
Need help removing darksma!


#16
Stamper19
  • Expert
  • 1,992 posts
Hi lebana,

Happy to hear things are running better. We are almost done. We do have to deal with one infected file. Being as this file is actually a system file, there will be two steps. First we will delete the corrupted file, and then we will reinstall the Microsoft .NET Framework, which will create a fresh file on the system.

Also, were you able to find and delete C:\WINDOWS\geeffc.dll as instructed in my previous post?

----------------------------------------------------------------

Let's delete some ill-mannered files.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\ServicePackFiles\i386\installutil.exe

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum. Reboot into Normal Mode.

----------------------------------------------------------------

Let's reinstall the Microsoft .NET Framework.
  • Please download the .Net Framework here.
  • Save the installation file to a location on your hard drive.
  • When the download is complete, locate the installation file on your hard drive and double click it to install.
  • Follow any on screen instructions during the installation process.
----------------------------------------------------------------

Information to include in your next post:
  • OT MoveIt Report
  • Let me know about C:\WINDOWS\geeffc.dll as I mentioned above.
  • Let me know if the computer is still running well.

#17
lebana
  • Topic Starter
  • Member
  • 19 posts
Hi! I did find C:\WINDOWS\geeffc.dll. All I had to do was find it, right click on it and delete it, right?

I did the OTMoveIt steps twice because the first time I did it I followed your steps and well your steps said to click move it and then close OTMoveIt so that's what I did. Then I kept reading and well you wanted the results, but the second results obviously weren't the same. The second results were:

File/Folder C:\WINDOWS\ServicePackFiles\i386\installutil.exe not found.

Created on 08/06/2007 18:52:40

The first time I did it though it said moved at the end.

I reinstalled the Microsoft Frame. network. Or well at least I think I did because I did what you told me to and then it started downloading and then it just disappeared; nothing else happened.

My computer has been running pretty well except for when I first turn it on and get to my desktop a whole bunch of missing files appear. I have to click ok on them, but other than that it's doing pretty well.

#18
lebana
  • Topic Starter
  • Member
  • 19 posts
Hey, umm... unfortunately there is something wrong with my computer. It doesn't want to start properly. After I "downloaded" the Microsoft Frame. network I turned off the computer because some of the programs I wanted to open wouldn't open, like for example Adobe Reader and Microsoft Word, so I decided to turn it off. Problem being that it never turned off. It seemed like it was going to turn off but then it restarted by itself. It kept doing that over and over again, but it would really only restart halfway because it would never get to my desktop.

Hoping that if it would turn off for a while it would go back to normal, I turned it off manually by switching the off switch in the back of the CPU. When I switched it back on it would still do the same thing. So when it restarted once again I pressed F8 several times and I chose the disable restart when system failure or something like that. So when it restarted a blue screen came on saying that it couldn't start because there was a fatal system error or failure. Then I turned it off and turned it on again.

I put it on safe mode hoping that would work and it did turn on to the desktop, and then I tried restoring it with System Restore to the time before I downloaded the program, but that didn't work. So then I tried restoring it to yesterday to see if that would do the trick but not even that worked. I tried using the internet in safe mode but it wouldn't let me. So now I'm writing to you in Safe Mode with Networking. I'm not sure what in the world happened to my computer but I have a feeling it had something to do with the file path I moved with OTMoveIt and what I downloaded. I need help!!!!!!!!

Sorry for all the writing but I figured I should explain to you in detail what happened!

#19
Stamper19
  • Expert
  • 1,992 posts
Hi lebana,

Do you have your Windows XP CD?

Let's try to figure out if this is malware related or Windows related. Then we can decide on a course of action.

Please scan again with Deckard's System Scanner (DSS); however, this time we will run it a bit differently:
  • Go to Start >> Run and paste the following line, and then press "OK":

    "%userprofile%\desktop\dss.exe" /config

  • Click Check All and then Scan.
  • The scan may take a minute. When the scan is complete, two text files will open - Main.txt and Extra.txt
Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags DSS as suspicious. Please allow the Deckard's System Scanner to run and don't let your Antivirus delete it. (In this case, it may be better to temporarily disable your Antivirus.)

Post the main.txt and extra.txt from the C:\Deckard\System Scanner folder into your next reply.

#20
lebana
  • Topic Starter
  • Member
  • 19 posts
The file path for the dss didn't work. The computer didn't find it. I tried downloading the microsoft. net frame again because like I said before I think it didn't download properly the first time. Problem being that I couldn't because "The Windows Installer package: C:\Documents and Settings\Luis Dominguez\Local Settings\Tem\SIT35884.tmp\vs_setup.msi could not be opened".

#21
Stamper19
  • Expert
  • 1,992 posts
Hi lebana,

We are going to run System File Checker, to make sure all of your protected files are not corrupt. The scan will automatically replace any corrupt files that it finds.

