Solved Possible virus - wloobe.exe (Katusha.370)

Status
Not open for further replies.
OTL Run Fix

All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Aaron
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Administrator
->Temp folder emptied: 192512 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Gram
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 85457342 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 993 bytes

User: HP_Administrator

User: Kieran
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: PAP
->Temp folder emptied: 838993 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Apple Safari cache emptied: 3238912 bytes
->Flash cache emptied: 0 bytes

User: Rachel
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Travis
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 86.00 mb


[EMPTYFLASH]

User: Aaron
->Flash cache emptied: 0 bytes

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: Gram
->Flash cache emptied: 0 bytes

User: HP_Administrator

User: Kieran

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

User: PAP
->Flash cache emptied: 0 bytes

User: Rachel
->Flash cache emptied: 0 bytes

User: Travis
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Restore points cleared and new OTL Restore Point set!

OTL by OldTimer - Version 3.2.22.3 log created on 03222011_202751

Files\Folders moved on Reboot...
File move failed. C:\Documents and Settings\Administrator\Local Settings\Temp\ICSharpCode.SharpZipLib.dll scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\PAP\Local Settings\Temp\ICSharpCode.SharpZipLib.dll scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...
 
For your info

This is what Trojan Hunter first discovered ... and removed.
I'm assuming there were leftovers somewhere that still caused some problems.

C:\Programs\Windows Live\Installer\wloobe.exe (Katusha.370)

C:\System Volume Information\_restore{DD748E69-E471-45D5-8FA3-A49BABE78D85}\RPO\A0000001.exe/hidec.exe (RiskTool.Hidek.100)

C:\System Volume Information\_restore{DD748E69-E471-45D5-8FA3-A49BABE78D85}\RPO\A0000001.exe/Upx.oofiaetl/hidec.exe (RiskTool.Hidek.100)

C:\System Volume Information\_restore{DD748E69-E471-45D5-8FA3-A49BABE78D85}\RP78\A0024260.exe
 
Last three items were in your restore points.
By running the latest OTL fix, we did reset those points, so they're all gone.

The first one was possibly malicious, so you're OK now.

Any current issues?
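The reply above sorts the four Trojan Hunter hits by where they sat: one on the live file system, three as System Restore copies that disappear when the restore points are purged. As an added example (not code from the thread or from any of the tools in it), the script below does that sorting from the scanner's own path notation. The sample list is the four paths retyped from the post with "C;" read as "C:", the GUID braces closed up and "RPO" read as restore point RP0; that last reading is an assumption. The XP System Restore layout it relies on (`_restore{GUID}\RPn\A<index>.<ext>`) and the scanner convention of writing nested objects after a "/" are general, not specific to this thread.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the four Trojan Hunter hits quoted in the thread, retyped with
# "C;" read as "C:", the GUID braces closed up, and "RPO" read as restore point RP0
# (that last reading is an assumption; the regex below needs a number after "RP").
SAMPLE_HITS = [
    r"C:\Programs\Windows Live\Installer\wloobe.exe (Katusha.370)",
    r"C:\System Volume Information\_restore{DD748E69-E471-45D5-8FA3-A49BABE78D85}\RP0\A0000001.exe/hidec.exe (RiskTool.Hidek.100)",
    r"C:\System Volume Information\_restore{DD748E69-E471-45D5-8FA3-A49BABE78D85}\RP0\A0000001.exe/Upx.oofiaetl/hidec.exe (RiskTool.Hidek.100)",
    r"C:\System Volume Information\_restore{DD748E69-E471-45D5-8FA3-A49BABE78D85}\RP78\A0024260.exe",
]

# "<path> (<detection name>)" with the parenthesised name optional (the fourth hit has none).
HIT_RE = re.compile(r"^(?P<path>.+?)(?:\s+\((?P<name>[^()]+)\))?\s*$")
# XP System Restore layout: <drive>:\System Volume Information\_restore{<GUID>}\RP<n>\A<index>.<ext>
RESTORE_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{(?P<guid>[0-9A-Fa-f-]+)\}\\RP(?P<rp>\d+)\\",
    re.IGNORECASE,
)


@dataclass
class Hit:
    on_disk: str                                      # the file that actually existed on the volume
    inner: List[str] = field(default_factory=list)    # objects the scanner unpacked inside it
    detection: Optional[str] = None
    restore_point: Optional[int] = None               # RP number when the copy lives in System Restore
    restore_guid: Optional[str] = None


def parse_hit(line: str) -> Hit:
    m = HIT_RE.match(line.strip())
    full_path, detection = m.group("path"), m.group("name")
    # Scanners append nested objects (archive members, a packer layer) with "/" after
    # the container; the on-disk path uses backslashes, so the first "/" splits them.
    on_disk, *inner = full_path.split("/")
    r = RESTORE_RE.match(on_disk)
    return Hit(on_disk, inner, detection,
               int(r.group("rp")) if r else None,
               r.group("guid") if r else None)


def triage(lines):
    """Live-file hits need cleanup on the running system; restore-point copies are
    removed wholesale when the restore points are purged (what the OTL fix did)."""
    live, snapshots = [], []
    for line in lines:
        h = parse_hit(line)
        (snapshots if h.restore_point is not None else live).append(h)
    return live, snapshots


if __name__ == "__main__":
    live, snaps = triage(SAMPLE_HITS)
    for h in live:
        print("LIVE     ", h.on_disk, h.detection)
    for h in snaps:
        print(f"RP{h.restore_point:<5}", h.on_disk, "/".join(h.inner) or "-", h.detection)
```

Run it and the first hit lands in the live bucket, the other three in RP0/RP78; the second restore-point hit keeps its two nested layers so you can see the scanner flagged the same hidec.exe twice inside one snapshotted file rather than two separate files.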
 
Browsers just seem sluggish. Working within my documents seems normal. I'll get a better feel for it in a day or so.
 
Review of Cleansing

Computer is working well, speed within documents seems normal. Very slow booting up and loading Windows. Slow when first opening a document, then normal. (Probably need to defrag, haven't checked yet.)

Safari and Google Chrome seem to operate slowly while IE seems normal.

I am wondering if there might possibly be some background apps that load on boot that perhaps I can set to manual startup? But I am not sure where to find this list.

As usual, your help has been invaluable and another job well done.
Thanks for your time and effort.
 
Quick Startup

Startup List report created on 4/5/2011 by Startup Manager


Name: IgfxTray
Path: C:\WINDOWS\system32\igfxtray.exe
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Status: Enabled
------------------------------------------------------------------------------------------

Name: HotKeysCmds
Path: C:\WINDOWS\system32\hkcmd.exe
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Status: Enabled
------------------------------------------------------------------------------------------

Name: Persistence
Path: C:\WINDOWS\system32\igfxpers.exe
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Status: Enabled
------------------------------------------------------------------------------------------

Name: UpdateP2GoShortCut
Path: "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Status: Enabled
------------------------------------------------------------------------------------------

Name: HPDJ Taskbar Utility
Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Status: Enabled
------------------------------------------------------------------------------------------

Name: HPHmon04
Path: C:\WINDOWS\system32\hphmon04.exe
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Status: Enabled
------------------------------------------------------------------------------------------

Name: HPHUPD04
Path: "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Status: Enabled
------------------------------------------------------------------------------------------

Name: Share-to-Web Namespace Daemon
Path: C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Status: Enabled
------------------------------------------------------------------------------------------

Name: Verizon_McciTrayApp
Path: "C:\Program Files\Verizon\McciTrayApp.exe"
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Status: Enabled
------------------------------------------------------------------------------------------

Name: WorksFUD
Path: C:\Program Files\Microsoft Works\wkfud.exe
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Status: Enabled
------------------------------------------------------------------------------------------

Name: Microsoft Works Portfolio
Path: C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Status: Enabled
------------------------------------------------------------------------------------------

Name: Microsoft Works Update Detection
Path: C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Status: Enabled
------------------------------------------------------------------------------------------

Name: QuickTime Task
Path: "C:\Program Files\QuickTime\qttask.exe" -atboottime
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Status: Enabled
------------------------------------------------------------------------------------------

Name: RTHDCPL
Path: RTHDCPL.EXE
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Status: Enabled
------------------------------------------------------------------------------------------

Name: TkBellExe
Path: "C:\program files\real\realplayer\update\realsched.exe" -osboot
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Status: Enabled
------------------------------------------------------------------------------------------

Name: iTunesHelper
Path: "C:\Program Files\iTunes\iTunesHelper.exe"
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Status: Enabled
------------------------------------------------------------------------------------------

Name: avast
Path: "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Status: Enabled
------------------------------------------------------------------------------------------

Name: KernelFaultCheck
Path: %systemroot%\system32\dumprep 0 -k
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Status: Enabled
------------------------------------------------------------------------------------------

Name: ctfmon.exe
Path: C:\WINDOWS\system32\ctfmon.exe
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Status: Enabled
------------------------------------------------------------------------------------------

Name: swg
Path: "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Status: Enabled
------------------------------------------------------------------------------------------

Name: washindex
Path: C:\Program Files\Washer\washidx.exe
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
Status: Enabled
------------------------------------------------------------------------------------------

Name: LaunchU3.exe
Path: C:\WINDOWS\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe
Location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Status: Enabled
------------------------------------------------------------------------------------------

Name: Microsoft Works Calendar Reminders
Path: C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\WkCalRem.exe
Location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Status: Enabled
------------------------------------------------------------------------------------------

Name: Secunia PSI Tray
Path: C:\PROGRA~1\Secunia\PSI\psi_tray.exe
Location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Status: Enabled
------------------------------------------------------------------------------------------

Name: Webshots
Path: C:\PROGRA~1\Webshots\315~1.761\Launcher.exe /t
Location: C:\Documents and Settings\PAP\Start Menu\Programs\Startup
Status: Enabled
------------------------------------------------------------------------------------------
Total 25 Items
 
Re-run QuickStartup and UN-check the following items:

IgfxTray
Persistence
UpdateP2GoShortCut
HPHmon04
HPHUPD04
Verizon_McciTrayApp
WorksFUD
Microsoft Works Portfolio
Microsoft Works Update Detection
TkBellExe
iTunesHelper
KernelFaultCheck
washindex
LaunchU3.exe
Secunia PSI Tray

Restart computer.
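The Startup Manager report and the uncheck list above go together: each Name in the list is either a value under a Run key or a shortcut in a Startup folder, and unticking it in QuickStartup is one of those two changes. As an added example (not code from the thread, from QuickStartup or from Startup Manager), the script below parses the report format, maps a list of names onto the concrete change for each, and adds two triage notes of its own. The sample input is four of the 25 entries retyped from the report. Assumptions: that unticking means deleting the Run value or moving the shortcut (the manager's real mechanism is not stated on the page), that "Run" and "RunOnce" are the only key names treated as standard here, and that the Startup-folder Name is the shortcut's name.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the thread's "Startup List report" (four of the 25 entries), used as sample input.
SAMPLE_REPORT = r"""Startup List report created on 4/5/2011 by Startup Manager

Name: RTHDCPL
Path: RTHDCPL.EXE
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Status: Enabled
------------------------------------------------------------------------------------------

Name: avast
Path: "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Status: Enabled
------------------------------------------------------------------------------------------

Name: washindex
Path: C:\Program Files\Washer\washidx.exe
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
Status: Enabled
------------------------------------------------------------------------------------------

Name: LaunchU3.exe
Path: C:\WINDOWS\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe
Location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Status: Enabled
------------------------------------------------------------------------------------------
Total 4 Items
"""

FIELD_RE = re.compile(r"^(Name|Path|Location|Status):\s*(.*)$")
SEPARATOR = "----------"
# Key names this example treats as the standard autostart keys (an assumption, not a complete list).
STANDARD_RUN_KEYS = {"Run", "RunOnce"}


@dataclass
class StartupEntry:
    name: str
    path: str
    location: str
    status: str

    @property
    def is_registry(self) -> bool:
        return self.location.upper().startswith("HKEY_")

    def image(self) -> str:
        """Executable the entry launches: the quoted program, else the first token."""
        p = self.path.strip()
        if p.startswith('"'):
            return p[1 : p.index('"', 1)]
        return p.split()[0]


def parse_report(text: str) -> list:
    """Parse the Name/Path/Location/Status records; each record ends at a dashed line."""
    entries, cur = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            cur[m.group(1).lower()] = m.group(2).strip()
        elif line.startswith(SEPARATOR) and cur:
            entries.append(StartupEntry(**cur))
            cur = {}
    return entries


def disable_action(e: StartupEntry) -> str:
    """What unticking amounts to, spelled out so it can be done or undone by hand
    (assumed mechanism: delete the Run value / move the Startup-folder shortcut)."""
    if e.is_registry:
        return (f'reg export "{e.location}" backup.reg  &&  '
                f'reg delete "{e.location}" /v "{e.name}" /f')
    return f'move the shortcut "{e.name}" out of "{e.location}" (re-create it to undo)'


def review_notes(e: StartupEntry) -> list:
    """Triage observations (this example's own rules, not findings from the thread)."""
    notes = []
    if "\\" not in e.image():
        notes.append("bare file name: resolved through the search path, not a fixed location")
    if e.is_registry and e.location.rsplit("\\", 1)[-1] not in STANDARD_RUN_KEYS:
        notes.append("not a standard Run/RunOnce key: check what actually reads it")
    if e.status != "Enabled":
        notes.append("already disabled")
    return notes


def plan(report: str, uncheck: list) -> dict:
    """Map an uncheck list onto concrete actions; names missing from the report are reported, not skipped."""
    by_name = {e.name: e for e in parse_report(report)}
    out = {}
    for name in uncheck:
        e = by_name.get(name)
        out[name] = {"action": disable_action(e), "notes": review_notes(e)} if e else {"error": "not in report"}
    return out


if __name__ == "__main__":
    for name, info in plan(SAMPLE_REPORT, ["washindex", "LaunchU3.exe", "RTHDCPL", "nosuch"]).items():
        print(name, info)
```

The point of emitting a `reg export` before every `reg delete` is that a startup manager's "uncheck" is not always reversible from inside the tool; with the backup you can `reg import backup.reg` if disabling something turns out to break a device or service. Names that are not in the report come back as an error rather than being silently dropped, which catches typos between the list and the report.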
 