WIN32/Matcash problem + 2 others

I can not find these anywhere:
C:\14.tmp
C:\WINDOWS\retadpu72.exe.tmp

As far as emptying there are several items in this folder:
C:\Documents and Settings\Angela\Local Settings\Temp\
that will not allow me to delete them. Access is denied. Pop up box tells me to close any programs that may be using them. Only thing is, I don't know what they are or what program may be using them. I tried closing anything that may be running in the background and even disconnected myself from the internet but nothing worked.
Here are the items that would not allow me to delete them:
~DF2AD9
~DF5C6C
~DF17EE
~DF3155
~DF6218
~DFD7A0
and a txt file named WCESLOG

I want you to know, when I woke up this morning, my computer keep looping over and over again on the screen that says "Windows did not shut down properly, using the arrow keys, select what you want to do" or something to that affect. I tried using the option of starting windows as normal, last know good configuration even safe mode. No matter which option I chose, it looked like Windows was going to start, then it would just go back to that screen. After about an hour of playing with that, I popped in my Windows disc and chose the option to repair Windows. That fixed the problem of Windows not starting up, but I scanned my computer again with the Eset scanner to see if maybe my bugs were gone. They were not, however, I would like to post the newest log from that scan. It seems the issue with java had been resolved as a result of repairing Windows, however the others still remain.

C:\14.tmp multiple threats
C:\Documents and Settings\Angela\Local Settings\Temp\Yfq.exe a variant of Win32/Kryptik.CIM trojan
C:\WINDOWS\retadpu72.exe.tmp a variant of Win32/TrojanDownloader.Agent.BLS trojan
C:\WINDOWS\system32\spool\prtprocs\w32x86\00007963.tmp a variant of Win32/Kryptik.CDM trojan

Maybe you can tell me how to find the C:\14.tmp and the Windows\retadpu files. I wouldn't know where else to look other than by right clicking on the start bar and exploring. Am I doing it wrong?

Thanks again.
 
I have the boxed checked for "Show hidden Files and Folders".
The area I find this under is;
Right Click on Start bar, click "Explore", then under "Tools" I click "Folder Options", then the "View" tab. It is listed under there. That is the only thing I know to do. Is there any other place that I would need to check to make sure all files are shown?
 
Then we use this:

Download OTMoveIt by Old Timer and save it to your Desktop.
  • Double-click OTM.exe. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
  • Copy the lines in the codebox below.
Code:
:files
C:\14.tmp
C:\WINDOWS\retadpu72.exe.tmp
  • Return to OTMoveIt, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
 
Ok, here is the report:

========== FILES ==========
C:\14.tmp moved successfully.
C:\WINDOWS\retadpu72.exe.tmp moved successfully.

OTM by OldTimer - Version 3.1.9.0 log created on 02242010_134856
 
Well, my computer appears to be running normal again. My browser isn't going all crazy on me. Just for giggles, I ran that Eset virus scanner again and it said I had threats. Here is the log from it.

C:\RECYCLER\S-1-5-21-1957994488-1229272821-725345543-1004\Dc425.tmp a variant of Win32/Kryptik.CDM trojan
C:\_OTM\MovedFiles\02242010_134856\C_\14.tmp multiple threats
C:\_OTM\MovedFiles\02242010_134856\C_WINDOWS\retadpu72.exe.tmp a variant of Win32/TrojanDownloader.Agent.BLS trojan

Should I be worried about these or am I ok now?

Thanks so much for all your help.
 
Good :)

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Now lets uninstall ComboFix:

  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK

Next we remove all used tools.

Please download OTCleanIt and save it to desktop.
  • Double-click OTC.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

  • Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and re-enable system restore here:

    Windows XP System Restore Guide

Re-enable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software and keep your other programs up-to-date Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
    You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install Malwarebytes' Anti-Malware - Malwarebytes''Anti-Malware is a new and powerful anti-malware tool. It is
    totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:

    Malwarebytes' Anti-Malware Setup Guide

    Malwarebytes' Anti-Malware Scanning Guide

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety


Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean! :bigthumb:
 
Back
Top