user to gain control of this machine.

Technical information
***STOP: 0X000000F7 (0X00000072, 0X0000B7A4, 0XFFFF485B, 0X00000000)

This has stopped me from being able to do Panda scans (which I used last time). I also seem to be able to use the computer longer if I log into a different user (one I never use) and then use HijackThis and SmitFraudFix; their reports are below. (Note: does a different user alter the reports?)

Thanks for your help in advance; I really need this computer fixed so I can get back to my uni work, and I'm definitely willing to donate!

******************

SmitFraudFix v2.110

Scan done at 22:46:43.44, Mon 03/24/2008
Run from C:\Documents and Settings\Michael Matarazzo\Desktop\stuff\Malware fighters\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Mister P


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Mister P\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{7d7bd0c4-4913-4933-b870-7388a7bffb82}"="figpecker"

[HKEY_CLASSES_ROOT\CLSID\{7d7bd0c4-4913-4933-b870-7388a7bffb82}\InProcServer32]
@="C:\WINDOWS\system32\lvhjtsa.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7d7bd0c4-4913-4933-b870-7388a7bffb82}\InProcServer32]
@="C:\WINDOWS\system32\lvhjtsa.dll"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



*************

Logfile of HijackThis v1.99.1
Scan saved at 10:47:15 PM, on 3/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\NOTEPAD.EXE
C:\Documents and Settings\Michael Matarazzo\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\BitComet\tools\BitCometBHO_1.1.3.19.dll
O2 - BHO: bho3 Class - {58FB2CBB-C874-45FC-A1C9-B62CC9E3BED9} - C:\Documents and Settings\Michael Matarazzo\7167490.dll (file missing)
O2 - BHO: (no name) - {6860A44B-5D3E-433D-A7B5-D517F810D0E7} - C:\Program Files\NetProject\sbmdl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: e404 helper - {DF47DD37-AC11-4A93-8E16-2B2364AF0897} - C:\Program Files\Helper\1206348167.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SCDEmuApp.exe] C:\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iefixgate.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iefixgate.com/redirect.php (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: crypt32set - C:\WINDOWS\Media\fuwarxyus.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)



-Thanks in advance for your help!

-Dardalion
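The STOP line quoted in this post can be decoded offline, which is useful when deciding whether a crash is a transcription error, a hardware fault, or (as the moderator later concludes) a trojan driver corrupting kernel memory. The Python below is an added example written for this edit; it is not code from the thread or from any tool mentioned in it. It assumes the parameter layout Microsoft documents for bug check 0xF7 (DRIVER_OVERRAN_STACK_BUFFER): the cookie value found on the kernel stack, the expected cookie, the bitwise complement of the expected cookie, and a reserved zero. Checking that parameter 3 really is the complement of parameter 2 confirms the four values were copied correctly and that the kernel's stack-cookie (/GS) check, not something else, raised the bug check.

```python
import re

# Constructed input: the STOP line exactly as the original poster quoted it above.
STOP_LINE = "***STOP: 0X000000F7 (0X00000072, 0X0000B7A4, 0XFFFF485B, 0X00000000)"

# Matches "STOP: 0X<code> (<p1>, <p2>, <p3>, <p4>)" as Windows XP prints it.
STOP_RE = re.compile(r"STOP:\s*0X([0-9A-F]+)\s*\(([^)]*)\)", re.IGNORECASE)

# Assumption: parameter meanings follow Microsoft's published description of
# bug check 0xF7 (DRIVER_OVERRAN_STACK_BUFFER):
#   p1 = security cookie value actually found on the stack
#   p2 = security cookie value that was expected
#   p3 = bitwise complement of p2
#   p4 = reserved, always zero
DRIVER_OVERRAN_STACK_BUFFER = 0xF7
MASK32 = 0xFFFFFFFF  # the machine in the thread runs 32-bit Windows XP


def parse_stop_line(line: str) -> tuple:
    """Return (bug_check_code, (p1, p2, p3, p4)) parsed from a STOP line."""
    m = STOP_RE.search(line)
    if not m:
        raise ValueError("no STOP code found in line")
    code = int(m.group(1), 16)
    params = tuple(int(p.strip(), 16) for p in m.group(2).split(","))
    if len(params) != 4:
        raise ValueError("expected exactly four bug-check parameters")
    return code, params


def analyse_f7(params: tuple) -> dict:
    """Interpret the four parameters of an 0xF7 bug check."""
    found, expected, complement, reserved = params
    # If p3 is not ~p2 (or p4 is non-zero), the numbers were mis-copied or the
    # dump is not a genuine stack-cookie failure; do not draw conclusions from it.
    consistent = complement == (~expected & MASK32) and reserved == 0
    return {
        "cookie_found": found,
        "cookie_expected": expected,
        "params_consistent": consistent,
        # A consistent record whose found cookie differs from the expected one
        # means a kernel-mode stack buffer was overrun and the cookie clobbered.
        "cookie_overwritten": consistent and found != expected,
    }


def decode(line: str) -> dict:
    """Decode a STOP line; only 0xF7 gets a detailed analysis here."""
    code, params = parse_stop_line(line)
    result = {"code": code, "name": None, "params": params}
    if code == DRIVER_OVERRAN_STACK_BUFFER:
        result["name"] = "DRIVER_OVERRAN_STACK_BUFFER"
        result.update(analyse_f7(params))
    return result


if __name__ == "__main__":
    info = decode(STOP_LINE)
    print(f"bug check 0x{info['code']:08X} {info['name']}")
    print("parameters internally consistent:", info["params_consistent"])
    print(f"cookie on stack 0x{info['cookie_found']:08X}, "
          f"expected 0x{info['cookie_expected']:08X}, "
          f"overwritten: {info['cookie_overwritten']}")
```

Run as a script it reports that the quoted parameters are consistent (0xFFFF485B is the 32-bit complement of 0x0000B7A4) and that the cookie on the stack had been replaced with 0x00000072, i.e. a driver really did overrun a stack buffer in kernel mode. That matches the poster's observation that long scans and certain sites trigger the crash: whatever driver is loading into those code paths is corrupting its own stack.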
cybertech (Moderator, 61,499 posts; Join Date: Apr 2002; Location: Washington State)
25-Mar-2008, 03:38 PM, #2
You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non infected computer will remove your Desktop background.



Please post the C:\rapport.txt and a new HJT log in your next reply.
__________________
Microsoft MVP/Windows - Consumer Security


If we have helped you, please consider making a donation to TSG!
Dardalion (Junior Member, 20 posts; Join Date: Oct 2006; Location: Australia; Experience: Beginner)
25-Mar-2008, 08:25 PM, #3
Hey cybertech,

I did as you requested and rebooted into normal mode; I got the shield in the corner with the pop ups again. Then I opened the internet to come to this site to post my reports and the system gave me another Blue Screen of Death. (Do you think the virus is causing the blue screen, or have I just slowly killed my computer off myself!?)

Once again I'm using another login to access the net, so I am attaching the reports as attachments.

-Thanks for all your help.
Attached Files
File Type: txt rapport.txt (1.9 KB, 30 views)
File Type: log hijackthis26.3.08#1.log (9.6 KB, 25 views)
cybertech (Moderator, 61,499 posts; Join Date: Apr 2002; Location: Washington State)
26-Mar-2008, 07:10 PM, #4
The SmitFraudFix you ran is dated back to October 16, 2006. You need to download it again and run it again. This tool is updated very often and using an old version is not going to get the current infection.

Please post new logs after you have done that.
Dardalion (Junior Member, 20 posts; Join Date: Oct 2006; Location: Australia; Experience: Beginner)
26-Mar-2008, 08:05 PM, #5
Hey cybertech,

Yeah, it is an old version, but ever since getting Virus Heat I have been unable to download anything from the internet, making this harder as I don't have another comp to work off. I'll try getting it some other way.

I've been reading a lot of other posters with similar problems who have fixed it using 'Malwarebytes Anti-Malware 1.09', and I also intend to download and use that as well.

Also, in relation to the 'Blue Screen of Death' system crash, I've read other posters removing/disabling the 'tdidrv32.sys' file within the Windows/System32 folder. I would ask for your help on how, or even if, I should do this, as my computer crashes every time I try to do large scans of the computer using virus scanners (especially PandaScan), or even browse certain sites (anti-Virus Heat ones in particular), or even try using MSN!
cybertech (Moderator, 61,499 posts; Join Date: Apr 2002; Location: Washington State)
26-Mar-2008, 08:15 PM, #6
That is a trojan to be sure. Download SmitFraudFix to a floppy disk or thumb drive from another computer and proceed with running that. In addition download the new version of hijackthis.
Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.


If you want to run other things you have read go for it, but if you want my help please just stick with what I request.
Dardalion (Junior Member, 20 posts; Join Date: Oct 2006; Location: Australia; Experience: Beginner)
27-Mar-2008, 04:17 AM, #7
Hey cybertech,

So I was able to download the needed programs and ran SmitFraudFix (option 2); here are its log and also a new HijackThis log. I've had no pop ups since I ran Smit.

I'm sorry if before it sounded like I wasn't going to listen to you or would do things without your permission; I never intended to do anything without you approving it first. I mean, you are the expert here! So yeah, sorry about that.

-Dardalion
Attached Files
File Type: txt rapport.txt (2.9 KB, 37 views)
File Type: log hijackthis.log (9.1 KB, 26 views)
cybertech (Moderator, 61,499 posts; Join Date: Apr 2002; Location: Washington State)
27-Mar-2008, 01:13 PM, #8
Please close/disable all anti-virus and anti-malware programs so they do not interfere with the running of SDFix and make sure you are disconnected from the Internet after downloading the program but before extracting the files.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix and remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re-enable the protection again afterwards before connecting to the Internet.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
  • Instead of Windows loading as normal, the Advanced Options Menu should appear
  • Select the first option, to run Windows in Safe Mode, then press Enter
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to the clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
Dardalion (Junior Member, 20 posts; Join Date: Oct 2006; Location: Australia; Experience: Beginner)
27-Mar-2008, 07:42 PM, #9
Hey cybertech,

Did as you requested, here are the results.
Attached Files
File Type: log hijackthis.log (8.6 KB, 27 views)
File Type: txt SDFix-report.txt (9.3 KB, 134 views)
cybertech (Moderator, 61,499 posts; Join Date: Apr 2002; Location: Washington State)
28-Mar-2008, 11:07 AM, #10
You have multiple infections and it may take a few different scanners to get it cleaned up.


Visit this webpage for instructions for downloading and running ComboFix.

Post the log from ComboFix along with a new HijackThis log.
Dardalion (Junior Member, 20 posts; Join Date: Oct 2006; Location: Australia; Experience: Beginner)
29-Mar-2008, 12:25 AM, #11
Hey Cybertech,

Ran ComboFix as well as HijackThis; here are their logs.
Attached Files
File Type: log hijackthis29th.log (8.8 KB, 24 views)
File Type: txt Combofix-log report.txt (8.8 KB, 119 views)
cybertech (Moderator, 61,499 posts; Join Date: Apr 2002; Location: Washington State)
29-Mar-2008, 02:06 PM, #12
Run HJT again and put a check in the following:

O20 - Winlogon Notify: crypt32set - C:\WINDOWS\Media\fuwarxyus.dll (file missing)

Close all applications and browser windows before you click "fix checked".



Your Java is out of date. Use Secunia software inspector & update checker and remove all old versions from add/remove programs.


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

Click Exit on the Main menu to close the program.



Download (save and select your desktop to save it to) SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive and all other fixed drives..
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply with a new hijackthis log.
  • Click Close to exit the program.


Please perform a scan with Kaspersky Webscan Online Virus Scanner
  • Read the Requirements and Privacy statement, then select "Accept".
  • A new window will appear prompting you to install an ActiveX component from Kaspersky - "Do you want to install this software?".
  • Click "Yes" or select "Install" to download the ActiveX controls that allows ActiveScan to run.
  • When the download is complete it will say ready, click "Next".
  • Click "Scan Settings" and check the option to use the Extended Database (if available, otherwise Standard).
  • Click "Scan Options" and select both "Scan Archives" and "Scan Mail Bases".
  • Click "OK".
  • Under "Select a target to scan", click on "My Computer".
  • When the scan is complete choose to save the results as "Save as Text" named kaspersky.txt to your desktop and post them in your next reply.

Kaspersky does not remove anything but will provide a log of anything it finds. On August 8th, 2006 Kaspersky updated the software used for Free Online Virus Scanner. In order to continue using the online scanner you will need to uninstall the old version (if previously used) from your Add/Remove Programs list and then install the latest version. To do this, follow the steps here and reboot afterwards if your system does not reboot automatically, or it will show 'Kaspersky Online Scanner license key was not found!'
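The entry cybertech singles out in this post (an O20 Winlogon Notify DLL sitting under C:\WINDOWS\Media rather than system32) is the kind of thing a first-pass triage of a HijackThis log can flag mechanically, so that a reader with a log like post #1 knows which lines to ask about. The Python below is an added example written for this edit; it is not code from the thread, from HijackThis, or from any tool mentioned here. The sample lines are copied from the log in post #1, and the heuristics (entry points at a missing file, unnamed BHO, digits-only module name, Winlogon Notify DLL outside system32, IE extra button pointing at a URL) are my own assumptions about what deserves a second look, not a verdict on any file.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied verbatim from the HijackThis log in post #1.
SAMPLE_LOG = r"""
O2 - BHO: bho3 Class - {58FB2CBB-C874-45FC-A1C9-B62CC9E3BED9} - C:\Documents and Settings\Michael Matarazzo\7167490.dll (file missing)
O2 - BHO: (no name) - {6860A44B-5D3E-433D-A7B5-D517F810D0E7} - C:\Program Files\NetProject\sbmdl.dll
O2 - BHO: e404 helper - {DF47DD37-AC11-4A93-8E16-2B2364AF0897} - C:\Program Files\Helper\1206348167.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iefixgate.com/redirect.php (file missing)
O20 - Winlogon Notify: crypt32set - C:\WINDOWS\Media\fuwarxyus.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
"""

# A HijackThis entry is "<section> - <body>", e.g. "O20 - Winlogon Notify: ...".
HJT_ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# First Windows path ending in a module extension; stops at quote characters.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"<>|]*?\.(?:dll|exe|sys)', re.IGNORECASE)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def module_stem(path: str) -> str:
    """'C:\\x\\7167490.dll' -> '7167490'."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def reasons_for(section: str, body: str) -> list:
    """Heuristic checks (assumptions of this example) for one log entry."""
    reasons = []
    if "(file missing)" in body:
        reasons.append("references a file that no longer exists (orphaned entry)")
    m = WIN_PATH.search(body)
    path = m.group(0) if m else None
    if path and module_stem(path).isdigit():
        reasons.append("module name is digits only")
    if section == "O2" and "(no name)" in body:
        reasons.append("unnamed BHO")
    if section == "O20" and path and "\\system32\\" not in path.lower():
        # Winlogon Notify packages normally live in system32; one loading from
        # elsewhere is the entry cybertech asks to have fixed in this thread.
        reasons.append("Winlogon Notify DLL outside system32")
    if section == "O9" and re.search(r"https?://", body):
        reasons.append("IE extra button points at a URL instead of a local file")
    return reasons


def triage(log_text: str) -> list:
    """Return one Finding per (entry, reason) pair; unflagged lines are skipped."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_ENTRY.match(line)
        if not m:
            continue  # header, process list, blank line
        for reason in reasons_for(m["section"], m["body"]):
            findings.append(Finding(m["section"], reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

On the sample, five of the eight lines get at least one flag and the Adobe toolbar, the Symantec Run entry and the Intel graphics Winlogon entry pass clean. The checks are deliberately conservative and only prioritise questions for a human; a flagged line is a reason to ask, not a reason to delete.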
Dardalion (Junior Member, 20 posts; Join Date: Oct 2006; Location: Australia; Experience: Beginner)
31-Mar-2008, 06:21 PM, #13
Hey again,

It took a while to figure out what I was doing and to make sure I was doing it right. I think I got it; let me know if you think I did something wrong or want me to redo something.

Here are the scan logs for HJT, SUPERAntiSpyware and Kaspersky.

*Kaspersky found a LOT of things infected... a little scary to have so many infected files on your computer and not know about them!
Attached Files
File Type: log hijackthis.log (10.0 KB, 24 views)
File Type: txt Kaspersky.txt (36.9 KB, 37 views)
File Type: txt SUPERAntiSpyware Scan.txt (4.0 KB, 156 views)
cybertech (Moderator, 61,499 posts; Join Date: Apr 2002; Location: Washington State)
31-Mar-2008, 07:03 PM, #14
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\Documents and Settings\Michael Matarazzo\Application Data\Sun\Java\Deployment\cache\6.0\14\74b5390e-50daa832
    C:\Documents and Settings\Michael Matarazzo\Application Data\Sun\Java\Deployment\cache\6.0\14\74b5390e-779b6f81
    C:\WINDOWS\mirod32.exe
    C:\WINDOWS\svchost.d
    C:\WINDOWS\svchost.ex
  • Return to OTMoveIt2, right click in the Paste Custom List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post with a new hijackthis log.

Let me know if you are still having problems.
Dardalion (Junior Member, 20 posts; Join Date: Oct 2006; Location: Australia; Experience: Beginner)
01-Apr-2008, 08:58 PM, #15
OK, I did the MoveIt and also a new HJT log. Not overly sure what you meant by having problems, either with the instructions or the comp itself, so I'll answer both! No problems with those instructions. *I'm still downloading updates for various things on my comp (e.g. Java) as the downloads seem to take a while for me.* I have also had no problems of a 'virus/troj' nature for a few days now: no pop ups or changed browser, and my internet is running as smoothly as it ever did.

Do you think I'm good now, or is there something still pressing that you see and I have no idea about?

MoveIt2 Log

[Custom Input]
< C:\Documents and Settings\Michael Matarazzo\Application Data\Sun\Java\Deployment\cache\6.0\14\74b5390e-50daa832 >
C:\Documents and Settings\Michael Matarazzo\Application Data\Sun\Java\Deployment\cache\6.0\14\74b5390e-50daa832 moved successfully.
< C:\Documents and Settings\Michael Matarazzo\Application Data\Sun\Java\Deployment\cache\6.0\14\74b5390e-779b6f81 >
C:\Documents and Settings\Michael Matarazzo\Application Data\Sun\Java\Deployment\cache\6.0\14\74b5390e-779b6f81 moved successfully.
< C:\WINDOWS\mirod32.exe >
C:\WINDOWS\mirod32.exe moved successfully.
< C:\WINDOWS\svchost.d >
C:\WINDOWS\svchost.d moved successfully.
< C:\WINDOWS\svchost.ex >
C:\WINDOWS\svchost.ex moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 04022008_105207
Attached Files
File Type: log hijackthis.log (10.1 KB, 22 views)