W32.TROJAN.AGENT removal PLEASE HELP asap ! [RESOLVED]



#31 RatHat (Ex Malware Expert, 7,829 posts)

How's the machine running now?

#32 btdcrazyj (Topic Starter, Member, 47 posts)

I'll have to scan with kaspersky again. Will take a long time, I'll update you asap.
Thanks, mate.

#33 btdcrazyj (Topic Starter, Member, 47 posts)

I just started scanning; it's at 0%,
but it already says
Number of viruses found: 1
Number of infected objects: 1

I can't get the log yet until the entire scan finishes.
So I guess it's not gone?

Should I try that MoveIt thing like you told me to do on the laptop or will it delete necessary files needed to run the computer?

#34 RatHat (Ex Malware Expert, 7,829 posts)

No, let's have a look at what Kaspersky finds. It could be in the files that Combofix has quarantined, or in an old restore point, which is safe unless you use System Restore. Later I'll show you how to clear all restore points so that old infected files are removed completely.

#35 btdcrazyj (Topic Starter, Member, 47 posts)

Here is my last Kaspersky scan log. Seems to HAVE EVEN MORE INFECTED OBJECTS NOW! :) omgggggg :)
I'm going to bed now, I have school tomorrow. I'll check up for a reply tomorrow.
Thanks for being patient with me, appreciate it greatly.

KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 27, 2008 12:17:43 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/05/2008
Kaspersky Anti-Virus database records: 800751


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target Folders
C:\_OTMoveIt\
C:\AllokMP3toAMRFolder\
C:\cmdcons\
C:\Documents and Settings\
C:\HammerAutosave\
C:\HJT\
C:\ICLASS\
C:\MSOCache\
C:\NVIDIA\
C:\Program Files\Academy\
C:\Program Files\Adobe\
C:\Program Files\Ahead\
C:\Program Files\AltoMP3 Gold\
C:\Program Files\Alwil Software\
C:\Program Files\Analog Devices\
C:\Program Files\ANI\
C:\Program Files\ASIO4ALL v2\
C:\Program Files\ASUS\
C:\Program Files\Audio Edit Magic\
C:\Program Files\CCleaner\
C:\Program Files\Common Files\
C:\Program Files\COMODO\
C:\Program Files\ComPlus Applications\
C:\Program Files\DIFX\
C:\Program Files\D-Link\
C:\Program Files\E-Color\
C:\Program Files\GameArena\
C:\Program Files\Google\
C:\Program Files\Hewlett-Packard\
C:\Program Files\HP\
C:\Program Files\Image-Line\
C:\Program Files\InstallShield Installation Information\
C:\Program Files\Intel\
C:\Program Files\Internet Explorer\
C:\Program Files\iPod\
C:\Program Files\Java\
C:\Program Files\Lavasoft\
C:\Program Files\LimeWire\
C:\Program Files\Logitech\
C:\Program Files\Macromedia\
C:\Program Files\Messenger\
C:\Program Files\Messenger Plus! Live\
C:\Program Files\microsoft frontpage\
C:\Program Files\Microsoft Office\
C:\Program Files\Microsoft Visual Studio\
C:\Program Files\Microsoft Works\
C:\Program Files\Microsoft.NET\
C:\Program Files\MIKSOFT\
C:\Program Files\Movie Maker\
C:\Program Files\Mozilla Firefox\
C:\Program Files\MSBuild\
C:\Program Files\MSN\
C:\Program Files\MSN Gaming Zone\
C:\Program Files\MSN Messenger\
C:\Program Files\NetMeeting\
C:\Program Files\Nokia\
C:\Program Files\Online Services\
C:\Program Files\Outlook Express\
C:\Program Files\QuickTime\
C:\Program Files\SystemRequirementsLab\
C:\Program Files\Trend Micro\
C:\Program Files\Uninstall Information\
C:\Program Files\utorrent\
C:\Program Files\Ventrilo\
C:\Program Files\VideoLAN\
C:\Program Files\VstPlugins\
C:\Program Files\Warcraft III\
C:\Program Files\Web Publish\
C:\Program Files\Windows Journal Viewer\
C:\Program Files\Windows Live\
C:\Program Files\Windows Media Player\
C:\Program Files\Windows NT\
C:\Program Files\WindowsUpdate\
C:\Program Files\WinRAR\
C:\Program Files\xerox\
C:\QooBox\
C:\System Volume Information\
C:\WINDOWS\

Scan Statistics
Total number of scanned objects 81553
Number of viruses found 3
Number of infected objects 5
Number of suspicious objects 0
Duration of the scan process 01:08:27

Infected Object Name Virus Name Last Action
C:\_OTMoveIt\MovedFiles\05252008_231317\AutoRun.inf Infected: Trojan.Win32.Agent.abt skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\fou\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\fou\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\fou\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\fou\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\fou\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\fou\Local Settings\History\History.IE5\MSHist012008052620080527\index.dat Object is locked skipped

C:\Documents and Settings\fou\Local Settings\Temporary Internet Files\Content.IE5\74LI7Z8W\SUPERAntiSpyware[1].exe Object is locked skipped

C:\Documents and Settings\fou\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\fou\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\fou\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Logitech\Desktop Messenger\8876480\Users\fou\Data\chandir.dat Object is locked skipped

C:\Program Files\Logitech\Desktop Messenger\8876480\Users\fou\Data\chandir.idx Object is locked skipped

C:\Program Files\Logitech\Desktop Messenger\8876480\Users\fou\Data\chn.dat Object is locked skipped

C:\Program Files\Logitech\Desktop Messenger\8876480\Users\fou\Data\chn.idx Object is locked skipped

C:\Program Files\Logitech\Desktop Messenger\8876480\Users\fou\Data\D0000000.FCS Object is locked skipped

C:\Program Files\Logitech\Desktop Messenger\8876480\Users\fou\Data\inuse.txt Object is locked skipped

C:\Program Files\Logitech\Desktop Messenger\8876480\Users\fou\Data\L0000002.FCS Object is locked skipped

C:\Program Files\Logitech\Desktop Messenger\8876480\Users\fou\Data\main.log Object is locked skipped

C:\Program Files\Logitech\Desktop Messenger\8876480\Users\fou\Data\prs.dat Object is locked skipped

C:\Program Files\Logitech\Desktop Messenger\8876480\Users\fou\Data\prs.idx Object is locked skipped

C:\Program Files\Logitech\Desktop Messenger\8876480\Users\fou\Data\prs_die.dat Object is locked skipped

C:\Program Files\Logitech\Desktop Messenger\8876480\Users\fou\Data\prs_die.idx Object is locked skipped

C:\Program Files\Logitech\Desktop Messenger\8876480\Users\fou\Data\prs_dnd.dat Object is locked skipped

C:\Program Files\Logitech\Desktop Messenger\8876480\Users\fou\Data\prs_dnd.idx Object is locked skipped

C:\Program Files\Logitech\Desktop Messenger\8876480\Users\fou\Data\prs_ext.dat Object is locked skipped

C:\Program Files\Logitech\Desktop Messenger\8876480\Users\fou\Data\prs_ext.idx Object is locked skipped

C:\Program Files\Logitech\Desktop Messenger\8876480\Users\fou\Data\prs_rcv.dat Object is locked skipped

C:\Program Files\Logitech\Desktop Messenger\8876480\Users\fou\Data\prs_rcv.idx Object is locked skipped

C:\Program Files\Logitech\Desktop Messenger\8876480\Users\fou\Data\storydb.dat Object is locked skipped

C:\Program Files\Logitech\Desktop Messenger\8876480\Users\fou\Data\storydb.idx Object is locked skipped

C:\QooBox\Quarantine\C\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL.vir Infected: not-a-virus:AdWare.Win32.MySearch.i skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{F889474A-5792-4940-A9F9-AEC99F54CFF9}\RP391\A0137532.inf Infected: Trojan.Win32.Agent.abt skipped

C:\System Volume Information\_restore{F889474A-5792-4940-A9F9-AEC99F54CFF9}\RP394\A0138579.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped

C:\System Volume Information\_restore{F889474A-5792-4940-A9F9-AEC99F54CFF9}\RP395\A0138602.DLL Infected: not-a-virus:AdWare.Win32.MySearch.i skipped

C:\System Volume Information\_restore{F889474A-5792-4940-A9F9-AEC99F54CFF9}\RP395\change.log Object is locked skipped

C:\WINDOWS\CSC\00000001 Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{18753391-B041-421C-8F1C-75872217EB3C}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{816CAFE6-9FB6-48CF-B56E-51199131ED6B}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped

C:\WINDOWS\system32\config\OSession.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_630.dat Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_76c.dat Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#36 RatHat (Ex Malware Expert, 7,829 posts)

Not so sure about that log, did you scan the complete computer? As it is, it is only showing quarantined objects.

OK, first thing, let's get rid of the P2P programs via your Add/Remove Programs function. Get rid of LimeWire, uTorrent and any others you may have.

Next, download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
Just noticed that you have enrolled in GeekU. Well done! This will be a great hands on experience for you which will help you with your studies in GeekU. I teach a couple of the upper class logs, so I'll see you there :)

Regards,
RatHat

#37 btdcrazyj (Topic Starter, Member, 47 posts)

That was a Kaspersky Online Scanner log, and it scanned my C drive, as it would take too long last night to also scan my D drive because I have 2 separate drives. But my D drive is full of Word documents, pictures and music.
I already removed all IRC UTORRENT AND LIMEWIRE last night =)
I'll get back to you as soon as I do the next steps.

Thanks, mate.
Jason.

#38 RatHat (Ex Malware Expert, 7,829 posts)

OK, when you run DrWeb, make sure you connect your D:\ drive, as some documents, pictures and music can carry malware without you knowing, especially downloaded files.

Regards,
RatHat

#39 btdcrazyj (Topic Starter, Member, 47 posts)

I can't get it to boot in safe mode. When I do the F8 thing, the computer takes me to a black screen to choose from either my floppy drive, C drive, or CD drive.
But there is no option to boot in safe mode, and it's not the safe mode options screen that has Start Windows Normally, boot in Safe Mode, etc.
Any ideas?

#40 RatHat (Ex Malware Expert, 7,829 posts)

Allow the computer to get to the initial start screen, and you should have the option to boot into either the Recovery Console, or Windows XP.

Highlight Windows XP, then hit the F8 key.

Let me know if you now get into safe mode.

Regards,
RatHat

#41 btdcrazyj (Topic Starter, Member, 47 posts)

There are only options to restart, shut down, and stand by in the log-in screen after Windows has loaded.
Can I create a boot up disk with a floppy disk ?

#42 RatHat (Ex Malware Expert, 7,829 posts)

Can you boot normally, and run DrWeb from there first?

#43 RatHat (Ex Malware Expert, 7,829 posts)

When that is complete, please download Safe Boot Key Repair to your Desktop.

Double click SafeBootKeyRepair.exe to run the program, then follow the prompts.

Please post me the log it produces.

#44 btdcrazyj (Topic Starter, Member, 47 posts)

Here is my DrWeb log.

A0137532.inf;C:\System Volume Information\_restore{F889474A-5792-4940-A9F9-AEC99F54CFF9}\RP391;Win32.HLLW.Cent;Deleted.;
A0138546.EXE;C:\System Volume Information\_restore{F889474A-5792-4940-A9F9-AEC99F54CFF9}\RP394;Program.PsExec.170;Incurable.Moved.;
A0138579.exe;C:\System Volume Information\_restore{F889474A-5792-4940-A9F9-AEC99F54CFF9}\RP394;Program.mIRC.623;Incurable.Moved.;
A0138606.EXE;C:\System Volume Information\_restore{F889474A-5792-4940-A9F9-AEC99F54CFF9}\RP395;Program.PsExec.170;Incurable.Moved.;
AutoRun.inf;C:\_OTMoveIt\MovedFiles\05252008_231317;Win32.HLLW.Cent;Deleted.;

#45 RatHat (Ex Malware Expert, 7,829 posts)

Good! Looks like you are clear. Now could you run SafeBootKeyRepair.exe, save the log to your desktop, then see if you can boot into Safe Mode.

Once back in normal windows, post me the SafeBootKeyRepair log, and let me know if you were able to access Safe Mode.
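The two scan reports in this thread, the Kaspersky Online Scanner report in #35 and the DrWeb.csv rows in #44, both locate every hit inside a quarantine folder or a System Restore point, which is why RatHat reads the first as "only showing quarantined objects" and the second as clear. The Python script below is an added example, not code from the thread, from Kaspersky or from Dr.Web: it parses both report shapes into one list of findings, classifies each path as quarantine, restore point or live, and reports whether anything flagged sits on the live file system. The sample inputs are constructed from the lines posted above, plus one clearly labelled constructed live hit (`CONSTRUCTED-live-hit.dll`) that does not appear in the thread, so the failure case is exercised too. The quarantine folder names (`_OTMoveIt\MovedFiles`, `QooBox\Quarantine`, `DoctorWeb\Quarantine`) are the ones named in this thread; any other tool's folder would need adding to `QUARANTINE_MARKERS`.

```python
"""Normalise Kaspersky Online Scanner and Dr.Web CureIt findings and check
whether any detection sits outside quarantine folders or restore points.
Added example for this thread; not code from Kaspersky, Dr.Web or the forum."""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str       # full path of the flagged object
    detection: str  # scanner's detection name
    action: str     # what the scanner did (skipped, Deleted., Incurable.Moved. ...)
    scanner: str    # "kaspersky" or "drweb"


# Kaspersky report rows: "<path> Infected: <name> <action>" for detections,
# "<path> Object is locked skipped" for files it could not open (not hits).
_KAV_HIT = re.compile(r"^(?P<path>.+?) Infected: (?P<detection>\S+) (?P<action>\S+)$")


def parse_kaspersky(report: str) -> List[Finding]:
    """Return only real detections; header, footer and locked-object rows are dropped."""
    findings = []
    for line in report.splitlines():
        m = _KAV_HIT.match(line.strip())
        if m:
            findings.append(Finding(m["path"], m["detection"], m["action"], "kaspersky"))
    return findings


def parse_drweb(csv_text: str) -> List[Finding]:
    """DrWeb.csv rows look like 'file;directory;threat;action;' (note the trailing ';')."""
    findings = []
    for line in csv_text.splitlines():
        parts = line.strip().split(";")
        if len(parts) < 4 or not parts[0]:
            continue
        name, directory, threat, action = parts[:4]
        findings.append(Finding(directory.rstrip("\\") + "\\" + name, threat, action, "drweb"))
    return findings


# Folder markers named in this thread; matched case-insensitively on the path.
QUARANTINE_MARKERS = (
    "\\_otmoveit\\movedfiles\\",  # OTMoveIt
    "\\qoobox\\quarantine\\",     # ComboFix
    "\\doctorweb\\quarantine\\",  # Dr.Web CureIt
)
RESTORE_POINT_MARKER = "\\system volume information\\_restore{"


def location(path: str) -> str:
    """Classify where a flagged object lives: quarantine, restore_point or live."""
    p = path.lower()
    if any(marker in p for marker in QUARANTINE_MARKERS):
        return "quarantine"
    if RESTORE_POINT_MARKER in p:
        return "restore_point"
    return "live"


def live_hits(findings: List[Finding]) -> List[Finding]:
    """Detections outside quarantine and restore points: these still need attention."""
    return [f for f in findings if location(f.path) == "live"]


def is_clear(findings: List[Finding]) -> bool:
    """True when every detection is already contained (quarantined or in a restore point)."""
    return not live_hits(findings)


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts = {"quarantine": 0, "restore_point": 0, "live": 0}
    for f in findings:
        counts[location(f.path)] += 1
    return counts


# Constructed sample: detection rows from the Kaspersky report posted in the thread,
# one locked-object row, and ONE constructed live hit (CONSTRUCTED-live-hit.dll)
# that is not in the thread, so the failure path is exercised.
KASPERSKY_SAMPLE = "\n".join([
    "Infected Object Name Virus Name Last Action",
    "C:\\_OTMoveIt\\MovedFiles\\05252008_231317\\AutoRun.inf Infected: Trojan.Win32.Agent.abt skipped",
    "C:\\Documents and Settings\\fou\\NTUSER.DAT Object is locked skipped",
    "C:\\QooBox\\Quarantine\\C\\Program Files\\AskSBar\\bar\\1.bin\\ASKSBAR.DLL.vir Infected: not-a-virus:AdWare.Win32.MySearch.i skipped",
    "C:\\System Volume Information\\_restore{F889474A-5792-4940-A9F9-AEC99F54CFF9}\\RP391\\A0137532.inf Infected: Trojan.Win32.Agent.abt skipped",
    "C:\\System Volume Information\\_restore{F889474A-5792-4940-A9F9-AEC99F54CFF9}\\RP394\\A0138579.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped",
    "C:\\WINDOWS\\system32\\CONSTRUCTED-live-hit.dll Infected: Example.Constructed.Detection skipped",
    "Scan process completed.",
])

# Constructed sample: the DrWeb.csv rows posted in the thread.
DRWEB_SAMPLE = "\n".join([
    "A0137532.inf;C:\\System Volume Information\\_restore{F889474A-5792-4940-A9F9-AEC99F54CFF9}\\RP391;Win32.HLLW.Cent;Deleted.;",
    "A0138546.EXE;C:\\System Volume Information\\_restore{F889474A-5792-4940-A9F9-AEC99F54CFF9}\\RP394;Program.PsExec.170;Incurable.Moved.;",
    "A0138579.exe;C:\\System Volume Information\\_restore{F889474A-5792-4940-A9F9-AEC99F54CFF9}\\RP394;Program.mIRC.623;Incurable.Moved.;",
    "A0138606.EXE;C:\\System Volume Information\\_restore{F889474A-5792-4940-A9F9-AEC99F54CFF9}\\RP395;Program.PsExec.170;Incurable.Moved.;",
    "AutoRun.inf;C:\\_OTMoveIt\\MovedFiles\\05252008_231317;Win32.HLLW.Cent;Deleted.;",
])


if __name__ == "__main__":
    for name, findings in (("Kaspersky", parse_kaspersky(KASPERSKY_SAMPLE)),
                           ("Dr.Web", parse_drweb(DRWEB_SAMPLE))):
        print(f"{name}: {summarize(findings)} clear={is_clear(findings)}")
        for f in live_hits(findings):
            print(f"  LIVE: {f.path} ({f.detection}, {f.action})")
```

Run against the real reports, the Dr.Web set comes back clear (one quarantine hit, four restore-point hits, nothing live), while the Kaspersky sample fails only because of the constructed `system32` row. Restore-point hits are kept as their own class rather than folded into "quarantine" because they are not removed by the scanner (Kaspersky only reports, action `skipped`); they go away when the restore points are cleared, which is the step RatHat says he will cover later.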