Infected With Heur.trojan.generic Please Help

**ruffryder2k7** · #11 30th Oct 2008, 08:08

i am unable to download OTMoveIt2 by OldTimer
because i keep getting a 404 error when i click the link and i am not able to find it online anywhere o.0
do i really need it or can i skip it?

**evilfantasy** · #12 30th Oct 2008, 11:56

Download the OTMoveIt3 by OldTimer

Note: If you are running on Vista, right-click on OTMoveIt2.exe and choose Run As Administrator.

* Save it to your Desktop.
* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code:

:Processes
explorer.exe

:services

:reg

:files
C:\Program Files\Microsoft Windows OneCare Live

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

* Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

**ruffryder2k7** · #13 3rd Nov 2008, 09:24

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File/Folder C:\Program Files\Microsoft Windows OneCare Live not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Lifeline\LOCALS~1\Temp\etilqs_FibIlDHL DOZ6Bj5KF02i scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Lifeline\LOCALS~1\Temp\JETBABE.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Lifeline\LOCALS~1\Temp\JETBACE.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Lifeline\LOCALS~1\Temp\JETBADE.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Lifeline\LOCALS~1\Temp\JETBAED.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Lifeline\LOCALS~1\Temp\JETBAEE.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Lifeline\LOCALS~1\Temp\~DF3914.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\cch~165608efc59.htp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\cch~165608f37ff.htp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\cch~165611a39d6.htp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\cch~165611a61b2.htp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\cch~165619818e9.htp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\cch~16561982146.htp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\cch~1656291e59f.htp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\cch~1656292bc2c.htp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\cch~165629e21f1.htp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\cch~165629e4aa6.htp scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Lifeline\Local Settings\Application Data\Mozilla\Firefox\Profiles\j61dtu92.default\Cac he\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Lifeline\Local Settings\Application Data\Mozilla\Firefox\Profiles\j61dtu92.default\Cac he\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Lifeline\Local Settings\Application Data\Mozilla\Firefox\Profiles\j61dtu92.default\Cac he\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Lifeline\Local Settings\Application Data\Mozilla\Firefox\Profiles\j61dtu92.default\Cac he\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Lifeline\Local Settings\Application Data\Mozilla\Firefox\Profiles\j61dtu92.default\url classifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Lifeline\Local Settings\Application Data\Mozilla\Firefox\Profiles\j61dtu92.default\url classifier3.sqlite-journal scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Lifeline\Local Settings\Application Data\Mozilla\Firefox\Profiles\j61dtu92.default\XUL .mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.0 log created on 11032008_111709

Files moved on Reboot...
File C:\DOCUME~1\Lifeline\LOCALS~1\Temp\etilqs_FibIlDHL DOZ6Bj5KF02i not found!
File C:\DOCUME~1\Lifeline\LOCALS~1\Temp\JETBABE.tmp not found!
File C:\DOCUME~1\Lifeline\LOCALS~1\Temp\JETBACE.tmp not found!
File C:\DOCUME~1\Lifeline\LOCALS~1\Temp\JETBADE.tmp not found!
File C:\DOCUME~1\Lifeline\LOCALS~1\Temp\JETBAED.tmp not found!
File C:\DOCUME~1\Lifeline\LOCALS~1\Temp\JETBAEE.tmp not found!
C:\DOCUME~1\Lifeline\LOCALS~1\Temp\~DF3914.tmp moved successfully.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\cch~165608efc59.htp not found!
File C:\WINDOWS\temp\cch~165608f37ff.htp not found!
File C:\WINDOWS\temp\cch~165611a39d6.htp not found!
File C:\WINDOWS\temp\cch~165611a61b2.htp not found!
File C:\WINDOWS\temp\cch~165619818e9.htp not found!
File C:\WINDOWS\temp\cch~16561982146.htp not found!
File C:\WINDOWS\temp\cch~1656291e59f.htp not found!
File C:\WINDOWS\temp\cch~1656292bc2c.htp not found!
File C:\WINDOWS\temp\cch~165629e21f1.htp not found!
File C:\WINDOWS\temp\cch~165629e4aa6.htp not found!
C:\Documents and Settings\Lifeline\Local Settings\Application Data\Mozilla\Firefox\Profiles\j61dtu92.default\Cac he\_CACHE_001_ moved successfully.
C:\Documents and Settings\Lifeline\Local Settings\Application Data\Mozilla\Firefox\Profiles\j61dtu92.default\Cac he\_CACHE_002_ moved successfully.
C:\Documents and Settings\Lifeline\Local Settings\Application Data\Mozilla\Firefox\Profiles\j61dtu92.default\Cac he\_CACHE_003_ moved successfully.
C:\Documents and Settings\Lifeline\Local Settings\Application Data\Mozilla\Firefox\Profiles\j61dtu92.default\Cac he\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Lifeline\Local Settings\Application Data\Mozilla\Firefox\Profiles\j61dtu92.default\url classifier3.sqlite moved successfully.
File C:\Documents and Settings\Lifeline\Local Settings\Application Data\Mozilla\Firefox\Profiles\j61dtu92.default\url classifier3.sqlite-journal not found!
C:\Documents and Settings\Lifeline\Local Settings\Application Data\Mozilla\Firefox\Profiles\j61dtu92.default\XUL .mfl moved successfully.

