Avast WEBforum
Other => Viruses and worms => Topic started by: cheekiat on November 07, 2008, 06:45:19 PM
-
Sorry if I posted in the wrong format; I was going according to: http://forum.avast.com/index.php?topic=14433.0
Question ( 1 ) : I was downloading a game; after that I restarted my computer and I saw msupdte.exe. After that I googled it and found it was a virus. I tried scanning with Avast and an online scanner, but they can't detect anything.
Question ( 2 ) : From a keygen website, I guess.
Question ( 3 ) : Downloaded
Question ( 4 ) : C:\WINDOWS\system32\msupdte.exe
Question ( 5 ) : Nothing came out.
Question ( 6 ) : Scanned, nothing happens.
Question ( 7 ) : I used that website to scan, but can't detect anything either.
Question ( 8 ) : This is the first forum i tried.
Question ( 9 ) : Done
Question ( 10 ) : Okay.
-
log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:44:03 AM, on 11/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Lenovo\SafeGuard PrivateDisk\pdservice.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\spoolsv.exe
C:\FRAPS\FRAPS.EXE
C:\xampp\apache\bin\apache.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\xampp\apache\bin\apache.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Registry Mechanic\regmech.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lenovo.com/welcome/thinkcentre
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\Lenovo\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Microsoft WinUpdate] C:\WINDOWS\system32\msupdte.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update Machine] meaukd.exe
O4 - HKCU\..\Run: [DesktopX] "C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\DesktopX.exe"
O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
O4 - HKCU\..\Run: [Performance Center] C:\Program Files\Ascentive\Performance Center\APCMain.exe -m
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/welcome/thinkcentre
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: Apache2.2 - Apache Software Foundation - C:\xampp\apache\bin\apache.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
--
End of file - 9234 bytes
-
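The two Run entries that stand out in the log above ([Microsoft WinUpdate] pointing into system32, and [Microsoft Update Machine] launching a bare meaukd.exe) are the kind of thing a small triage script can pick out of a pasted HijackThis log. The following is an added example written for this page; it is not part of HijackThis, avast or any post in the thread, and the impersonation word list and the short system32 allowlist are assumptions to adapt to your own baseline:

```python
"""Triage HijackThis O4 (autostart) entries from a pasted log.

Added example for this thread; it is not part of HijackThis or avast.
IMPERSONATION_WORDS and KNOWN_SYSTEM32 are illustrative assumptions,
not a vendor whitelist.
"""
import re

# An O4 Run line looks like:  O4 - HKLM\..\Run: [Value name] command line
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')

# Wording malware borrows to pass as an OS component. Automatic Updates
# runs as the wuauserv service; it does not register a Run value at all.
IMPERSONATION_WORDS = ("microsoft", "winupdate", "windows update", "update machine")

# Executables that genuinely live in system32 and commonly appear in Run
# (assumed allowlist; keep it short and local to your own baseline).
KNOWN_SYSTEM32 = {"ctfmon.exe", "rundll32.exe", "dumprep"}


def parse_o4(line):
    """Return (hive, value_name, command) for an O4 Run line, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return m.group("hive"), m.group("name"), m.group("cmd")


def executable_of(cmd):
    """The program actually launched: first token, surrounding quotes removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def triage_o4(line):
    """Reasons this autostart entry deserves a look; an empty list means nothing odd."""
    parsed = parse_o4(line)
    if parsed is None:
        return []
    _hive, name, cmd = parsed
    exe = executable_of(cmd)
    base = exe.lower().rsplit("\\", 1)[-1]
    reasons = []
    # A bare file name is resolved through the search path at logon, so the
    # log does not tell you where the file lives (meaukd.exe in this thread).
    if "\\" not in exe and base not in KNOWN_SYSTEM32:
        reasons.append("bare filename, location unknown: " + exe)
    if any(w in name.lower() for w in IMPERSONATION_WORDS):
        reasons.append("value name impersonates a Microsoft component: " + name)
    # An unfamiliar binary dropped straight into system32 hides among OS files.
    if "\\system32\\" in exe.lower() and base not in KNOWN_SYSTEM32:
        reasons.append("unfamiliar executable in system32: " + exe)
    return reasons


def triage_log(text):
    """Map Run value name -> reasons, for every flagged O4 line in a log."""
    flagged = {}
    for line in text.splitlines():
        reasons = triage_o4(line)
        if reasons:
            flagged[parse_o4(line)[1]] = reasons
    return flagged


# Lines copied from the HijackThis log earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Microsoft WinUpdate] C:\WINDOWS\system32\msupdte.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] meaukd.exe
"""

if __name__ == "__main__":
    for value_name, why in triage_log(SAMPLE_LOG).items():
        print(value_name, "->", "; ".join(why))
```

Run it on a saved log with triage_log(open("hijackthis.log").read()). The bare-filename rule is the one that matters most here: a Run value with no directory is resolved through the search path at logon, which is why the log alone cannot tell you where meaukd.exe actually lives.
-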
You could also check the offending/suspect file at VirusTotal (http://www.virustotal.com/), a multi-engine on-line virus scanner, and report the findings here. You can't do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.
Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield: Customize, Advanced, Add, type (or copy and paste) C:\Suspect\*. That will stop the Standard Shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
If multiple scanners detect it but not avast, send the sample to avast.
Send the sample to virus@avast.com, zipped and password protected, with the password in the email body, a link to this topic (the URL for the VirusTotal results page might help) and 'undetected malware' in the subject.
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there), where it can do no harm, and send it from there (select the file, right click, Email to Alwil Software). No need to zip and password protect when the sample is sent from the chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
-
I am using SUPERAntiSpyware to find any trojans or viruses now.
I will try your method; should I delete msupdte.exe?
Or should I try your solution: create a folder 'Suspect', move the file inside, then go to Standard Shield and block it?
-
If SUPERAntiSpyware confirms the infection, go ahead, send it to the avast Chest. It seems indeed an infected file.
-
Scanned, nothing harmful detected.
What next? :x
-
I tried what David told me, to go to VirusTotal; I scanned and got the report.
MD5: 67831a178f6428db2ed8d2b5dd0a38ec
First received: 06.04.2007 00:15:21 (CET)
Date: 11.05.2008 03:14:31 (CET) [>2D]
Results: 0/36
Permalink: http://www.virustotal.com/analisis/bd2f2ca5293b5487d342a9243f66add6
-
This upload you made to VT is different to the msupdte.exe in your first post???
This link is for Macromedia_Flash_player.exe, so I'm guessing that VT said this had already been scanned (received on 11.05.2008); this is an eternity in virus terms. So you should always have the upload scanned again, as that set of results is over 6 months old and basically worthless.
Edit: I assumed Date was UK date format, which is day month year; if month, day, year then no, it isn't old.
So I would say you need to upload this again and have it scanned; copy the URL from the address bar when the scan is complete. Make a note of the size of the file on your HDD; it should match the reported size in the results.
-
I tried again and it gave me Shockwave :@
-
Ahh, here!
http://www.virustotal.com/analisis/e6996610feb15391a31a1177c2c69819
-
That one is also a previous scan; you must have it scan the file 'you' upload again and not simply copy the old scan information, this one being 4 months old.
VirusTotal will recognise if it has scanned this before, but you must click the 'Reanalyse file now' button (see image) so that it scans the file that 'you' uploaded and not someone else's.
After 4 months many AVs could now detect it, or perhaps not, but we need the most recent information and that means reanalysing the file.
Edit: I assumed Date was UK date format, which is day month year; if month, day, year then no, it isn't old.
-
Ok, I'm a little confused (slightly drunk). Is the result 4 months old? 11/07/2008, is that not today? Also the files, for msupdte and Flash_player.exe, are they not the same? They have the same MD5 and file size. Please remind me never to post when I have been drinking ;D ;D ;D
-
You're not drunk or seeing double, but I might have been ;D
I assumed Date was UK date format, which is day month year; if month, day, year then no, it isn't old.
Yes, MD5s can be the same but have a different file name, which to me is suspicious, as I don't see a legit reason to do that, and more suspicious when both differently dated scans show no infection.
So this is a strange one and is still suspicious to me, and the multiple google hits that think this is malware seem to confirm that suspicion.
-
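The point made in the last few posts (the MD5 and file size of the copy on disk must match what the VirusTotal page reports, and two names sharing one MD5 are the same bytes) is easy to check locally before uploading, and it is also the check to run on a file exported from the chest into C:\Suspect as described earlier. This is an added example for this page, not code from avast, VirusTotal or any poster; the file names and sample bytes are constructed, and VT_REPORTED_MD5 is simply the hash quoted from the result page above:

```python
"""Confirm that the file you upload to VirusTotal is the file on disk.

Added example for this thread, not part of avast or VirusTotal. Paths and
the sample bytes below are constructed; VT_REPORTED_MD5 is the hash from
the result page quoted earlier in the thread.
"""
import hashlib
import os
import tempfile

VT_REPORTED_MD5 = "67831a178f6428db2ed8d2b5dd0a38ec"


def file_digests(path):
    """MD5, SHA-256 and size of a file, read in chunks so large samples are fine."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            md5.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(), "size": size}


def matches_report(digests, reported_md5, reported_size=None):
    """True when the scan report describes this exact file (hash and, if given, size)."""
    ok = digests["md5"] == reported_md5.strip().lower()
    if reported_size is not None:
        ok = ok and digests["size"] == int(reported_size)
    return ok


def same_content(path_a, path_b):
    """Two files with different names but equal SHA-256 are byte-for-byte identical."""
    return file_digests(path_a)["sha256"] == file_digests(path_b)["sha256"]


# Constructed stand-in for a PE file; only the "MZ" header is realistic.
SAMPLE_BYTES = b"MZ" + b"\x90" * 62 + b"constructed sample, not a real binary\n"


def demo():
    """Write three constructed files and run the checks on them; returns the results."""
    work = tempfile.mkdtemp(prefix="suspect_")
    msupdte = os.path.join(work, "msupdte.exe")
    flash = os.path.join(work, "Macromedia_Flash_player.exe")
    other = os.path.join(work, "other.exe")
    for path, data in ((msupdte, SAMPLE_BYTES), (flash, SAMPLE_BYTES), (other, SAMPLE_BYTES + b"!")):
        with open(path, "wb") as fh:
            fh.write(data)
    d = file_digests(msupdte)
    return {
        "digests": d,
        # same MD5/SHA-256 under two names: VT keeps one record for both
        "renamed_copy_is_same": same_content(msupdte, flash),
        "other_file_is_same": same_content(msupdte, other),
        # the check to do before trusting a VT page: hash and size must match
        "report_matches_disk": matches_report(d, d["md5"], d["size"]),
        "old_report_matches_disk": matches_report(d, VT_REPORTED_MD5),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Compare the printed MD5 and size with the VirusTotal result page before reading anything into its verdict; if either differs, the page is describing some other file and you need to reanalyse your own upload.
-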
Yes, very odd. Also there is a HJT entry Unknown:
O4 - HKCU\..\Run: [Microsoft Update Machine] meaukd.exe, that is unusual. I was very surprised by the VT result. Off to bed now.
-
:x, so what should I do now? >.<
-
What's also strange: I know of nothing good that uses 'Microsoft Update Machine'. Maybe a new one.
-
:s
Let's start this over again.
LOG //
I already did what you guys told me: create a folder called Suspect, then go to avast -> Standard Shield -> etc etc.
I locked up msupdte.exe in the Avast Chest. Btw, does this mean that the virus is now locked and my computer isn't infected?
Here at VirusTotal:
http://www.virustotal.com/reanalisis.html?e6d39f9fc7a74a51b96e0a9c178eca0c
I don't know why it's still Macromedia Flash ._.
-
HJT log, I attached it.
-
I don't know why either.
Try this. Go to VirusTotal and copy and paste this line into the submit box:
C:\WINDOWS\system32\msupdte.exe
-
Got it:
http://www.virustotal.com/reanalisis.html?25c737027e02d718fafdb329a87b2d42
-
According to the new HJT log, the problem is still there. Have you performed a boot-time scan? Also try MBAM (very important: update before scanning), which is free, and post the results from both scans, and finally a NEW HJT log.
http://www.malwarebytes.org/mbam.php (http://www.malwarebytes.org/mbam.php)
-
Here you go, try this.
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
- Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
-
MBAM LOG //
Malwarebytes' Anti-Malware 1.30
Database version: 1373
Windows 5.1.2600 Service Pack 3
11/9/2008 10:29:28 AM
mbam-log-2008-11-09 (10-29-28).txt
Scan type: Quick Scan
Objects scanned: 48310
Time elapsed: 5 minute(s), 47 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{497dddb6-6eee-4561-9621-b77dc82c1f84} (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4e980492-027b-47f1-a7ab-ab086dacbb9e} (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5ead8321-fcbb-4c3f-888c-ac373d366c3f} (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{31f3cf6e-a71a-4daa-852b-39ac230940b4} (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\SysRestore.dll (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft WinUpdate (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Machine (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Performance Center (Rogue.PCSpeedScan) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\SysRestore.dll (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
-
Can't post HJT LOG, msg exceeds 10k characters X:
I attached it; the log is from after I finished the MBAM scan.
Trying SDFix.exe now.
-
SDFix report.
-
Well, the HJT log looks much better. Wait for Essexboy to comment (especially on the SDFix log; I'm not familiar with this program, and don't know what the entry "C:\\WINDOWS\\system32\\meaukd.exe"="C:\\WINDOWS\\system32\\meaukd.exe:*:Enabled:meaukd" means, although it's no longer in the HJT log). In the meantime, turn off System Restore, reboot, and turn it back on again:
http://support.microsoft.com/kb/310405 (http://support.microsoft.com/kb/310405)
-
Yep, that is a remnant of Vundo, so let's see what remains of it. I believe the file has gone, but to be sure:
Please download the OTMoveIt3 by OldTimer (http://oldtimer.geekstogo.com/OTMoveIt3.exe).
- Save it to your desktop.
- Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
:Reg
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\system32\meaukd.exe"=-
:Files
C:\\WINDOWS\system32\meaukd.exe
:Commands
[purity]
[emptytemp]
- Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
- Click the red Moveit! button.
- Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
- Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
-
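The SDFix line quoted above is a .reg-style dump of one value under the XP firewall's AuthorizedApplications\List key: the value name is the program path and the data is path, scope (* = all addresses), Enabled/Disabled and a display name, so meaukd.exe had opened itself a firewall exception for every network. The script below is an added example for this page, not part of SDFix, OTMoveIt or avast; it parses such lines, flags the ones that look self-added, and emits the same "path"=- removal syntax OTMoveIt's :Reg section uses. The sample export is constructed (the meaukd line is the one from the thread, the other two are typical XP defaults) and KNOWN_SYSTEM32 is an assumed allowlist:

```python
"""Read Windows XP firewall AuthorizedApplications entries (as exported by
regedit or shown in tool reports) and build a .reg file that removes the
suspect ones.

Added example for this thread, not part of SDFix, OTMoveIt or avast. The
sample export below is constructed: the meaukd line is the one quoted in
the thread, the other two are typical XP defaults. KNOWN_SYSTEM32 is an
assumed allowlist.
"""
import re

LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
            r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# .reg export line:  "value name"="string data", backslashes and quotes escaped
LINE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

KNOWN_SYSTEM32 = {"sessmgr.exe"}  # Remote Assistance; extend from your own baseline


def reg_unescape(s):
    return s.replace('\\\\', '\\').replace('\\"', '"')


def reg_escape(s):
    return s.replace('\\', '\\\\').replace('"', '\\"')


def parse_entry(line):
    """One list entry -> dict, or None if the line is not an entry.

    Data layout is "<path>:<scope>:<Enabled|Disabled>:<display name>". The path
    holds a ':' after the drive letter, so strip the path first rather than
    splitting on every colon.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = reg_unescape(m.group("name"))
    data = reg_unescape(m.group("data"))
    if data.lower().startswith(path.lower()):
        fields = data[len(path):].split(":", 3)   # ['', scope, state, display]
        if len(fields) != 4 or fields[0] != "":
            return None
        _, scope, state, display = fields
    else:
        try:
            _, scope, state, display = data.rsplit(":", 3)
        except ValueError:
            return None
    return {"path": path, "scope": scope,
            "enabled": state.lower() == "enabled", "name": display}


def parse_export(text):
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def suspicious(entry):
    """Reasons an exception deserves a look; empty means it looks ordinary."""
    path = entry["path"]
    base = path.lower().rsplit("\\", 1)[-1]
    stem = base.rsplit(".", 1)[0]
    reasons = []
    # A hole opened for all addresses ("*") by an unfamiliar system32 binary.
    if entry["enabled"] and entry["scope"] == "*" \
            and "\\system32\\" in path.lower() and base not in KNOWN_SYSTEM32:
        reasons.append("unfamiliar system32 binary allowed on all networks: " + path)
    # Real installers give a descriptive display name; a dropper that adds
    # itself usually just reuses its own file name (meaukd -> "meaukd").
    if entry["name"].lower() == stem:
        reasons.append("display name is just the file name: " + entry["name"])
    return reasons


def flagged(entries):
    return [e for e in entries if suspicious(e)]


def removal_reg(entries):
    """.reg text deleting the given values ("name"=- is regedit's delete syntax,
    the same form OTMoveIt's :Reg section used earlier in the thread)."""
    lines = ["Windows Registry Editor Version 5.00", "", "[" + LIST_KEY + "]"]
    lines += ['"%s"=-' % reg_escape(e["path"]) for e in entries]
    return "\n".join(lines) + "\n"


SAMPLE_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\meaukd.exe"="C:\\WINDOWS\\system32\\meaukd.exe:*:Enabled:meaukd"
'''

if __name__ == "__main__":
    bad = flagged(parse_export(SAMPLE_EXPORT))
    for e in bad:
        print(e["path"], "->", "; ".join(suspicious(e)))
    print(removal_reg(bad))   # save as remove.reg and import with: regedit /s remove.reg
```

Removing the firewall value only closes the hole; the file itself, if it still exists, is handled separately, which is exactly the split the OTMoveIt script above makes between its :Reg and :Files sections.
-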
Okay, I will try it now.
-
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\WINDOWS\system32\meaukd.exe deleted successfully.
========== FILES ==========
File/Folder C:\\WINDOWS\system32\meaukd.exe not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Cheekiat\LOCALS~1\Temp\etilqs_k1fSdf2Y7X7Cpcczf7RP scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Cheekiat\LOCALS~1\Temp\~DF27CF.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Cheekiat\LOCALS~1\Temp\~DF2ACB.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Cheekiat\LOCALS~1\Temp\~DF996E.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Cheekiat\LOCALS~1\Temp\~DF99BA.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ib1.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ib2.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ib3.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ib4.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ib5.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_3e8.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_5ac.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Cheekiat\Local Settings\Application Data\Mozilla\Firefox\Profiles\2k2411r8.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Cheekiat\Local Settings\Application Data\Mozilla\Firefox\Profiles\2k2411r8.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Cheekiat\Local Settings\Application Data\Mozilla\Firefox\Profiles\2k2411r8.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Cheekiat\Local Settings\Application Data\Mozilla\Firefox\Profiles\2k2411r8.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Cheekiat\Local Settings\Application Data\Mozilla\Firefox\Profiles\2k2411r8.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Cheekiat\Local Settings\Application Data\Mozilla\Firefox\Profiles\2k2411r8.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
OTMoveIt3 by OldTimer - Version 1.0.7.0 log created on 11092008_221422
Files moved on Reboot...
File C:\DOCUME~1\Cheekiat\LOCALS~1\Temp\etilqs_k1fSdf2Y7X7Cpcczf7RP not found!
File C:\DOCUME~1\Cheekiat\LOCALS~1\Temp\~DF27CF.tmp not found!
File C:\DOCUME~1\Cheekiat\LOCALS~1\Temp\~DF2ACB.tmp not found!
File C:\DOCUME~1\Cheekiat\LOCALS~1\Temp\~DF996E.tmp not found!
File C:\DOCUME~1\Cheekiat\LOCALS~1\Temp\~DF99BA.tmp not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
C:\WINDOWS\temp\ib1.tmp moved successfully.
C:\WINDOWS\temp\ib2.tmp moved successfully.
C:\WINDOWS\temp\ib3.tmp moved successfully.
C:\WINDOWS\temp\ib4.tmp moved successfully.
C:\WINDOWS\temp\ib5.tmp moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_3e8.dat not found!
C:\WINDOWS\temp\Perflib_Perfdata_5ac.dat moved successfully.
C:\Documents and Settings\Cheekiat\Local Settings\Application Data\Mozilla\Firefox\Profiles\2k2411r8.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Cheekiat\Local Settings\Application Data\Mozilla\Firefox\Profiles\2k2411r8.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Cheekiat\Local Settings\Application Data\Mozilla\Firefox\Profiles\2k2411r8.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Cheekiat\Local Settings\Application Data\Mozilla\Firefox\Profiles\2k2411r8.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Cheekiat\Local Settings\Application Data\Mozilla\Firefox\Profiles\2k2411r8.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Cheekiat\Local Settings\Application Data\Mozilla\Firefox\Profiles\2k2411r8.default\XUL.mfl moved successfully.
-
How's it running now?
-
It just ran the script, then popped up a log after restart.
-
***
I suggest that you use Malwarebytes Anti-Malware next.
http://www.malwarebytes.org/mbam.php (you can use it for free)
Never mind ... somehow I posted this in the wrong thread. ::)
***
-
Trying your method now. May I ask if there is a virus that slows down your computer?
-
Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 3
11/12/2008 9:12:32 PM
mbam-log-2008-11-12 (21-12-32).txt
Scan type: Quick Scan
Objects scanned: 47210
Time elapsed: 4 minute(s), 49 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\h@tkeysh@@k.dll (Trojan.Agent) -> Quarantined and deleted successfully.
MBAM LOG.
-
Of course viruses slow down your computer. Have you downloaded a game trainer after getting your computer clean? Apparently H@TKEYSH@@K.DLL is a keylogger, or shows up as a keylogger, after downloading game trainers. It's not something I would want on my computer. IMHO if you continue to download keygens (original infection) and other dodgy files you will keep getting infected.
-
If your system is still running slow I can do a deeper investigation if you wish.
To ensure that I get all the information, this log will need to be uploaded to Mediafire (http://www.mediafire.com/); post the sharing link.
Download OTScanit (http://download.bleepingcomputer.com/oldtimer/OTScanIt.exe) to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
- Close ALL OTHER PROGRAMS.
- Open the OTScanit folder and double-click on OTScanit.exe to start the program.
- Check the box that says Scan All User Accounts
- Check the Radio button for Rootkit check YES
- Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
- Under Additional Scans check the following:
- Reg - Reg - MountPoints2
- File - Lop Check
- Reg - BotCheck
- File - Additional Folder Scans
- File - Purity Scan
- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.