HELP ! Can someone please help w/Alcan worm ? [RESOLVED]
wyldkatt
post Aug 31 2007, 09:00 AM
Post #1


Member
Posts: 39
OS: XP PRO



Hello People--
Well, this is the 3rd time I've tried to make this post..
I have 2 problems that I'm aware of.....and I know nothing at all about computers...

I'm working with a desktop-using XP PRO..

Problem #1 ---- computer says Windows doesn't approve of my Motorola Cable Modem ?? so
I can't seem to get my internet connection,thus unable to HJT...

Problem #2 ---- 49% of the way thru the defrag scan, message says task was stopped due to
an error in C:\WINDOWS\Tasks\sa.dat

From what I've read in this forum so far,it seems that it is the Alcan thingy..A friend called this
the WEB MD for computers. I'm hoping some of you "data doctors" out there have the CURE..

Thanks in advance to everyone.......

~wyldkatt~
Rorschach112
post Sep 4 2007, 05:07 PM
Post #2


GeekU Teacher
Posts: 19,220
From: Dublin
OS: XP



Hello wyldkatt, sorry for the delay. My name is Rorschach and I'll be helping you with your problems.


Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.



wyldkatt
post Sep 5 2007, 07:38 AM
Post #3


Member
Posts: 39
OS: XP PRO



hello Rorschach112--
thank you for your response...hope i did this right.....


Deckard's System Scanner v20070826.66
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Architecture: X86; Language: English

Percentage of Memory in Use: 68%
Physical Memory (total/avail): 127.48 MiB / 39.93 MiB
Pagefile Memory (total/avail): 308.05 MiB / 153.31 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1982.58 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 18.63 GiB total, 14.59 GiB free.
D: is CDROM (CDFS)



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Susan\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CX2299795-A
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\
LOGONSERVER=\\CX2299795-A
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\Internet Explorer;
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 4 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0402
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Susan\LOCALS~1\Temp
TMP=C:\DOCUME~1\Susan\LOCALS~1\Temp
USERDOMAIN=CX2299795-A
USERNAME=Susan
USERPROFILE=C:\Documents and Settings\Susan
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Susan (admin)
Brandon (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\UninstFl.exe -q
Adobe Reader 7.0.7 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70700000002}
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
BroadJump Client Foundation --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\BroadJump\Client Foundation\Uninst.isu" -c"C:\Program Files\BroadJump\Client Foundation\RmvBJCFD.dll"
C-Media WDM Audio Driver --> C:\WINDOWS\system32\cmirmdrv.exe
CorrectConnect --> C:\WINDOWS\ISUninst.exe -f"C:\Program Files\CConnect\Uninst.isu" -c"C:\Program Files\CConnect\Uninst.dll"
Cox Anti-Spyware and Pop-Up Blocker --> C:\Program Files\Cox\Applications\app\Repair.exe -REMOVE
eBookMan Desktop Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6081734C-7D28-4737-87FD-C215810C5165}\Setup.exe" anythinganything
Microsoft AntiSpyware --> MsiExec.exe /I{536F7C74-844B-4683-B0C5-EA39E19A6FE3}
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
NVIDIA Windows 2000 Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nv4_disp.inf
Yahoo! Toolbar --> rundll32.exe C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\YCOMP5~1.DLL,DllCommand ui


-- Application Event Log -------------------------------------------------------

Event Record #/Type1062 / Warning
Event Submitted/Written: 09/05/2007 06:25:08 AM
Event ID/Source: 4354 / EventSystem
Event Description:
The COM+ Event System failed to fire the ConnectionMade method on subscription {81B6F761-CD52-478D-94E7-7699730DC445}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}. The subscriber returned HRESULT 80004001.

Event Record #/Type1059 / Error
Event Submitted/Written: 08/29/2007 08:56:23 AM
Event ID/Source: 4 / WinMgmt
Event Description:
Failed to load MOF C:\WINDOWS\system32\WBEM\whqlprov.mof while recovering repository file.

Event Record #/Type1058 / Error
Event Submitted/Written: 08/29/2007 08:56:21 AM
Event ID/Source: 4 / WinMgmt
Event Description:
Failed to load MOF C:\WINDOWS\system32\WBEM\licwmi.mfl while recovering repository file.

Event Record #/Type1057 / Error
Event Submitted/Written: 08/29/2007 08:56:20 AM
Event ID/Source: 4 / WinMgmt
Event Description:
Failed to load MOF C:\WINDOWS\system32\WBEM\licwmi.mof while recovering repository file.

Event Record #/Type1056 / Error
Event Submitted/Written: 08/29/2007 08:56:20 AM
Event ID/Source: 4 / WinMgmt
Event Description:
Failed to load MOF C:\WINDOWS\system32\WBEM\tscfgwmi.mfl while recovering repository file.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type17271 / Error
Event Submitted/Written: 09/05/2007 06:21:37 AM
Event ID/Source: 16 / Windows Update Agent
Event Description:
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Event Record #/Type17231 / Error
Event Submitted/Written: 08/29/2007 08:57:02 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Task Scheduler service terminated with the following error:
%%1392

Event Record #/Type17195 / Warning
Event Submitted/Written: 08/29/2007 05:23:10 AM
Event ID/Source: 3 / Print
Event Description:
Printer hp deskjet 940c series was deleted.

Event Record #/Type17194 / Warning
Event Submitted/Written: 08/29/2007 05:22:51 AM
Event ID/Source: 4 / Print
Event Description:
Printer hp deskjet 940c series is pending deletion.



-- End of Deckard's System Scanner: finished at 2007-09-05 06:33:53 ------------
Deckard's System Scanner v20070826.66
Run by Susan on 2007-09-05 06:31:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
6: 2007-09-05 13:32:07 UTC - RP1196 - Deckard's System Scanner Restore Point
5: 2007-09-05 13:23:37 UTC - RP1195 - Unsigned driver install
4: 2007-03-08 16:04:14 UTC - RP1194 - System Checkpoint
3: 2007-01-26 13:59:59 UTC - RP1193 - Software Distribution Service 2.0
2: 2007-01-25 12:44:24 UTC - RP1192 - Software Distribution Service 2.0


-- First Restore Point --
1: 2006-12-24 03:54:55 UTC - RP1191 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 128 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-09-05 06:33:13
Platform: Windows XP (5.01.2600)
MSIE: Internet Explorer (6.00.2600.0000)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cox\Applications\app\CurtainsSysSvcNt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
C:\Program Files\CConnect\CConnect.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Franklin Electronic Publishers\eBookMan Desktop Manager\EbmMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILE...H+D+lnwQoZegDPd
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKEY_LOCAL_MACHINE\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [AuthConsoleStart] C:\Program Files\Cox\Applications\app\cox.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - HKCU\..\Run: [atiupdate] C:\DOCUME~1\Susan\LOCALS~1\Temp\msshed32.exe
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: eBookMan Monitor.lnk = C:\Program Files\Franklin Electronic Publishers\eBookMan Desktop Manager\EbmMgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {0000000A-9980-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/8/B...42/wmsp9dmo.cab
O16 - DPF: {00000075-0000-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/voxmsdec.CAB
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - C:\Program Files\Cox\Applications\app\CurtainsSysSvcNt.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2007-08-05 and 2007-09-05 -----------------------------

2007-09-05 06:30:39 599706 --a------ C:\dss.exe
2007-09-05 06:25:30 0 d-------- C:\WINDOWS\System32\SoftwareDistribution
2007-09-05 06:24:52 0 d-------- C:\WINDOWS\LastGood
2007-09-05 06:19:38 0 d--hs---- C:\FOUND.000
2007-08-29 09:20:12 671 --a------ C:\WINDOWS\System32\mirindaspk.exe
2007-08-29 09:20:11 48640 --a------ C:\WINDOWS\System32\msshed32.exe
2007-08-29 06:23:10 274432 --ah----- C:\Documents and Settings\TEMP\NTUSER.DAT
2007-08-29 06:23:10 0 d--h----- C:\Documents and Settings\TEMP\Local Settings
2007-08-29 06:23:10 0 d---s---- C:\Documents and Settings\TEMP\Cookies
2007-08-29 06:23:10 0 d-------- C:\Documents and Settings\TEMP\Application Data
2007-08-29 06:23:10 0 d---s---- C:\Documents and Settings\TEMP\Application Data\Microsoft
2007-08-29 05:34:32 0 d-------- C:\Documents and Settings\Brandon\Application Data\AdobeUM
2007-08-29 05:15:52 0 d-------- C:\Documents and Settings\Brandon\Application Data\Adobe


-- Find3M Report ---------------------------------------------------------------

2007-08-29 06:09:02 1632 --a------ C:\WINDOWS\System32\d3d8caps.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [10/18/2001 01:37 PM]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [11/07/2001 03:50 AM]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" []
"LexStart"="" []
"AuthConsoleStart"="C:\Program Files\Cox\Applications\app\cox.exe" [09/30/2004 05:01 PM]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [02/10/2005 10:32 PM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/2005 11:46 PM]
"Cmaudio"="cmicnfg.cpl" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [08/02/2001 07:14 AM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 04:45 PM]
"atiupdate"="C:\DOCUME~1\Susan\LOCALS~1\Temp\msshed32.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Winsock2 driver"=EXPLORER.EXE

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
CorrectConnect.lnk - C:\Program Files\CConnect\CConnect.exe [1/31/2002 7:07:32 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 5:05:56 AM]
eBookMan Monitor.lnk - C:\Program Files\Franklin Electronic Publishers\eBookMan Desktop Manager\EbmMgr.exe [12/25/2002 12:09:42 PM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]




-- End of Deckard's System Scanner: finished at 2007-09-05 06:33:53 ------------



thanks-----
Rorschach112
post Sep 5 2007, 08:14 AM
Post #4


GeekU Teacher
Posts: 19,220
From: Dublin
OS: XP



Hello wyldkatt

Before starting any cleaning steps, please disable the Microsoft Anti-Spyware real-time protection:
  1. Right-click on the Microsoft Anti-Spyware tray icon by your clock (it's the one with the red and yellow bulls-eye).
  2. Click on "Security Agents Status".
  3. Click on "Disable real-time protection".

Next, open Microsoft Anti-Spyware.
  1. Click on the Options menu, then Settings.
  2. Select "Real Time Protection" from the left column.
  3. Uncheck "Enable (MSAS) Security Agents" and "Enable real-time spyware threat protection".
  4. Click the Save button.
Finally, Right-click on the MSAS tray icon, select "Shutdown Microsoft Antispyware", and click "Yes" in the dialog that comes up.

You can reenable it once your system is clean.



We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft.com/windowsxp/downloa...p1/default.mspx
Apply the update and reboot your PC.



Download win32delfkil.exe.
Save it on your desktop.
Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil.
Close all windows, open the win32delfkil folder and double click on fix.bat.
The computer will reboot automatically.
Post the contents of the logfile c\windelf.txt, along with a new HijackThis log.


wyldkatt
post Sep 5 2007, 11:13 AM
Post #5


Member
Posts: 39
OS: XP PRO



hi Rorschach112--
I just knew this wasn't gonna be easy...1st off..there is no MSAS icon anymore...I remember uninstalling it before...I searched thru the programs, and what I found was Cox anti-spyware and pop-up blocker....

Sorry----Hope that patience thing is working.....LOL

Wyld...
Rorschach112
post Sep 5 2007, 11:22 AM
Post #6


GeekU Teacher
Posts: 19,220
From: Dublin
OS: XP



Don't worry about that; can you please continue with the rest of the instructions?
wyldkatt
post Sep 5 2007, 12:51 PM
Post #7


Member
Posts: 39
OS: XP PRO



this is really starting to suck...the MS site won't validate my windows..and, "don't know what a slide ruler's for....

but apparently, the fan for the power source is out and I have to shut down and let it cool off before I can give her another go...you must have drawn the short straw R.....lol

see ya in a while..........
Rorschach112
post Sep 5 2007, 01:08 PM
Post #8


GeekU Teacher
Posts: 19,220
From: Dublin
OS: XP



We can leave that till later; the more important thing is that you do the last step concerning win32delfkil.exe.
wyldkatt
post Sep 5 2007, 01:45 PM
Post #9


Member
Posts: 39
OS: XP PRO



hope this is what you want...don't believe I downloaded HJT tho...sorry

WIN32DELFKIL LOGFILE - by Marckie


version 3.130
Wed 09/05/2007 12:42:55.97
running from: "C:\Documents and Settings\Susan\Desktop"


--- File(s) found in Windows directory ---

--- File(s) found in system32 folder ---

--- Services ---

--- Export SharedTaskScheduler key ---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"


--- Notify key ---


--- rebooting the computer ---


--- File(s) found in Windows directory ---

--- File(s) found in system32 folder ---

--- Services ---

--- Export SharedTaskSchedulerkey ---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"



--- Notify key ---

Finished!
Rorschach112
post Sep 5 2007, 02:20 PM
Post #10


GeekU Teacher
Posts: 19,220
From: Dublin
OS: XP



Ok, do the following:

1. Please re-open HiJackThis(DSS) and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [atiupdate] C:\DOCUME~1\Susan\LOCALS~1\Temp\msshed32.exe


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Please download OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\FOUND.000
    C:\WINDOWS\System32\mirindaspk.exe
    C:\WINDOWS\System32\msshed32.exe
    C:\DOCUME~1\Susan\LOCALS~1\Temp\msshed32.exe


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.

Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")

Click "Exit" to close OTMoveIt.



Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.



* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double click the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.


So in your next reply please post the following : a new DSS log, the OTMoveIt results, the Dr. Web Cureit report, and tell me how your PC is running now and if you had any problems.
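The two items Rorschach picked out of the DSS log (an autorun launching from the user's Temp folder, and executables created in System32 on the same day the trouble started) are the kind of thing a helper spots by eye. The script below is an added example, not part of this thread and not code from DSS, HijackThis or OTMoveIt: it applies those same two heuristics to HijackThis O4 lines and to the DSS "Files created" listing and prints candidates for a human reviewer to check against whitelists. The sample lines are constructed to match the shape of the logs posted above; the regexes and the file-extension list are the example's own assumptions about the log formats, not a published specification.

```python
"""Heuristic triage of HijackThis O4 autoruns and DSS "Files created" lines.

Added example for the thread above; not code from DSS, HijackThis or OTMoveIt.
It does not delete anything: it only lists entries a reviewer should look at.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, shaped like the O4 lines in the HijackThis section of the DSS log.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [atiupdate] C:\DOCUME~1\Susan\LOCALS~1\Temp\msshed32.exe
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
"""

# Constructed sample, shaped like the DSS "Files created between ..." section.
SAMPLE_DSS = r"""
2007-09-05 06:30:39 599706 --a------ C:\dss.exe
2007-09-05 06:19:38 0 d--hs---- C:\FOUND.000
2007-08-29 09:20:12 671 --a------ C:\WINDOWS\System32\mirindaspk.exe
2007-08-29 09:20:11 48640 --a------ C:\WINDOWS\System32\msshed32.exe
2007-09-05 12:42:39 16384 --a------ C:\WINDOWS\System32\restart.exe <Not Verified; WareSoft Software; restart>
2007-08-29 06:23:10 274432 --ah----- C:\Documents and Settings\TEMP\NTUSER.DAT
"""

# Assumed line shapes (derived from the logs in the thread, not from any tool's documentation).
O4_RUNKEY = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
EXE_PATH = re.compile(r'^"?(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|cpl|scr|bat|cmd|vbs|pif))"?', re.IGNORECASE)
DSS_FILE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<size>\d+)\s+(?P<attr>\S{9})\s+"
    r"(?P<path>.+?)(?:\s+<(?P<tag>.*)>)?$"
)
EXEC_EXT = {"exe", "dll", "sys", "scr", "cpl", "pif"}
TEMP_HINTS = ("\\temp\\", "locals~1", "\\local settings\\temp")


@dataclass
class Finding:
    source: str  # "hjt" or "dss"
    path: str
    reason: str


def executable_from_command(cmd: str) -> Optional[str]:
    """Pull the drive-qualified executable path out of an autorun command, if it has one."""
    m = EXE_PATH.match(cmd.strip())
    return m.group("path") if m else None


def classify_path(path: str) -> Optional[str]:
    """Return a reason string when the path sits in a temporary directory."""
    low = path.lower()
    if any(hint in low for hint in TEMP_HINTS):
        return "executes from a temporary directory"
    return None


def triage_hjt(log: str) -> List[Finding]:
    """Flag O4 autoruns (Run keys and Global Startup) whose target lives in a Temp folder."""
    findings: List[Finding] = []
    for line in log.splitlines():
        m = O4_RUNKEY.match(line) or O4_STARTUP.match(line)
        if not m:
            continue
        path = executable_from_command(m.group("cmd"))
        if path is None:  # e.g. RunDll32 with a bare .cpl name: nothing to check here
            continue
        reason = classify_path(path)
        if reason:
            findings.append(Finding("hjt", path, f"autorun [{m.group('name')}] {reason}"))
    return findings


def triage_dss(listing: str) -> List[Finding]:
    """Flag newly created executables under C:\\WINDOWS, noting missing version info."""
    findings: List[Finding] = []
    for line in listing.splitlines():
        m = DSS_FILE.match(line.strip())
        if not m or m.group("attr").startswith("d"):  # skip non-matching lines and directories
            continue
        path = m.group("path")
        low = path.lower()
        if low.rsplit(".", 1)[-1] not in EXEC_EXT:
            continue
        if low.startswith("c:\\windows\\"):
            reason = f"new {int(m.group('size'))}-byte executable in the Windows directory"
            if not m.group("tag"):
                reason += ", no version information"
            findings.append(Finding("dss", path, reason))
        elif classify_path(path):
            findings.append(Finding("dss", path, "new executable in a temporary directory"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT) + triage_dss(SAMPLE_DSS):
        print(f"[{f.source}] {f.path}: {f.reason}")
```

On the constructed sample this lists the Temp-folder autorun and the three System32 executables; the win32delfkil helper restart.exe is listed too, which is the point: the script narrows the log down, and the reviewer still decides what is legitimate.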
wyldkatt
post Sep 5 2007, 10:49 PM
Post #11


Member
Posts: 39
OS: XP PRO



okay Rorschach112---
I'll see if I got this right..1st you wanted a new DSS..here goes..

Deckard's System Scanner v20070826.66
Run by Susan on 2007-09-05 21:18:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 128 MiB (512 MiB recommended).


-- HijackThis (run as Susan.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:18:47 PM, on 9/5/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CConnect\CConnect.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Susan\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Susan.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILE...H+D+lnwQoZegDPd
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [AuthConsoleStart] C:\Program Files\Cox\Applications\app\cox.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - HKUS\S-1-5-21-436374069-1078145449-854245398-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-436374069-1078145449-854245398-1003\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 (User '?')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [Winsock2 driver] EXPLORER.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Winsock2 driver] EXPLORER.EXE (User 'Default user')
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189017241173
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe

--
End of file - 4581 bytes

-- Files created between 2007-08-05 and 2007-09-05 -----------------------------

2007-09-05 19:25:10 0 d-------- C:\Documents and Settings\Susan\DoctorWeb
2007-09-05 18:52:18 0 d--hs---- C:\FOUND.001
2007-09-05 18:14:13 0 d-------- C:\Program Files\Trend Micro
2007-09-05 12:42:56 0 d-------- C:\_backupD
2007-09-05 12:42:39 16384 --a------ C:\WINDOWS\System32\restart.exe <Not Verified; WareSoft Software; restart>
2007-09-05 12:42:39 90112 --a------ C:\WINDOWS\System32\regdacl.exe <Not Verified; Frank Heyne Software; RegTools>
2007-09-05 12:42:39 4096 --a------ C:\WINDOWS\System32\reboot.exe
2007-09-05 12:42:39 53248 --a------ C:\WINDOWS\System32\process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-09-05 12:42:39 280230 --a------ C:\win32delfkil.exe <WIN32D~1.EXE> <Not Verified; Marckie; >
2007-09-05 12:42:38 0 d-------- C:\WINDOWS\System32\regdacl
2007-09-05 11:38:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-09-05 06:30:39 599706 --a------ C:\dss.exe
2007-09-05 06:25:30 0 d-------- C:\WINDOWS\System32\SoftwareDistribution
2007-08-29 06:23:10 274432 --ah----- C:\Documents and Settings\TEMP\NTUSER.DAT
2007-08-29 06:23:10 0 d--h----- C:\Documents and Settings\TEMP\Local Settings
2007-08-29 06:23:10 0 d---s---- C:\Documents and Settings\TEMP\Cookies
2007-08-29 06:23:10 0 d-------- C:\Documents and Settings\TEMP\Application Data
2007-08-29 06:23:10 0 d---s---- C:\Documents and Settings\TEMP\Application Data\Microsoft
2007-08-29 05:34:32 0 d-------- C:\Documents and Settings\Brandon\Application Data\AdobeUM
2007-08-29 05:15:52 0 d-------- C:\Documents and Settings\Brandon\Application Data\Adobe


-- Find3M Report ---------------------------------------------------------------

2007-08-29 06:09:02 1632 --a------ C:\WINDOWS\System32\d3d8caps.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [10/18/2001 01:37 PM]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [11/07/2001 03:50 AM]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" []
"LexStart"="" []
"AuthConsoleStart"="C:\Program Files\Cox\Applications\app\cox.exe" [09/30/2004 05:01 PM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/2005 11:46 PM]
"Cmaudio"="cmicnfg.cpl" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [08/02/2001 07:14 AM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 04:45 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Winsock2 driver"=EXPLORER.EXE

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
CorrectConnect.lnk - C:\Program Files\CConnect\CConnect.exe [1/31/2002 7:07:32 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 5:05:56 AM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]




-- End of Deckard's System Scanner: finished at 2007-09-05 21:19:12 ------------

Awesome!!! All right, now we'll go for the OT MoveIt results........
File/Folder C:\FOUND.000 not found.
File/Folder C:\WINDOWS\System32\mirindaspk.exe not found.
File/Folder C:\WINDOWS\System32\msshed32.exe not found.
File/Folder C:\DOCUME~1\Susan\LOCALS~1\Temp\msshed32.exe not found.

Cool.... I'm really liking this....Now for DR WEB...

tgcmd.exe;c:\program files\support.com\bin;Probably DLOADER.Trojan;;
process.exe;C:\WINDOWS\system32;Tool.Prockill;;
tgcmd.exe;c:\program files\support.com\bin;Probably DLOADER.Trojan;;
msshed32.exe;C:\Deckard\System Scanner\20070905181202\backup\DOCUME~1\Susan\LOCALS~1\Temp;Trojan.DownLoader.5849;Deleted.;
atiupdate.exe;C:\Deckard\System Scanner\20070905181202\backup\DOCUME~1\Susan\LOCALS~1\Temp;Trojan.DownLoader.5849;Deleted.;
florida disclosures pg 1.eml;C:\Documents and Settings\All Users\Documents;Win32.HLLW.Nimda.57344;Incurable.Moved.;
mega b matrix 2.eml;C:\Documents and Settings\All Users\Documents\My Pictures;Win32.HLLW.Nimda.57344;Incurable.Moved.;
credit approval letter.eml;C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures;Win32.HLLW.Nimda.57344;Incurable.Moved.;
virtualbankunderwritingguidelinesver1[1].eml;C:\Documents and Settings\All Users\Documents\My Music;Win32.HLLW.Nimda.57344;Incurable.Moved.;
sdcmon.dll;C:\Program Files\Support.com\bin;Probably DLOADER.Trojan;;
tgcmd.exe;C:\Program Files\Support.com\bin;Probably DLOADER.Trojan;;
tgupdate.exe;C:\Program Files\Support.com\bin;Probably DLOADER.Trojan;;
53C76049-2DFB-4972-9097-CD8485;C:\Program Files\Microsoft AntiSpyware\Quarantine\4C01B2B7-B463-47B5-A643-902635;Adware.TSAdvert;;
3CCB9870-CB46-4305-A5A7-709D0A;C:\Program Files\Microsoft AntiSpyware\Quarantine\4C01B2B7-B463-47B5-A643-902635;Adware.TimeSink;;
E1D9DE42-CE4F-48F7-9D60-1BA9C5;C:\Program Files\Microsoft AntiSpyware\Quarantine\4C01B2B7-B463-47B5-A643-902635;Adware.TSAdvert;;
538D13D9-7CAA-48D4-9EE8-36E90C;C:\Program Files\Microsoft AntiSpyware\Quarantine\4C01B2B7-B463-47B5-A643-902635;Adware.TSAdvert;;
A0088181.exe;C:\System Volume Information\_restore{0AB74DF5-36A0-4973-8806-D656904302B9}\RP1200;Trojan.DownLoader.5849;Deleted.;
A0088182.exe;C:\System Volume Information\_restore{0AB74DF5-36A0-4973-8806-D656904302B9}\RP1200;Trojan.DownLoader.5849;Deleted.;
A0077293.exe\data002;C:\System Volume Information\_restore{0AB74DF5-36A0-4973-8806-D656904302B9}\RP1194\A0077293.exe;Adware.TSAdvert;;
A0077293.exe\data003;C:\System Volume Information\_restore{0AB74DF5-36A0-4973-8806-D656904302B9}\RP1194\A0077293.exe;Adware.TSAdvert;;
A0077293.exe\data004;C:\System Volume Information\_restore{0AB74DF5-36A0-4973-8806-D656904302B9}\RP1194\A0077293.exe;Adware.TimeSink;;
A0077293.exe;C:\System Volume Information\_restore{0AB74DF5-36A0-4973-8806-D656904302B9}\RP1194;Archive contains infected objects;Moved.;
A0077300.exe;C:\System Volume Information\_restore{0AB74DF5-36A0-4973-8806-D656904302B9}\RP1194;Modification of BackDoor.Generic.1360;Moved.;
A0077302.reg;C:\System Volume Information\_restore{0AB74DF5-36A0-4973-8806-D656904302B9}\RP1194;Trojan.StartPage.1505;Deleted.;
A0077310.dll;C:\System Volume Information\_restore{0AB74DF5-36A0-4973-8806-D656904302B9}\RP1194;Adware.Starware;;
A0077322.exe;C:\System Volume Information\_restore{0AB74DF5-36A0-4973-8806-D656904302B9}\RP1194;Modification of BackDoor.Generic.1360;Moved.;
A0077324.reg;C:\System Volume Information\_restore{0AB74DF5-36A0-4973-8806-D656904302B9}\RP1194;Trojan.StartPage.1505;Deleted.;
A0077329.exe\data001;C:\System Volume Information\_restore{0AB74DF5-36A0-4973-8806-D656904302B9}\RP1194\A0077329.exe;Adware.TSAdvert;;
A0077329.exe\data002;C:\System Volume Information\_restore{0AB74DF5-36A0-4973-8806-D656904302B9}\RP1194\A0077329.exe;Adware.TSAdvert;;
A0077329.exe\data003;C:\System Volume Information\_restore{0AB74DF5-36A0-4973-8806-D656904302B9}\RP1194\A0077329.exe;Adware.TimeSink;;
A0077329.exe;C:\System Volume Information\_restore{0AB74DF5-36A0-4973-8806-D656904302B9}\RP1194;Archive contains infected objects;Moved.;
A0084122.exe;C:\System Volume Information\_restore{0AB74DF5-36A0-4973-8806-D656904302B9}\RP1194;Trojan.MulDrop.1388;Deleted.;
msshed32.exe;C:\_OTMoveIt\MovedFiles\WINDOWS\System32;Trojan.DownLoader.5849;Deleted.;


Your instructions along with your patience have been impeccable Rorschach112....a little concerned about words like "INCURABLE" though...lol...System seems to be a little faster..probably won't see full effects of repairs till I install new fan...Will try to do that by the time that you return, to give you an update..I believe I can do the fan install myself, maybe...And how about the six items I have showing on the desktop, will I be able to remove them at some time ?? Please let me know if I need to do anything else after reviewing..TYVM..



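The Dr.Web report pasted above has one object per line in the form object;path;threat;action; and the action field is what distinguishes a file that was actually handled ("Deleted.", "Moved.", "Incurable.Moved.", meaning it could not be cleaned and was moved to quarantine instead) from one that was merely listed with no action recorded (empty field). A log of this length is easier to triage when you separate hits inside restore points, tool backups and quarantine folders (copies, not live files) from hits on the running system that the scanner reported but left alone. The script below is an added example written for this reply, not Dr.Web's or the forum's own code; the report lines it parses are a constructed sample in the same format (the restore-point GUID is a placeholder), and the list of staging folders it recognises is an assumption chosen from the paths seen in this thread.

```python
"""Summarise a Dr.Web CureIt-style scan report.

Each report line has the shape  object;path;threat;action;  where an empty
action field means the scanner listed the object but recorded no action.
Added example for triage of such a log; not the scanner's own code.
"""
from collections import Counter

# Constructed sample in the report format seen in the thread (not copied scan
# data; {RESTORE-GUID} is a placeholder for the real restore-point id).
SAMPLE_REPORT = """\
tgcmd.exe;c:\\program files\\support.com\\bin;Probably DLOADER.Trojan;;
process.exe;C:\\WINDOWS\\system32;Tool.Prockill;;
msshed32.exe;C:\\Deckard\\System Scanner\\20070905181202\\backup\\DOCUME~1\\Susan\\LOCALS~1\\Temp;Trojan.DownLoader.5849;Deleted.;
florida disclosures pg 1.eml;C:\\Documents and Settings\\All Users\\Documents;Win32.HLLW.Nimda.57344;Incurable.Moved.;
A0077293.exe\\data002;C:\\System Volume Information\\_restore{RESTORE-GUID}\\RP1194\\A0077293.exe;Adware.TSAdvert;;
A0077293.exe;C:\\System Volume Information\\_restore{RESTORE-GUID}\\RP1194;Archive contains infected objects;Moved.;
msshed32.exe;C:\\_OTMoveIt\\MovedFiles\\WINDOWS\\System32;Trojan.DownLoader.5849;Deleted.;
"""

# Assumed list of folders that hold copies made by other tools (restore points,
# DSS backups, OTMoveIt moves, quarantine). A hit there is not a live file.
STAGED_MARKERS = (
    "\\system volume information\\_restore",
    "\\deckard\\system scanner\\",
    "\\_otmoveit\\",
    "\\quarantine\\",
)


def parse_report(text):
    """Turn report lines into dicts; skip blank lines and lines with too few fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(";")          # trailing ';' yields an empty last element
        if len(parts) < 4:
            continue                     # malformed line, ignore rather than guess
        obj, path, threat, action = (p.strip() for p in parts[:4])
        low = path.lower()
        records.append({
            "object": obj,
            "path": path,
            "threat": threat,
            "action": action,                # '' when no action was recorded
            "in_archive": "\\" in obj,       # member nested inside a container file
            "staged": any(m in low for m in STAGED_MARKERS),
        })
    return records


def summarize(records):
    """Count actions, list incurable (quarantined) items, and flag live hits left untouched."""
    actions = Counter(r["action"] or "(none)" for r in records)
    incurable = [r["object"] for r in records if "incurable" in r["action"].lower()]
    # Live files the scanner named but did not act on: these need a human
    # decision (heuristic 'Probably ...' and 'Tool.' verdicts land here).
    # Archive members are skipped because their container is reported separately.
    needs_review = [
        (r["object"], r["threat"])
        for r in records
        if not r["action"] and not r["staged"] and not r["in_archive"]
    ]
    return {
        "total": len(records),
        "actions": dict(actions),
        "incurable_moved": incurable,
        "needs_review": needs_review,
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    print("objects reported:", summary["total"])
    print("actions:", summary["actions"])
    print("incurable, moved to quarantine:", summary["incurable_moved"])
    for obj, threat in summary["needs_review"]:
        print("needs a decision:", obj, "->", threat)
```

Run it against the sample and the "needs a decision" list contains only the two live files with an empty action field; everything under the restore point, the DSS backup folder or the OTMoveIt folder is counted but not flagged, which is the distinction a helper reads the pasted log for.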
Rorschach112
post Sep 6 2007, 08:11 AM
Post #12


GeekU Teacher
Posts: 19,220
From: Dublin
OS: XP



Hello again :)

We need to do a little more work unfortunately.

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.



Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.



So in your next reply I need to see the following : the SDFix report, a new DSS log, and tell me how your PC is running now and if you had any problems.
wyldkatt
post Sep 6 2007, 07:07 PM
Post #13


Member
Posts: 39
OS: XP PRO



Sorry Rorschach112---
Been a hectic day....Well friend, here's the SDFix report....



SDFix: Version 1.102

Run by Susan on Thu 09/06/2007 at 05:49 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\Susan\Desktop\NEWFOL~1\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\keylog.txt - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

Remaining Files:
---------------

File Backups: - C:\DOCUME~1\Susan\Desktop\NEWFOL~1\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\WINDOWS\system32\drivers\NetMotCM.sys
C:\Documents and Settings\Susan\Application Data\Microsoft\Word\~WRL0005.tmp
C:\Documents and Settings\Susan\Application Data\Microsoft\Word\~WRL0003.tmp
C:\Documents and Settings\Susan\Application Data\Microsoft\Word\~WRL0004.tmp
C:\Documents and Settings\Susan\Application Data\Microsoft\Word\~WRL0751.tmp
C:\Documents and Settings\Susan\Application Data\Microsoft\Word\~WRL1866.tmp
C:\Documents and Settings\Susan\Application Data\Microsoft\Word\~WRL0900.tmp
C:\Documents and Settings\Susan\Application Data\Microsoft\Word\~WRL3390.t