**evilfantasy** · #14 3rd Nov 2008, 11:02

Update MalwareBytes and run a quick scan. Remove anything found and post the log please.

**ruffryder2k7** · #15 4th Nov 2008, 10:08

Malwarebytes' Anti-Malware 1.30
Database version: 1364
Windows 5.1.2600 Service Pack 2

11/4/2008 12:09:04 PM
mbam-log-2008-11-04 (12-09-04).txt

Scan type: Quick Scan
Objects scanned: 50511
Time elapsed: 3 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\qoMghecb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

**evilfantasy** · #16 4th Nov 2008, 11:58

How is everything now?

**ruffryder2k7** · #17 6th Nov 2008, 10:26

ComboFix 08-11-02.05 - Lifeline 2008-11-06 12:20:34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.655 [GMT -5:00]
Running from: c:\documents and settings\Lifeline\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common\helper.sig
c:\windows\Downloaded Program Files\setup.inf
c:\windows\IE4 Error Log.txt
c:\windows\system32\dao350.dll
c:\windows\system32\dikelljj.ini
c:\windows\system32\dpnioack.ini
c:\windows\system32\gteoqjhv.ini
c:\windows\system32\ijkvoc.dll
c:\windows\system32\mzphzp.dll
c:\windows\system32\oeuxogkl.dll
c:\windows\system32\rgmrpubf.ini
c:\windows\system32\ulelptnw.ini
c:\windows\system32\xqiatfeu.dll

.
((((((((((((((((((((((((( Files Created from 2008-10-06 to 2008-11-06 )))))))))))))))))))))))))))))))
.