  • Click Start
  • Select Run
  • At the prompt type sfc /scannow (please note that there is a single space between sfc and /scannow).

Typing this will start the program, and a box should appear telling you how much longer the process should take.

Sometimes the scan will prompt you for your Windows XP disc upon starting the scan. If this happens please make sure that you can view protected files:
  • My Computer
  • Tools
  • Folder Options
  • View
  • "Uncheck" Hide protected operating system files.
Then rerun the scan. If this still asks you to put in your Windows XP CD, and you do not have the CD (if you bought it preinstalled), post back for more tips; otherwise enter the Windows CD.

Once the scan is complete:

Check your Windows Updates! After using the File Protection Service, you might need to reapply some updates.

Please reboot, and let me know if anything has changed.

Also, please rehide the protected files:
  • My Computer
  • Tools
  • Folder Options
  • View
  • "Check" Hide protected operating system files.

#22
lebana
  • Topic Starter
  • Member
  • 19 posts
Nothing happened when I put in sfc \scannow. A box quickly appears for like half a second and then it disappears and nothing happens after that. Remember that I am in Safe Mode with Networking.

#23
Stamper19
  • Expert
  • 1,992 posts
Hi lebana,

"Remember that I am in Safe Mode with Networking."

Everything we have tried should work in Safe Mode with Networking :whistling:

As a side note, try to avoid Safe Mode with Networking as much as possible. When in that mode you have no defense against malware, as AntiVirus and AntiSpyware programs are not running. Use it when you must, but please keep in mind that it poses a high risk of infection.

Please post a fresh HijackThis log. We need to determine whether these issues are malware or Windows related. Do the scan in safe mode if necessary.

#24
lebana
  • Topic Starter
  • Member
  • 19 posts
Hi, well I have to run in Safe Mode with Networking because that's the only way that my computer runs. Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 10:11:20 AM, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


#25
Stamper19
  • Expert
  • 1,992 posts
Hi lebana,

"well I have to run in Safe Mode with Networking because that's the only way that my computer runs."

The computer also runs in Safe Mode without Networking, correct? You should use that Mode as much as possible and only use Safe Mode with Networking when you absolutely must access the internet. In regular Safe Mode you will not have access to the internet, however you will not be at risk of further infection either. In Safe Mode with Networking you are completely open to new infection.

Also, please do not download anything other than what is instructed during the course of the fix. Doing so can cause confusion and prolong the fixing process. I know this is a bit frustrating, but do try to hang in there. We are slowly whittling away at the problem.

----------------------------------------------------------------

Let's try to start the computer using the Last Known Good Configuration.

How to start your computer by using the Last Known Good Configuration feature:

To start your computer by using the Last Known Good Configuration feature, follow these steps:
  • Start your computer.
  • When you see the "Please select the operating system to start" message, press the F8 key.
  • When the Windows Advanced Options menu appears, use the ARROW keys to select Last Known Good Configuration (your most recent settings that worked), and then press ENTER.
  • If you are running other operating systems on your computer, use the ARROW keys to select Microsoft Windows XP, and then press ENTER.

#26
lebana
  • Topic Starter
  • Member
  • 19 posts
Hi! I've already tried restarting my computer to the Last Known Good Configuration several times but nothing happens. My computer doesn't start. Well it only restarts half way then it turns off and so forth.

#27
Stamper19
  • Expert
  • 1,992 posts
Hi lebana,

Good job working through everything. Let's try again to determine if this is malware related.

----------------------------------------------------------------

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

#28
lebana
  • Topic Starter
  • Member
  • 19 posts
KASPERSKY ONLINE SCANNER REPORT
Wednesday, August 08, 2007 11:31:56 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 9/08/2007
Kaspersky Anti-Virus database records: 377335


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 96282
Number of viruses found 23
Number of infected objects 85
Number of suspicious objects 1
Duration of the scan process 01:42:28


C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\_OTMoveIt\MovedFiles\WINDOWS\ServicePackFiles\i386\installutil.exe Infected: Virus.Win32.Sality.o skipped

Scan process completed.

#29
Stamper19

  • Expert
  • 1,992 posts
Hi lebana,

After looking at the logs, it would appear that this is a Windows issue and not a Malware issue. So, given that a few things we've tried haven't worked, we are going to use Windows' built-in Repair feature to fix your installation of Windows.

Please thoroughly read, and carefully follow all the steps outlined here to perform the Windows repair. The instructions are quite detailed and rather easy to follow, but again I must stress that you should read everything carefully.

Post back when the repair is complete and let me know if there is any improvement.

Stamper

#30
lebana

  • Topic Starter
  • Member
  • 19 posts
Hey! Umm... I don't have a Windows XP CD. :whistling: