Solved XP anti-spyware alerts - can not remove them

Status
Not open for further replies.
I cannot find the security check log. Should I run it again?

Here are the other logs...

OTL log...
All processes killed
========== OTL ==========
Registry key HKEY_USERS\S-1-5-21-776561741-1897051121-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intuit.com\ttlc\ deleted successfully.
Starting removal of ActiveX control {31435657-9980-0010-8000-00AA00389B71}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{31435657-9980-0010-8000-00AA00389B71}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{31435657-9980-0010-8000-00AA00389B71}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31435657-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{31435657-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31435657-9980-0010-8000-00AA00389B71}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\WINDOWS\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Starting removal of ActiveX control Garmin Communicator Plug-In Reg Error: Value error.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Garmin Communicator Plug-In Reg Error: Value error.\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Garmin Communicator Plug-In Reg Error: Value error.\ not found.
C:\Documents and Settings\All Users\Application Data\30xbu6q33b6g07e moved successfully.
C:\Documents and Settings\Authorized User\Local Settings\Application Data\30xbu6q33b6g07e moved successfully.
C:\WINDOWS\Vreladuxo.dat moved successfully.
C:\Documents and Settings\All Users\Application Data\~18800420r moved successfully.
C:\Documents and Settings\All Users\Application Data\~18800420 moved successfully.
C:\Documents and Settings\All Users\Application Data\18800420 moved successfully.
C:\Documents and Settings\Authorized User\2gweorjqjutp92vjy9gake moved successfully.
C:\Documents and Settings\Authorized User\Local Settings\Application Data\3x41wrg1bdk74r644p5lin01f7k5jp7s5l3846d5642xs moved successfully.
C:\Documents and Settings\All Users\Application Data\3x41wrg1bdk74r644p5lin01f7k5jp7s5l3846d5642xs moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Authorized User
->Temp folder emptied: 32945968 bytes
->Temporary Internet Files folder emptied: 47757314 bytes
->Java cache emptied: 14119 bytes
->FireFox cache emptied: 83216029 bytes
->Flash cache emptied: 5764 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 2900102 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 47569 bytes

User: NetworkService
->Temp folder emptied: 7524 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 1715 bytes
->Flash cache emptied: 24220 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 41299058 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 199.00 mb


[EMPTYFLASH]

User: All Users

User: Authorized User
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 05152011_091041

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Authorized User\Local Settings\Temp\Perflib_Perfdata_d0c.dat not found!
File\Folder C:\Documents and Settings\Authorized User\Local Settings\Temp\~DF90C.tmp not found!
File\Folder C:\Documents and Settings\Authorized User\Local Settings\Temp\~DF91A.tmp not found!
File\Folder C:\Documents and Settings\Authorized User\Local Settings\Temp\~DF969.tmp not found!
File\Folder C:\Documents and Settings\Authorized User\Local Settings\Temp\~DF977.tmp not found!
File\Folder C:\Documents and Settings\Authorized User\Local Settings\Temp\~DF9B5.tmp not found!
File\Folder C:\Documents and Settings\Authorized User\Local Settings\Temp\~DF9C3.tmp not found!
C:\Documents and Settings\Authorized User\Local Settings\Temporary Internet Files\Content.IE5\U8Q8EY4C\c=419_rand=885215909_pv=y_async=undefined_rt=ifr[1].htm moved successfully.
C:\Documents and Settings\Authorized User\Local Settings\Temporary Internet Files\Content.IE5\U8Q8EY4C\google[1].htm moved successfully.
C:\Documents and Settings\Authorized User\Local Settings\Temporary Internet Files\Content.IE5\U8Q8EY4C\PugTracker[1].htm moved successfully.
C:\Documents and Settings\Authorized User\Local Settings\Temporary Internet Files\Content.IE5\U8Q8EY4C\px[1].htm moved successfully.
C:\Documents and Settings\Authorized User\Local Settings\Temporary Internet Files\Content.IE5\U8Q8EY4C\sh42[1].html moved successfully.
C:\Documents and Settings\Authorized User\Local Settings\Temporary Internet Files\Content.IE5\C7XDKP0W\topic164833-2[1].html moved successfully.
C:\Documents and Settings\Authorized User\Local Settings\Temporary Internet Files\SuggestedSites.dat moved successfully.

Registry entries deleted on Reboot...

*********************
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\18800420.exe.vir Win32/Adware.HDDRescue.AA application
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\KMsAsKYhhcwX.exe.vir Win32/TrojanDownloader.Prodatect.BK trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Authorized User\Application Data\7DEB2F60F4ED7FC4F140AEB6D3CF9BF7\enemies-names.txt.vir Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\Qoobox\Quarantine\C\Documents and Settings\Authorized User\Application Data\7DEB2F60F4ED7FC4F140AEB6D3CF9BF7\local.ini.vir Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\Qoobox\Quarantine\C\Documents and Settings\Authorized User\Application Data\Adobe\plugs\mmc17611546.txt.vir Win32/TrojanDownloader.Prodatect.BK trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Authorized User\Local Settings\Application Data\kah.exe.vir a variant of Win32/Kryptik.NOT trojan
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\oimdvhemc.exe.vir a variant of Win32/Injector.GFC trojan
C:\Qoobox\Quarantine\C\WINDOWS\erimayob.dll.vir a variant of Win32/Kryptik.NOS trojan
C:\Qoobox\Quarantine\C\WINDOWS\usap32.dll.vir a variant of Win32/Kryptik.NQE trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\191EC.tmp.vir a variant of Win32/Kryptik.NPQ trojan
C:\System Volume Information\_restore{C3EED522-AF28-4D96-9F9A-10715CE42056}\RP114\A0012928.ini Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\System Volume Information\_restore{C3EED522-AF28-4D96-9F9A-10715CE42056}\RP114\A0012933.exe a variant of Win32/Kryptik.NOT trojan
C:\System Volume Information\_restore{C3EED522-AF28-4D96-9F9A-10715CE42056}\RP114\A0012936.exe a variant of Win32/Injector.GFC trojan
C:\System Volume Information\_restore{C3EED522-AF28-4D96-9F9A-10715CE42056}\RP114\A0012937.dll a variant of Win32/Kryptik.NOS trojan
C:\System Volume Information\_restore{C3EED522-AF28-4D96-9F9A-10715CE42056}\RP114\A0012941.dll a variant of Win32/Kryptik.NQE trojan
C:\WINDOWS\system32\345.js JS/TrojanDownloader.Agent.NWG trojan
 
Here is the security check log...

Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
ESET Online Scanner v3
Microsoft Security Essentials
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java(TM) 6 Update 25
Out of date Java installed!
Adobe Flash Player 10.2.152.32
Adobe Reader X (10.0.1)
Mozilla Firefox (3.6.17)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
``````````End of Log````````````
 
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    
    :Services
    
    :Reg
    
    :Files
    C:\WINDOWS\system32\345.js
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

=====================================================================

Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now we'll remove all the tools we used during our cleaning process.

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run a Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. Run defrag at your convenience.

11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

12. Please let me know how your computer is doing.
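An added example, not from this thread and not part of OTL or the ESET scanner: a small Python triage of the ESET detection list posted above, showing the reasoning behind the two OTL scripts. It parses each result line into path, detection name and type, then sorts the hits into three buckets: copies already sitting in the C:\Qoobox\Quarantine folder (ComboFix's quarantine), copies inside System Volume Information restore points, and files still live on disk. The live bucket is what belongs under :Files in the OTL fix (here, only C:\WINDOWS\system32\345.js), and the restore-point hits are why [CLEARALLRESTOREPOINTS] is run once the machine is otherwise clean; the trojan count is what triggers the password-change advice in step 4. The sample lines are copied from the log above; the function names and the script assembly are my own.

```python
import re
from collections import Counter

# Constructed sample: six lines copied from the ESET detection list posted in the thread.
SAMPLE_ESET_LOG = r"""
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\18800420.exe.vir Win32/Adware.HDDRescue.AA application
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\KMsAsKYhhcwX.exe.vir Win32/TrojanDownloader.Prodatect.BK trojan
C:\Qoobox\Quarantine\C\WINDOWS\erimayob.dll.vir a variant of Win32/Kryptik.NOS trojan
C:\System Volume Information\_restore{C3EED522-AF28-4D96-9F9A-10715CE42056}\RP114\A0012928.ini Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\System Volume Information\_restore{C3EED522-AF28-4D96-9F9A-10715CE42056}\RP114\A0012933.exe a variant of Win32/Kryptik.NOT trojan
C:\WINDOWS\system32\345.js JS/TrojanDownloader.Agent.NWG trojan
"""

# One ESET result line is "<path> <detection name> <type>". Paths contain spaces, so the
# path is matched lazily up to the first token shaped like an ESET name (Platform/Family).
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<name>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/[\w.\-]+)\s+"
    r"(?P<kind>\w+)$"
)


def parse_eset_lines(text):
    """Return (path, name, kind) for every well-formed result line; other lines are skipped."""
    hits = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            hits.append((m["path"], m["name"], m["kind"]))
    return hits


def classify(path):
    """Where the detected copy lives decides what, if anything, still has to be done."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantined"          # already neutralised by the earlier cleanup
    if "\\system volume information\\_restore" in p:
        return "restore_point"        # dormant, but comes back if that restore point is used
    return "live"                     # still on disk: needs an explicit :Files entry


def triage(text):
    buckets = {"quarantined": [], "restore_point": [], "live": []}
    for path, _name, _kind in parse_eset_lines(text):
        bucket = buckets[classify(path)]
        if path not in bucket:        # ESET can list the same file more than once
            bucket.append(path)
    return buckets


def detection_kinds(text):
    """Count hits by ESET type ('trojan', 'application', ...); any trojan means rotate passwords."""
    return Counter(kind for _path, _name, kind in parse_eset_lines(text))


def build_otl_fix(buckets):
    """Assemble an OTL Custom Scans/Fixes script: live files under :Files, and the
    restore-point purge only when infected copies were found under System Volume Information."""
    lines = [":OTL", "", ":Files", *buckets["live"], "", ":Commands",
             "[purity]", "[emptytemp]", "[emptyflash]"]
    if buckets["restore_point"]:
        lines.append("[CLEARALLRESTOREPOINTS]")
    lines.append("[Reboot]")
    return "\n".join(lines)


if __name__ == "__main__":
    result = triage(SAMPLE_ESET_LOG)
    for bucket, paths in result.items():
        print(f"{bucket}: {len(paths)}")
    print(detection_kinds(SAMPLE_ESET_LOG))
    print(build_otl_fix(result))
```

The thread ran the restore-point purge as a separate final script after confirming the machine was clean, because wiping restore points before that leaves no fallback; the combined script here is only to show which log lines justify each command.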
 
My system seems to be OK. THANK YOU!!!

I am thinking of getting an external hard drive to back up my system periodically. If I had an external drive, how is that impacted when running the series of clean-up steps you have taken me through?

All processes killed
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\WINDOWS\system32\345.js moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Authorized User
->Temp folder emptied: 187776 bytes
->Temporary Internet Files folder emptied: 6664520 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 1332 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 3534 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 13664 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 7.00 mb


[EMPTYFLASH]

User: All Users

User: Authorized User
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 05152011_124103

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Authorized User\Local Settings\Temp\~DFD9A8.tmp not found!
File\Folder C:\Documents and Settings\Authorized User\Local Settings\Temp\~DFD9FC.tmp not found!
File\Folder C:\Documents and Settings\Authorized User\Local Settings\Temp\~DFDB75.tmp not found!
File\Folder C:\Documents and Settings\Authorized User\Local Settings\Temp\~DFDB8F.tmp not found!
File\Folder C:\Documents and Settings\Authorized User\Local Settings\Temp\~DFDE7E.tmp not found!
File\Folder C:\Documents and Settings\Authorized User\Local Settings\Temp\~DFDFD0.tmp not found!
C:\Documents and Settings\Authorized User\Local Settings\Temporary Internet Files\Content.IE5\LNSRRNUU\sh42[1].html moved successfully.
C:\Documents and Settings\Authorized User\Local Settings\Temporary Internet Files\Content.IE5\25II8A2N\topic164833-2[3].html moved successfully.

Registry entries deleted on Reboot...


*************
All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Authorized User
->Temp folder emptied: 183552 bytes
->Temporary Internet Files folder emptied: 1303614 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 704 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 2384 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 5072 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1.00 mb


[EMPTYFLASH]

User: All Users

User: Authorized User
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Restore points cleared and new OTL Restore Point set!

OTL by OldTimer - Version 3.2.22.3 log created on 05152011_124758

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Authorized User\Local Settings\Temp\~DFBBC2.tmp not found!
File\Folder C:\Documents and Settings\Authorized User\Local Settings\Temp\~DFBBD8.tmp not found!
File\Folder C:\Documents and Settings\Authorized User\Local Settings\Temp\~DFBCED.tmp not found!
File\Folder C:\Documents and Settings\Authorized User\Local Settings\Temp\~DFBD08.tmp not found!
File\Folder C:\Documents and Settings\Authorized User\Local Settings\Temp\~DFC5D0.tmp not found!
File\Folder C:\Documents and Settings\Authorized User\Local Settings\Temp\~DFC5E7.tmp not found!
C:\Documents and Settings\Authorized User\Local Settings\Temporary Internet Files\Content.IE5\XCFOWXJC\2554[1].htm moved successfully.
C:\Documents and Settings\Authorized User\Local Settings\Temporary Internet Files\Content.IE5\XCFOWXJC\999[1].gif moved successfully.
C:\Documents and Settings\Authorized User\Local Settings\Temporary Internet Files\Content.IE5\XCFOWXJC\c=419_rand=231042853_pv=y_async=undefined_rt=ifr[1].htm moved successfully.
C:\Documents and Settings\Authorized User\Local Settings\Temporary Internet Files\Content.IE5\XCFOWXJC\google[1].htm moved successfully.
C:\Documents and Settings\Authorized User\Local Settings\Temporary Internet Files\Content.IE5\XCFOWXJC\pixel[1].gif moved successfully.
C:\Documents and Settings\Authorized User\Local Settings\Temporary Internet Files\Content.IE5\XCFOWXJC\PugTracker[1].htm moved successfully.
C:\Documents and Settings\Authorized User\Local Settings\Temporary Internet Files\Content.IE5\XCFOWXJC\px[1].htm moved successfully.
C:\Documents and Settings\Authorized User\Local Settings\Temporary Internet Files\Content.IE5\IY2X38YZ\partner[1].htm moved successfully.
C:\Documents and Settings\Authorized User\Local Settings\Temporary Internet Files\Content.IE5\B523VCPZ\topic164833-2[1].html moved successfully.
C:\Documents and Settings\Authorized User\Local Settings\Temporary Internet Files\Content.IE5\4PZBEZJ0\bct[1].htm moved successfully.
C:\Documents and Settings\Authorized User\Local Settings\Temporary Internet Files\Content.IE5\4PZBEZJ0\sh42[1].html moved successfully.

Registry entries deleted on Reboot...
 