2008-11-06 11:02 . 2008-11-06 11:02 <DIR> d-------- c:\windows\system32\scripting
2008-11-06 11:02 . 2008-11-06 11:02 <DIR> d-------- c:\windows\system32\en
2008-11-06 11:02 . 2008-11-06 11:02 <DIR> d-------- c:\windows\l2schemas
2008-11-06 11:00 . 2008-11-06 11:03 <DIR> d-------- c:\windows\ServicePackFiles
2008-11-06 10:52 . 2008-11-06 10:52 <DIR> d-------- c:\windows\EHome
2008-11-03 11:35 . 2008-10-03 12:41 6,066,176 --------- c:\windows\system32\dllcache\ieframe.dll
2008-11-03 11:35 . 2007-04-17 04:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat
2008-11-03 11:35 . 2007-03-08 00:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui
2008-11-03 11:35 . 2008-08-26 02:24 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll
2008-11-03 11:35 . 2008-08-26 02:24 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll
2008-11-03 11:35 . 2008-08-26 02:24 267,776 --------- c:\windows\system32\dllcache\iertutil.dll
2008-11-03 11:35 . 2008-08-26 02:24 63,488 --------- c:\windows\system32\dllcache\icardie.dll
2008-11-03 11:35 . 2008-08-26 02:24 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll
2008-11-03 11:35 . 2008-08-25 03:38 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe
2008-11-03 11:29 . 2008-10-15 11:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-11-03 11:17 . 2008-11-03 11:17 <DIR> d-------- C:\_OTMoveIt
2008-10-27 10:28 . 2008-10-27 10:28 <DIR> d-------- c:\program files\Trend Micro
2008-10-23 11:08 . 2008-10-23 11:08 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-10-23 11:08 . 2008-10-23 11:08 <DIR> d-------- c:\documents and settings\Lifeline\Application Data\Malwarebytes
2008-10-23 11:08 . 2008-10-23 11:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-23 11:08 . 2008-10-22 15:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-23 11:08 . 2008-10-22 15:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-10-23 09:49 . 2008-10-23 09:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-23 09:48 . 2008-10-23 09:48 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-10-23 09:48 . 2008-10-23 09:48 <DIR> d-------- c:\documents and settings\Lifeline\Application Data\SUPERAntiSpyware.com
2008-10-23 09:46 . 2008-10-23 09:46 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-10-21 10:51 . 2008-10-21 11:27 96,976 --a------ c:\windows\system32\drivers\klin.dat
2008-10-21 10:51 . 2008-10-21 10:51 87,855 --a------ c:\windows\system32\drivers\klick.dat
2008-10-21 10:49 . 2008-10-21 10:49 <DIR> d-------- c:\program files\Kaspersky Lab
2008-10-21 10:49 . 2008-11-06 12:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-10-21 10:49 . 2008-11-06 12:22 1,910,304 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-10-21 10:49 . 2008-11-06 12:22 352,288 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2008-10-21 10:49 . 2008-11-06 12:22 16,004 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-10-21 10:49 . 2008-11-06 12:22 2,284 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2008-10-21 10:44 . 2008-10-21 10:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-10-21 10:21 . 2008-10-21 10:21 <DIR> d-------- c:\program files\uTorrent
2008-10-21 10:21 . 2008-10-21 10:46 <DIR> d-------- c:\documents and settings\Lifeline\Application Data\uTorrent
2008-10-21 09:45 . 2008-10-21 09:45 <DIR> d-------- c:\windows\system32\Adobe
2008-10-18 11:56 . 2008-10-18 11:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\nView_Profiles
2008-10-16 00:18 . 2008-09-08 05:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
2008-10-16 00:14 . 2008-09-15 07:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-10-16 00:13 . 2008-08-14 05:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-16 00:13 . 2008-08-14 05:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-16 00:13 . 2008-08-14 04:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-16 00:13 . 2008-08-14 04:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-11-06 17:20 --------- d-----w c:\program files\Common
2008-11-01 21:17 --------- d-----w c:\documents and settings\All Users\Application Data\QuickTime
2008-10-29 17:09 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-09-10 07:00 --------- d-----w c:\program files\Microsoft Works
2008-09-08 10:41 333,824 ----a-w c:\windows\system32\drivers\srv.sys
2008-07-16 17:22 722 ----a-w c:\documents and settings\Lifeline\Application Data\wklnhst.dat
2007-10-29 15:00 60,968 ----a-w c:\documents and settings\Lifeline\GoToAssistDownloadHelper.exe
2006-12-28 00:52 630,784 ----a-w c:\documents and settings\Lifeline\GoToAssist_chat2way__317_en.exe
2006-10-27 19:29 630,784 ----a-w c:\documents and settings\Lifeline\chatlnk.exe
2008-07-03 18:54 88 --sh--r c:\windows\system32\E71B5BF06B.sys
2008-07-03 18:54 2,516 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 98304]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-07-29 206088]

[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EarthLink Installer]
/C [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
--a------ 2004-04-07 11:07 496752 c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellHelp]
--a------ 2004-04-01 07:51 1589248 c:\dell\DellHelp\DellHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2005-10-05 02:12 94208 c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-10-25 00:07 169984 c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a------ 2005-07-12 18:05 1117184 c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-08-23 11:12 7630848 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-08-23 11:12 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 00:02 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2006-10-25 00:02 26112 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-10-12 03:10 49263 c:\program files\Java\jre1.5.0_09\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-08-23 11:12 1617920 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2006-08-15 01:38 282624 c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
jqvxedzb
.
Contents of the 'Scheduled Tasks' folder

2008-10-31 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (D1X1B0C1-Lifeline).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []
.
- - - - ORPHANS REMOVED - - - -

