rundll.exe (prob fake?) is infected by worm.vb.fi

Scan took 8 hours!

autorun.inf;d:;Corrupt autorun file;Moved.;
vgod.dll;c:\documents and settings\administrator\local settings\temp;Win32.Besso;Deleted.;
xdict.exe;c:\program my\kingsoft\xdict;Win32.Besso;Cured.;
checkfw.dll;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp;Win32.Besso;Cured.;
ywiseext.dll;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp;Win32.Besso;Cured.;
_uninstop.exe;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp;Win32.Besso;Cured.;
PCloser.dll;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsq234.tmp;Win32.Besso;Cured.;
System.dll;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsq234.tmp;Win32.Besso;Cured.;
lsse.dll;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Spyware;Win32.Besso;Cured.;
AVPFPI0.dll;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus;Win32.Besso;Cured.;
avpproxy.dll;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus;Win32.Besso;Cured.;
DFFPI.DLL;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus;Win32.Besso;Cured.;
fm4av.dll;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus;Win32.Besso;Cured.;
fpinor.dll;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus;Win32.Besso;Cured.;
fsbl.dll;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus;Win32.Besso;Cured.;
fsbld.dll;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus;Win32.Besso;Cured.;
fsgk32.exe;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus;Win32.Besso;Cured.;
fsgkiapi.dll;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus;Win32.Besso;Cured.;
FSHKE.dll;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus;Win32.Besso;Cured.;
FSLFPI.dll;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus;Win32.Besso;Cured.;
fssm32.exe;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus;Win32.Besso;Cured.;
fssubmit.dll;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus;Win32.Besso;Cured.;
lsse.dll;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus;Win32.Besso;Cured.;
Nse_w32.dll;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus;Win32.Besso;Cured.;
arclib.dll;C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files;Win32.Besso;Cured.;
fsauc.dll;C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files;Win32.Besso;Cured.;
pcast.dll;C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files;Win32.Besso;Cured.;
pCastCtl.dll;C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files;Win32.Besso;Cured.;
webscan.dll;C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files;Win32.Besso;Cured.;
ezpinst.exe;C:\Documents and Settings\Administrator\Application Data;Win32.Besso;Cured.;
kssetting.exe_8BCAA7D371F34097857E7B78CBAEF505.exe;C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{5071F84A-FF33-4D2D-BD96-FCF45A201FF4};Win32.Besso;Cured.;
NewShortcut13_5071F84AFF334D2DBD96FCF45A201FF4_1.exe;C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{5071F84A-FF33-4D2D-BD96-FCF45A201FF4};Win32.Besso;Cured.;
NewShortcut4_5071F84AFF334D2DBD96FCF45A201FF4.exe;C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{5071F84A-FF33-4D2D-BD96-FCF45A201FF4};Win32.Besso;Cured.;
NewShortcut6_5071F84AFF334D2DBD96FCF45A201FF4.exe;C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{5071F84A-FF33-4D2D-BD96-FCF45A201FF4};Win32.Besso;Cured.;
XDict.exe;C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{5071F84A-FF33-4D2D-BD96-FCF45A201FF4};Win32.Besso;Cured.;
XDict1.exe_8BCAA7D371F34097857E7B78CBAEF505.EXE;C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{5071F84A-FF33-4D2D-BD96-FCF45A201FF4};Win32.Besso;Cured.;
compat.dll;C:\Documents and Settings\Administrator\Application Data\Real\Update\setup\data\inst_config;Win32.Besso;Cured.;
ComboFix.exe\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Administrator\Desktop\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\Administrator\Desktop;Archive contains infected objects;Moved.;
OTMoveIt3.exe;C:\Documents and Settings\Administrator\Desktop;Win32.Besso;Cured.;
RemoveVideoActiveXObject.exe;C:\Documents and Settings\Administrator\Desktop;Win32.Besso;Cured.;
RemoveVideoActiveXObject.exe\RVAXO3;C:\Documents and Settings\Administrator\Desktop\RemoveVideoActiveXObject.exe;Trojan.Shutdown.134;;
RemoveVideoActiveXObject.exe;C:\Documents and Settings\Administrator\Desktop;Archive contains infected objects;Moved.;
SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\Administrator\Desktop\SDFix.exe;Tool.Prockill;;
SDFix.exe;C:\Documents and Settings\Administrator\Desktop;Archive contains infected objects;Moved.;
gmer.exe;C:\Documents and Settings\Administrator\Desktop\Low Gong\gmer;Win32.Besso;Cured.;
mp3cutter.exe;C:\Documents and Settings\Administrator\Desktop\Low Gong\MP3 cutter;Win32.Besso;Cured.;
setup.exe;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005;Win32.Besso;Cured.;
KSEngine.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\Common\kingsoft\Extract;Win32.Besso;Cured.;
KSVoice.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\Common\kingsoft\Extract;Win32.Besso;Cured.;
XDPopWnd.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\Common\kingsoft\Extract;Win32.Besso;Cured.;
ace.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\Common\kingsoft\KSG;Win32.Besso;Cured.;
AuxProcess.exe;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\Common\kingsoft\KSG;Win32.Besso;Cured.;
bootupdate.exe;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\Common\kingsoft\KSG;Win32.Besso;Cured.;
client.exe;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\Common\kingsoft\KSG;Win32.Besso;Cured.;
SAPI.DLL;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\Common\Microsoft Shared\Speech;Win32.Besso;Cured.;
spcommon.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\Common\SpeechEngines\Microsoft;Win32.Besso;Cured.;
SPTTSENG.DLL;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\Common\SpeechEngines\Microsoft\TTS\1033;Win32.Besso;Cured.;
Cjktl32.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
Cjktl95.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
DBCore10.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
DicMngr.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
doshow.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
IJL11.DLL;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
ITextOut.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
ITTSEngine.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
KPic10.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
KSSetting.exe;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
NEWWORD.DLL;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
NewWord.exe;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
NormGrab.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
RegDict.exe;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
ScrollWord.exe;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
toTTSEngine50.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
XdictGrb.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
XFavHist.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
XFILE.DLL;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
msxml4.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System;Win32.Besso;Cured.;
msxml4a.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System;Win32.Besso;Cured.;
msxml4r.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System;Win32.Besso;Cured.;
Decdnet.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32;Win32.Besso;Cured.;
Pncrt.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32;Win32.Besso;Cured.;
Pnen3230.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32;Win32.Besso;Cured.;
Pnui3230.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32;Win32.Besso;Cured.;
Ra3214_4.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32;Win32.Besso;Cured.;
Ra3228_8.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32;Win32.Besso;Cured.;
Ra32dnet.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32;Win32.Besso;Cured.;
SHFOLDER.DLL;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32;Win32.Besso;Cured.;
VOCTL32.DLL;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32;Win32.Besso;Cured.;
WMV9VCM.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32;Win32.Besso;Cured.;
msvcp60.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32\Redist\MS\System;Win32.Besso;Cured.;
msvcrt.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32\Redist\MS\System;Win32.Besso;Cured.;
i_view32.exe;C:\Documents and Settings\Administrator\Desktop\Low Gong\shortcuts;Win32.Besso;Cured.;
iview397.exe;C:\Documents and Settings\Administrator\Desktop\Low Gong\Software;Win32.Besso;Cured.;
mirc616.exe;C:\Documents and Settings\Administrator\Desktop\Low Gong\Software;Win32.Besso;Cured.;
mirc621.exe\data009;C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\mirc621.exe;Program.mIRC.621;;
mirc621.exe;C:\Documents and Settings\Administrator\Desktop\Low Gong\Software;Archive contains infected objects;Moved.;
boba_super_setup.exe\data007;C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Football\boba_super_setup.exe;Adware.Baidu.324;;
boba_super_setup.exe;C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Football;Archive contains infected objects;Moved.;
keygen.exe;C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-;Win32.Besso;Cured.;
keygen.exe;C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-;Win32.Besso;Cured.;
mirc.exe;C:\Program Files\mIRC;Program.mIRC.621;;
Tvants.exe;C:\Program Files\TVAnts;Win32.Besso;Cured.;
UNWISE.EXE;C:\Program Files\TVAnts;Win32.Besso;Cured.;
wmplayer.exe.tmp;C:\Program Files\Windows Media Player;Win32.Besso;Cured.;
BitComet.exe;C:\Program my\BitComet;Win32.Besso;Cured.;
vlc.exe;C:\Program my\VideoLAN\VLC;Win32.Besso;Cured.;
RVAXO3;C:\RVAXO;Trojan.Shutdown.134;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;;
rundll.exe;C:\_OTMoveIt\MovedFiles\12082008_130400;Win32.HLLW.Unjap;Deleted.;
VGod.DLL;C:\_OTMoveIt\MovedFiles\12082008_130400\DOCUME~1\ADMINI~1\LOCALS~1\Temp;Win32.Besso;Deleted.;
XP-3EC8D8CF.EXE.vir;C:\_OTMoveIt\MovedFiles\12082008_130400\WINDOWS\system32;Win32.HLLW.Autoruner.2665;Incurable.Moved.;
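
To triage a scan log like the one above, here is an added example (not part of the thread, and not any tool's own code) that parses the semicolon-separated records, counts them by detection and action, and lists findings with no recorded action that are not inside an archive the scanner moved as a whole. The field order (object; location; detection; action) is inferred from the log lines, and `SAMPLE` is an excerpt of them.

```python
from collections import Counter
from typing import NamedTuple

# Excerpt of records copied from the scan log in the post above.
SAMPLE = r"""
autorun.inf;d:;Corrupt autorun file;Moved.;
vgod.dll;c:\documents and settings\administrator\local settings\temp;Win32.Besso;Deleted.;
xdict.exe;c:\program my\kingsoft\xdict;Win32.Besso;Cured.;
ComboFix.exe\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Administrator\Desktop\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\Administrator\Desktop;Archive contains infected objects;Moved.;
mirc.exe;C:\Program Files\mIRC;Program.mIRC.621;;
Process.exe;C:\SDFix\apps;Tool.Prockill;;
rundll.exe;C:\_OTMoveIt\MovedFiles\12082008_130400;Win32.HLLW.Unjap;Deleted.;
XP-3EC8D8CF.EXE.vir;C:\_OTMoveIt\MovedFiles\12082008_130400\WINDOWS\system32;Win32.HLLW.Autoruner.2665;Incurable.Moved.;
"""


class Finding(NamedTuple):
    obj: str        # file name, or container\member for an item inside an archive
    path: str       # folder holding the file, or full path of the container
    detection: str  # scanner's verdict name
    action: str     # "Cured.", "Deleted.", "Moved.", ... or "" when none is recorded


def parse_log(text):
    """Turn 'object;path;detection;action;' lines into Finding records."""
    findings = []
    for line in text.splitlines():
        fields = line.strip().split(";")
        if len(fields) < 4:
            continue  # blank line or surrounding forum text, not a record
        obj, path, detection, action = (f.strip() for f in fields[:4])
        findings.append(Finding(obj, path, detection, action))
    return findings


def handled_files(findings):
    """Lower-cased full paths of files the scanner acted on as a whole."""
    return {
        (f.path.rstrip("\\") + "\\" + f.obj).lower()
        for f in findings
        if f.action and "\\" not in f.obj
    }


def unresolved(findings):
    """Findings with no action, excluding members of an archive that was handled."""
    handled = handled_files(findings)
    result = []
    for f in findings:
        if f.action:
            continue
        if "\\" in f.obj and f.path.lower() in handled:
            continue  # the containing file has its own record with an action
        result.append(f)
    return result


def summarize(findings):
    """Count records per (detection, action) pair."""
    return Counter((f.detection, f.action or "(none)") for f in findings)


if __name__ == "__main__":
    records = parse_log(SAMPLE)
    for (detection, action), count in summarize(records).most_common():
        print(f"{count:3d}  {detection:40s} {action}")
    print("\nStill on disk with no action recorded:")
    for f in unresolved(records):
        print(f"  {f.path}\\{f.obj}  [{f.detection}]")
```
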
 
Scan took 8 hours!
That's what happens when you have no Antivirus installed, use multiple P2P programs and then use Keygens.

Cracks, Keygens and Warez

In doing the crack, the 'cracker' has broken the 'End User Licence Agreement' (EULA) of the product.
The distribution and use of cracked copies is illegal in almost every developed country.
They are also one of the biggest causes of infection.

This applies to Cracks, Keygens and Warez

In the future I strongly suggest you stay away from using cracks and/or Keygens.


Right, let's see if we can get things moving now

Step 1

OTMoveIt
Please download OTMoveIt3 by OldTimer and save it to your desktop
  • Double-click OTMoveIt3.exe to run it.
  • Copy the lines in the codebox below. (Make sure you include :Reg)
Code:
:Reg
[-hkey_current_user\software\dudu]
:Files
C:\Deckard
C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
C:\Documents and Settings\Administrator\Desktop\Flash_Disinfector.exe
C:\Documents and Settings\Administrator\Desktop\Low Gong\gmer\gmer.exe
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM
C:\Documents and Settings\Administrator\Desktop\SDFix.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\*.*
C:\Program my\BitComet
C:\SDFix
C:\sUBs
C:\WINDOWS\Installer\835db16.msi
c:\windows\keyboard1.dat
C:\WINDOWS\system32\shell.fne
:Commands
[Purity]
[EmptyTemp]
  • Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

----------------------------------------------------------- -----------------------------------------------------------
Step 2

Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

Post the log from ComboFix when you've accomplished that.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.


----------------------------------------------------------- -----------------------------------------------------------
Step 3

Logs/Information to Post in Reply
Please post the following logs/Information in your reply
  • OTMI Log
  • Combofix Log
  • How are things running now?
 
Thanks for the warning about the p2p/cracks/keygens, I will follow your advice.

When the computer rebooted, on request of OTMoveIt3, there was this Windows prompt telling me something along the lines of "This system has recovered from a serious error. A log of this was created." A good omen?

OTMoveIt log:

========== REGISTRY ==========
Registry key hkey_current_user\software\dudu\\ not found.
========== FILES ==========
C:\Deckard\System Scanner\backup\WINDOWS\temp\Temporary Internet Files\Content.IE5\KHQNOFGP moved successfully.
C:\Deckard\System Scanner\backup\WINDOWS\temp\Temporary Internet Files\Content.IE5\EXJAR0S3 moved successfully.
C:\Deckard\System Scanner\backup\WINDOWS\temp\Temporary Internet Files\Content.IE5\EJXLGXNS moved successfully.
C:\Deckard\System Scanner\backup\WINDOWS\temp\Temporary Internet Files\Content.IE5\0PIVGP0D moved successfully.
C:\Deckard\System Scanner\backup\WINDOWS\temp\Temporary Internet Files\Content.IE5 moved successfully.
C:\Deckard\System Scanner\backup\WINDOWS\temp\Temporary Internet Files moved successfully.
C:\Deckard\System Scanner\backup\WINDOWS\temp\History\History.IE5 moved successfully.
C:\Deckard\System Scanner\backup\WINDOWS\temp\History moved successfully.
C:\Deckard\System Scanner\backup\WINDOWS\temp\Cookies moved successfully.
C:\Deckard\System Scanner\backup\WINDOWS\temp moved successfully.
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files moved successfully.
C:\Deckard\System Scanner\backup\WINDOWS moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~nsu.tmp moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Word8.0 moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\VBE moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\plugtmp-8 moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\plugtmp-7 moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\plugtmp-6 moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\plugtmp-5 moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\plugtmp-4 moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\plugtmp-3 moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\plugtmp-2 moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\plugtmp-1 moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\plugtmp moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Spyware moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsq234.tmp moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\msoclip1\01 moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\msoclip1 moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MessengerCache moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FrontPageTempDir moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\F-Secure\Anti-Virus moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\F-Secure moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bc_cache moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Adobe\Acrobat\7.0 moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Adobe\Acrobat moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Adobe moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1 moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1 moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1 moved successfully.
C:\Deckard\System Scanner\backup moved successfully.
C:\Deckard\System Scanner moved successfully.
C:\Deckard moved successfully.
File/Folder C:\Documents and Settings\Administrator\Desktop\ComboFix.exe not found.
C:\Documents and Settings\Administrator\Desktop\Flash_Disinfector.exe moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\gmer\gmer.exe moved successfully.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.Video.to.Audio.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL scheduled to be moved on reboot.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.Video.to.Audio.Converter.v3.1.7.0616b.Keygen.Only-Lz0 moved successfully.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.RM.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL\ethrc31a\ethrc31 scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.RM.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL\ethrc31a scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.RM.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL scheduled to be moved on reboot.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.RM.Converter.v3.1.7.0616b.Keygen.Only-Lz0\lz0nem01 moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.RM.Converter.v3.1.7.0616b.Keygen.Only-Lz0 moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.MP4.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.MP4.Converter.v3.1.7.0616b.Keygen.Only-Lz0 moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.MOV.Video.Converter.v3.1.7.0616b.Keygen.Only-Lz0 moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.MOV.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.iPod.Video.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL moved successfully.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.iPod.Video.Converter.v3.1.7.0616b.Keygen.Only-Lz0\Linezer0 scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.iPod.Video.Converter.v3.1.7.0616b.Keygen.Only-Lz0 scheduled to be moved on reboot.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.DVD.to.WMV.Converter.v4.0.52.0616.WinAll.Regged-EiTheL moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.DVD.to.WMV.Converter.v4.0.52.0616.Keygen.Only-Lz0 moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.DVD.to.PSP.Converter.v4.0.52.0616.WinAll.Regged-EiTheL moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.DVD.to.PSP.Converter.v4.0.52.0616.Keygen.Only-Lz0 moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.DVD.to.MP4.Converter.v4.0.52.0616.WinAll.Regged-EiTheL moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.DVD.to.MP4.Converter.v4.0.52.0616.Keygen.Only-Lz0 moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.DVD.to.iPod.Converter.v4.0.52.0616.WinAll.Regged-EiTheL moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.DVD.to.iPod.Converter.v4.0.52.0616.Keygen.Only-Lz0 moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.DVD.to.DivX.Converter.v4.0.52.0616.WinAll.Regged-EiTheL moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.DVD.to.DivX.Converter.v4.0.52.0616.Keygen.Only-Lz0 moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.DVD.to.3GP.Converter.v4.0.52.0616.WinAll.Regged-EiTheL moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.DVD.to.3GP.Converter.v4.0.52.0616.Keygen.Only-Lz0 moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.DVD.Ripper.v4.0.52.0616.WinAll.Regged-EiTheL moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.DVD.Ripper.v4.0.52.0616.Keygen.Only-Lz0 moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.DVD.Audio.Ripper.v4.0.52.0616.WinAll.Regged-EiTheL moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.DVD.Audio.Ripper.v4.0.52.0616.Keygen.Only-Lz0 moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.CD.Ripper.v1.0.36.Incl.Keygen-Lz0 moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.AVI.MPEG.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.AVI.MPEG.Converter.v3.1.7.0616b.Keygen.Only-Lz0 moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.3GP.Video.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.3GP.Video.Converter.v3.1.7.0616b.Keygen.Only-Lz0 moved successfully.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM scheduled to be moved on reboot.
File/Folder C:\Documents and Settings\Administrator\Desktop\SDFix.exe not found.
C:\Documents and Settings\Administrator\Local Settings\Temp\000041228122079599.wmv moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\000041228444212470.wmv moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\000041228450627967.wmv moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\30298776.torrent moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\3jLyThf4.torrent.part moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\AssLikeThat - Donna Red.mpg.torrent moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\AV Pics.torrent moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\Booty Full Babes 3.torrent moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\ee366d2b2e4ede8287de879e85a0dcc2PSK_PLUGINS_2 moved successfully.
File move failed. C:\Documents and Settings\Administrator\Local Settings\Temp\etilqs_nRyWmQXEReVhdLGLk1en scheduled to be moved on reboot.
C:\Documents and Settings\Administrator\Local Settings\Temp\etilqs_XDs33n9W6B8zJ9OMW5nd moved successfully.
File move failed. C:\Documents and Settings\Administrator\Local Settings\Temp\flaEB.tmp scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\Administrator\Local Settings\Temp\flaF7.tmp scheduled to be moved on reboot.
C:\Documents and Settings\Administrator\Local Settings\Temp\Gccq6g0v.exe.part moved successfully.
DllUnregisterServer procedure not found in C:\Documents and Settings\Administrator\Local Settings\Temp\hGu8YnFX.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\hGu8YnFX.dll NOT unregistered.
C:\Documents and Settings\Administrator\Local Settings\Temp\hGu8YnFX.dll moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\Kiara Marie_Thick White Heart Butts .avi.torrent moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\Likem Low Lele.torrent moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_1e8.dat moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\PNX165.tmp moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\PSSysChk.log moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\Rar$LS17.77312 moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\Scrumpshuzzz_AtomicGdog.torrent moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\stadistic.log moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\steverock.torrent moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\thunder_vod_MjQxNTkxOTk1Nw==.rmvb moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF10EB.tmp moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF2199.tmp moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF21A6.tmp moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF8D21.tmp moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFC53.tmp moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFEAA.tmp moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFEB7.tmp moved successfully.
C:\Program my\BitComet\Torrents moved successfully.
C:\Program my\BitComet\rules moved successfully.
C:\Program my\BitComet\lang moved successfully.
C:\Program my\BitComet\fav\ad moved successfully.
C:\Program my\BitComet\fav moved successfully.
C:\Program my\BitComet\Downloads moved successfully.
C:\Program my\BitComet\codec moved successfully.
C:\Program my\BitComet moved successfully.
C:\SDFix\backups moved successfully.
C:\SDFix\apps\Replace\xp moved successfully.
C:\SDFix\apps\Replace\w2k moved successfully.
C:\SDFix\apps\Replace moved successfully.
C:\SDFix\apps moved successfully.
C:\SDFix moved successfully.
C:\sUBs\TSF moved successfully.
C:\sUBs moved successfully.
C:\WINDOWS\Installer\835db16.msi moved successfully.
c:\windows\keyboard1.dat moved successfully.
C:\WINDOWS\system32\shell.fne moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\etilqs_nRyWmQXEReVhdLGLk1en scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\flaEB.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\flaF7.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12102008_151240

Files moved on Reboot...
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.Video.to.Audio.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.RM.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL\ethrc31a\ethrc31 scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.RM.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL\ethrc31a\ethrc31 scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.RM.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL\ethrc31a scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.RM.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL\ethrc31a\ethrc31 scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.RM.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL\ethrc31a scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.RM.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.iPod.Video.Converter.v3.1.7.0616b.Keygen.Only-Lz0\Linezer0 scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.iPod.Video.Converter.v3.1.7.0616b.Keygen.Only-Lz0\Linezer0 scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.iPod.Video.Converter.v3.1.7.0616b.Keygen.Only-Lz0 scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.Video.to.Audio.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.RM.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL\ethrc31a\ethrc31 scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.RM.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL\ethrc31a scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.RM.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.iPod.Video.Converter.v3.1.7.0616b.Keygen.Only-Lz0\Linezer0 scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.iPod.Video.Converter.v3.1.7.0616b.Keygen.Only-Lz0 scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM scheduled to be moved on reboot.
File C:\Documents and Settings\Administrator\Local Settings\Temp\etilqs_nRyWmQXEReVhdLGLk1en not found!
File C:\Documents and Settings\Administrator\Local Settings\Temp\flaEB.tmp not found!
File C:\Documents and Settings\Administrator\Local Settings\Temp\flaF7.tmp not found!
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\etilqs_nRyWmQXEReVhdLGLk1en not found!
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\flaEB.tmp not found!
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\flaF7.tmp not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\XUL.mfl moved successfully.

--------------------

Note: Combofix asked me to update when I ran it, but the update could not be retrieved and it continued with its current version. Also, I closed everything possible just as in the instructions, but it had to reboot the computer to finish and certain programs did load (in the background) after startup. Don't think it hindered combofix though. The log:

ComboFix 08-12-09.03 - Administrator 2008-12-10 16:02:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.296 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\com.run
c:\windows\system32\dp1.fne
c:\windows\system32\eAPI.fne
c:\windows\system32\internet.fne
c:\windows\system32\og.edt
c:\windows\system32\RegEx.fnr
c:\windows\system32\spec.fne

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV
-------\Legacy_VFILT


((((((((((((((((((((((((( Files Created from 2008-11-10 to 2008-12-10 )))))))))))))))))))))))))))))))
.

2008-12-10 02:13 . 2008-12-10 02:15 <DIR> d-------- c:\documents and settings\Administrator\DoctorWeb
2008-12-09 20:16 . 2008-12-09 20:16 <DIR> d---s---- c:\documents and settings\Administrator\UserData
2008-12-09 18:41 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-12-09 18:40 . 2008-12-09 18:40 <DIR> d-------- c:\program files\Panda Security
2008-12-08 13:04 . 2008-12-08 13:04 <DIR> d-------- C:\_OTMoveIt
2008-12-04 13:53 . 2008-12-04 13:53 <DIR> d-------- C:\rsit
2008-11-29 11:01 . 2008-12-03 09:57 <DIR> d-------- c:\program files\Spyware Terminator
2008-11-29 11:01 . 2008-12-03 18:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spyware Terminator
2008-11-29 11:01 . 2008-12-03 09:51 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Spyware Terminator
2008-11-29 11:01 . 2008-11-29 11:01 142,592 --a------ c:\windows\system32\drivers\sp_rsdrv2.sys
2008-11-29 09:40 . 2008-11-29 14:19 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-29 09:39 . 2008-11-29 09:39 <DIR> d-------- c:\program files\Trojan Remover
2008-11-29 09:39 . 2008-11-29 09:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Simply Super Software
2008-11-29 09:39 . 2008-11-29 09:39 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Simply Super Software
2008-11-29 09:39 . 2006-05-25 14:52 162,304 --a------ c:\windows\system32\ztvunrar36.dll
2008-11-29 09:39 . 2003-02-02 19:06 153,088 --a------ c:\windows\system32\UNRAR3.dll
2008-11-29 09:39 . 2005-08-26 00:50 77,312 --a------ c:\windows\system32\ztvunace26.dll
2008-11-29 09:39 . 2002-03-06 00:00 75,264 --a------ c:\windows\system32\unacev2.dll
2008-11-29 09:39 . 2006-06-19 12:01 69,632 --a------ c:\windows\system32\ztvcabinet.dll
2008-11-28 23:11 . 2008-11-29 09:53 159 --------- C:\autorun.inf.vir
2008-11-23 17:10 . 2008-11-27 11:41 <DIR> d-------- c:\program files\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-10 10:30 --------- d-----w c:\program files\mIRC
2008-12-03 20:04 --------- d-----w c:\program files\SopCast
2008-11-27 10:43 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-23 14:34 --------- d-----w c:\documents and settings\Administrator\Application Data\Lavasoft
2008-11-23 12:30 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 15:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-22 15:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-01-05 02:22 81,920 ----a-w c:\documents and settings\Administrator\Application Data\ezpinst.exe
2008-01-05 02:22 47,360 ------w c:\documents and settings\Administrator\Application Data\pcouffin.sys
2004-03-28 17:46 1,340,416 -c-ha-w c:\program files\mplayerc.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 455168]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-12-10 180269]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Media Codec Update Service"="c:\program files\Essentials Codec Pack\update.exe" [2007-04-08 303104]
"Thunder"="c:\program files\Thunder Network\Thunder\Thunder.exe" [2008-08-12 45056]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-08 289576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
PowerWord 2002.lnk - c:\program my\Kingsoft\XDict\XDICT.EXE [2004-11-21 749568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"MSACM.MI-SC4"= MI-SC4.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kingsoft\\PowerWord 2005\\XDICT.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"25435:TCP"= 25435:TCP:BitComet 25435 TCP
"25435:UDP"= 25435:UDP:BitComet 25435 UDP
"49152:TCP"= 49152:TCP:BitComet 49152 TCP
"49152:UDP"= 49152:UDP:BitComet 49152 UDP

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-09 28544]
.
Contents of the 'Scheduled Tasks' folder

2008-09-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: ʹÓÃѸÀ×ÏÂÔØ - c:\program files\Thunder Network\Thunder\Program\geturl.htm
IE: ʹÓÃѸÀ×ÏÂÔØÈ«²¿Á´½Ó - c:\program files\Thunder Network\Thunder\Program\getallurl.htm
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - c:\program files\Thunder Network\Thunder\Thunder.exe
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - c:\program files\Thunder Network\Thunder\Thunder.exe -
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FireFox -: Profile - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.nl
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - c:\program my\VideoLAN\VLC\npvlc.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-10 16:06:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Analog Devices\SoundMAX\spkrmon.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\WgaTray.exe
c:\program files\Thunder Network\Thunder\Program\Thunder5.exe
c:\windows\system32\notepad.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Thunder Network\Thunder\Components\InMedia\ThunderMinisite.exe
.
**************************************************************************
.
Completion time: 2008-12-10 16:11:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-10 15:10:01

Pre-Run: 1,094,266,880 bytes free
Post-Run: 1,027,620,864 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

172 --- E O F --- 2008-11-13 02:04:50
 
Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt



Kaspersky Online Scanner
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
NOTE:- This scan is best done from IE (Internet Explorer)

NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Are there any problems now ?
 
MALWAREBYTES LOG:

Malwarebytes' Anti-Malware 1.31
Database version: 1483
Windows 5.1.2600 Service Pack 2

08-12-10 20:45:06
mbam-log-2008-12-10 (20-45-06).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 108916
Time elapsed: 1 hour(s), 9 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\NetworkService\Cookies\MM2048.DAT (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\MM256.DAT (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\bumo.reg (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\jababug.inf (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\uwux.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\jiceji._sy (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\esycire._dl (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\syssp.exe (Fake.Dropped.Malware) -> Delete on reboot.
=========================================

Kaspersky log ( OTMoveIT3 is a backdoor?):

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, December 11, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, December 10, 2008 22:20:53
Records in database: 1450451
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 80934
Threat name: 4
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 01:48:07


File name / Threat name / Threats count
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
C:\Documents and Settings\Administrator\Desktop\OTMoveIt3.exe Infected: Backdoor.Win32.SubSeven.asu 1
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\mirc621.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\XP-3EC8D8CF.EXE.vir Infected: Worm.Win32.AutoRun.sow 1

The selected area was scanned.
 
Kaspersky log ( OTMoveIT3 is a backdoor?):
I have reported it to Kaspersky as a False Positive :police:

OTMoveIt
  • Double-click OTMoveIt3.exe to run it.
  • Copy the lines in the codebox below. ( Make sure you include :Files )
Code:
:Files
C:\Program Files\BitTornado
C:\Program my\BitComet
C:\Program Files\ABC
C:\Program Files\uTorrent
C:\Program Files\KuGoo2
C:\autorun.inf.vir
C:\Documents and Settings\NetworkService\Cookies\*.*
:Reg
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\BitTornado\btdownloadgui.exe"=-
"C:\Program my\BitComet\BitComet.exe"=-
"C:\Program Files\ABC\abc.exe"=-
"C:\Program Files\uTorrent\uTorrent.exe"=-
  • Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • - Close ALL open windows (especially Internet Explorer!)-
  • Click the red Moveit! button.
  • Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Are there any problems now ?
 
========== FILES ==========
File/Folder C:\Program Files\BitTornado not found.
File/Folder C:\Program my\BitComet not found.
File/Folder C:\Program Files\ABC not found.
File/Folder C:\Program Files\uTorrent not found.
File/Folder C:\Program Files\KuGoo2 not found.
C:\autorun.inf.vir moved successfully.
File/Folder C:\Documents and Settings\NetworkService\Cookies\*.* not found.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\Program Files\BitTornado\btdownloadgui.exe not found.
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\Program my\BitComet\BitComet.exe not found.
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\Program Files\ABC\abc.exe not found.
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\Program Files\uTorrent\uTorrent.exe not found.

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12112008_201059
----------------------

To the question how everything is running now... the worm and the file itself, rundll.exe that was in C: , is gone and everything seems fine. I don't know which very old file(s) you meant though, when you said earlier in this thread that my comp was heavily infected by an old virus. That one has been fixed by the 8 hour scan by DR. CureIT?
If so, the autorun.inf file on D: that was detected by DR. CureIT is still there but is now renamed as autorun.inf.vir... Has it been quarantined, and if so, do I need (or is it possible) to delete the files quarantined by Dr CureIT?
 
I don't know which very old file(s) you meant though, when you said earlier in this thread that my comp was heavily infected by an old virus. That one has been fixed by the 8 hour scan by DR. CureIT?

Yes, that is an old infection. If you had an Antivirus installed you would not have had all this trouble.

You can delete
D:\autorun.inf.vir << file
C:\Documents and Settings\Administrator\DoctorWeb << folder


Congratulations, your logs look clean :)

Let's see if I can help you keep it that way.

First let's tidy up.

Please delete RSIT.exe and C:\RSIT (entire folder)
You can also delete any logs we have produced, and empty your Recycle bin.





  • Uninstall Combofix
  • This will clear your System Volume Information restore points and remove all the infected files that were quarantined
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.




Open OTMoveIt and click Cleanup.
It will now connect to the internet and get a list of files to delete.
When a box pops up, click YES.

----------------------------------------------------------- -----------------------------------------------------------

The following is some info to help you stay safe and clean.


You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware

  • AntiSpyware is not the same thing as Antivirus.
    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
    Most of the programs in this list have a free (for Home Users ) and paid versions,
    it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
  • Spybot - Search & Destroy <<< A must have program
    • It includes host protection and registry protection
    • A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
  • MalwareBytes Anti-malware <<< A New and effective program
  • a-squared Free <<< A good "realtime" or "on demand" scanner
  • superantispyware <<< A good "realtime" or "on demand" scanner

Prevention

  • These programs don't detect malware, they help stop it getting on your machine in the first place.
    Each does a different job, so you can have more than one
  • Winpatrol
    • An excellent startup manager and then some !!
    • Notifies you if programs are added to startup
    • Allows delayed startup
    • A must have addition
  • SpywareBlaster 4.0
    • SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
  • SpywareGuard 2.2
    • SpywareGuard provides real-time protection against spyware.
    • Not required if you have other "realtime" antispyware or Winpatrol
  • ZonedOut
    • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
  • MVPS HOSTS
    • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
    • For information on how to download and install, please read this tutorial by WinHelp2002.
    • Not required if you are using other host file protections

Internet Browsers

  • Microsoft has worked hard to make IE7 a more secure browser. Unfortunately, whilst it is still the leading browser of choice it will always be under attack from the bad guys.
    Using a different web browser can help stop malware getting on your machine.
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialise and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    If you are still using IE6 then either update, or get one of the following.
    • FireFox
      • With many addons available that make customization easy this is a very popular choice
      • NoScript and AdBlockPlus addons are essential
    • Opera
      • Another popular alternative
    • Netscape
      • Another popular alternative
      • Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies

  • Temporary Internet Files are mainly the files that are downloaded when you open a web page.
    Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
    It is a good idea to empty the Temporary Internet Files folder on a regular basis.

    Tracking Cookies are files that websites use to monitor which sites you visit and how often.
    A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
    CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

    Both of these can be cleaned manually, but a quicker option is to use a program
  • ATF Cleaner
    • Free and very simple to use
  • CCleaner
    • Free and very flexible, you can choose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'
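
The Internet Explorer Custom Level settings listed in the post above can also be checked from PowerShell. This is an added example, not part of the original post: it assumes the standard per-user zone key and Microsoft's documented URL action IDs (1001, 1004, 1201, 1800, 1804, 1607), and the function name Test-InternetZone is made up for illustration.

```powershell
# Added example: audit the IE "Internet" zone (zone 3) against the Custom Level
# settings listed in the post. Reads the per-user key only; settings enforced by
# Group Policy are stored elsewhere and are not checked here (assumption).
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# URL action value data used by these settings: 0 = Enable, 1 = Prompt, 3 = Disable
$valueNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# URL action IDs (registry value names) paired with the value the post recommends.
$recommended = @(
    @{ Id = '1001'; Setting = 'Download signed ActiveX controls';                 Want = 1 }
    @{ Id = '1004'; Setting = 'Download unsigned ActiveX controls';               Want = 3 }
    @{ Id = '1201'; Setting = 'Initialise and script ActiveX not marked as safe'; Want = 3 }
    @{ Id = '1800'; Setting = 'Installation of desktop items';                    Want = 1 }
    @{ Id = '1804'; Setting = 'Launching programs and files in an IFRAME';        Want = 1 }
    @{ Id = '1607'; Setting = 'Navigate sub-frames across different domains';     Want = 1 }
)

function Test-InternetZone {
    param([string]$Key, [object[]]$Checks)
    # A missing key or value means nothing is stored per-user for that action.
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($check in $Checks) {
        $have = if ($props) { $props.($check.Id) } else { $null }
        $current = if ($null -eq $have) {
            'not set'
        } elseif ($valueNames.ContainsKey([int]$have)) {
            $valueNames[[int]$have]
        } else {
            '0x{0:X}' -f $have   # some other value; show it raw
        }
        [pscustomobject]@{
            Id      = $check.Id
            Setting = $check.Setting
            Current = $current
            Wanted  = $valueNames[$check.Want]
            Matches = ($have -eq $check.Want)
        }
    }
}

Test-InternetZone -Key $zoneKey -Checks $recommended | Format-Table -AutoSize
```

Any row where Matches is False shows a setting that differs from the list in the post.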
 
Hi, well I have cleaned up my computer using your methods (still have to take a closer look at your list of programs when I have a bit more time to sit behind my desktop, but I'm sure I'll find something useful, thanks) and everything seems fine. Thank you very much for your help. I have two more questions though:

About the desktop.ini thing (which I pointed out earlier in this thread) that starts itself and pops up in notepad whenever I have rebooted... it has the text:
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

This had started around the time I got infected and asked for help on here I think. I suddenly found "desktop.ini" when I go to "start" (it's above "programs" in a separate section), it's also in my favorites list in explorer and I also find it when I go to "start"->"programs" at the end of the list of software. Is this in any way harmful and even if not, how can I get it to stop from popping up after I start up my comp?

Also, one of your first instructions was that I should connect the culprit of the problems, the camera memorycard on which the worm/rundll.exe was present, to my computer and use flashdisinfector. As I remember, it did not get rid of the worm on my memory card and my computer either at that time. Now my computer is fixed, but this probably means my memory card with the photos can not be connected to this computer without infecting this system again = I should throw away and buy another mem card to put it bluntly? Or is there a way to save the card...

Thank you for your time.
 
everything seems fine

Sorry, I presumed that the "desktop.ini" problem had been sorted given the above statement.

You should be safe to connect your camera memorycard now, as the autorun file has been deleted.
I recommend that you format it to make sure that everything is cleaned.

Create A Batch File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files" and name it fix.bat. Please save it on your desktop.

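@echo off
rem The paths contain spaces, so each one is quoted; %%~G strips the quotes again.
for %%G in (
"C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
"C:\Documents and Settings\All Users\Start Menu\Programs"
"C:\Documents and Settings\All Users\Start Menu"
) DO (
if exist "%%~G\desktop.ini" del /q "%%~G\desktop.ini"
)
rem Delete this batch file once it has run.
del /q "%~f0"
exit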
Double click on fix.bat
Please be patient, as this will search the entire disc

Please reboot and see if the problem has stopped
 
Due to inactivity, this thread will now be closed.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
 