Toolbar-ID - (no file)
SafeBoot-OneCareMP
MSConfigStartUp-AdwareAlert - c:\program files\AdwareAlert\AdwareAlert.exe
MSConfigStartUp-AntiSpyKit 5 - c:\program files\AntiSpyKit 5.3\AntiSpyKit 5.3.exe
MSConfigStartUp-AntiSpywareShield - c:\program files\AntiSpywareShield\AntiSpywareShield.exe
MSConfigStartUp-Corel Photo Downloader - c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
MSConfigStartUp-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe
MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\mcupdate.exe
MSConfigStartUp-MPFExe - c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe
MSConfigStartUp-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe
MSConfigStartUp-OASClnt - c:\program files\McAfee.com\VSO\oasclnt.exe
MSConfigStartUp-OneCareUI - c:\program files\Microsoft Windows OneCare Live\winssnotify.exe
MSConfigStartUp-pzatszn - c:\windows\system32\pzatszn.exe
MSConfigStartUp-seekmo - c:\program files\seekmo\seekmo.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.908.5008\Go ogleToolbarNotifier.exe
MSConfigStartUp-VirusHeat 4 - c:\program files\VirusHeat 4.3\VirusHeat 4.3.exe
MSConfigStartUp-VirusScan Online - c:\progra~1\mcafee.com\vso\mcvsshld.exe
MSConfigStartUp-VSOCheckTask - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe
MSConfigStartUp-MSI Configuration - msiconf.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Lifeline\Application Data\Mozilla\Firefox\Profiles\j61dtu92.default\
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_09\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_09\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_09\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_09\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_09\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_09\bin\NPJPI150_09.dll
FF -: plugin - c:\program files\Java\jre1.5.0_09\bin\NPOJI610.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

************************************************** ************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-06 12:23:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
.
************************************************** ************************
.
Completion time: 2008-11-06 12:25:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-06 17:25:43

Pre-Run: 63,485,554,688 bytes free
Post-Run: 63,424,978,944 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOW S
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Micro soft Windows XP Home Edition" /noexecute=optin /fastdetect

223 --- E O F --- 2008-11-06 16:08:18

**evilfantasy** · #18 6th Nov 2008, 10:39

Click START then RUN
Now type Combofix /u in the runbox
Make sure there's a space between Combofix and /u
Then hit Enter.

The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.

----------

Download ATF Cleaner by Atribune to your Desktop.

Alternate download link

Note: Vista users must use Run As Administrator

Under Main: Select Files to Delete choose: Select All.
Click the Empty Selected button.
If you use Firefox browser click Firefox at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords click No at the prompt.
If you use Opera browser click Opera at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords click No at the prompt.
Click Exit on the Main menu to close the program.

Note that your system will run slower for a reboot or two after having used this tool so don't panic.

----------

Download OTCleanIt.exe and save it to your Desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it yourself.

Important: Restart the computer before continuing.

----------

Your Java is out of date.

Older versions have vulnerabilities that malicious sites can use to infect your system.

First install the new Sun Java Runtime Environment

Be sure to close all browser windows before beginning the install.

Remove the old version(s)

Download JavaRa

Unzip the file and open the JavaRa.exe
Click Remove Older Versions
JavaRa will search for and remove any outdated version of Java and remove any that are found.
Click Additional Tasks
Place a check next to Remove Useless JRE Files and click Go
Exit JavaRa
Delete the JavaRa files from the Desktop

----------

Run this online scan.

This scanner requires Internet Explorer

Use the ESET Nod32 Online Scanner

1. Check the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the activex control to install
4. Click Start
5. Make sure that the option Remove found threats and the option Scan unwanted applications is check marked.
6. Click Scan
7. Wait for the scan to finish
8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Infected with MultiPacked.Multi.Generic Malware!	ruffryder2k7	Virus, Spyware & Security	12	26th Jun 2009 19:26
Computer is Infected with Trojan.downloader and Will Not Delete Via MBAM	bvauilt	Virus, Spyware & Security	15	17th Apr 2009 15:43
Trojan.vundo.h , trojan.agent , adware.mirar + MORE! :(	sillyarfer	Virus, Spyware & Security	1	14th Dec 2008 09:59
Heur Trojan Generic	kathymer	Virus, Spyware & Security	10	29th Nov 2008 12:58
Are you able to sync a generic mp3 player [not an iPod] with iTunes?	reyrey_angulo	Sound, Speakers & MP3 Players	1	18th Mar 2007 15:39