# Solved: C:\Windows\System32\msupdte.exe &amp; NTVDM CPU illegal instruction error on rebo



## JenRar (Jul 4, 2008)

Hi all,

I just did a reformat not too long ago so this is a fairly clean install. I don't think I've gotten any virus or malware but when this started popping up, I figured I'd better make sure. I've run AVG & a few other scans of things with no results. Here is the error and my HijackThis log. If you guys don't see anything amiss, I'll sic my husband on the error and let him have at trying to find the cause. lol TIA!

On reboot, an MS-DOS window opens along with this error window:
16 bit MS-DOS sybsystem
C:\WINDOWS\system32\msupdte.exe
The NTVDM CPU has encountered an illegal instruction.
CS:0000 IP:0077 OP:f0 37 05 0e 02 Choose 'Close' to terminate the application.

Then gives a Close and Ignore choice.

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:54:18 PM, on 7/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sttray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\HP USB Multimedia Keyboard\KMaestro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\MicroStar\WLANUtility\WlanUtility.exe
C:\Program Files\MicroStar\WLANUtility\WLAN_Service.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: MYPOINTS - {A057A204-BACC-4D26-CEC4-75A487FD6484} - C:\PROGRA~1\mypoints\mypoints.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MYPOINTS - {A057A204-BACC-4D26-CEC4-75A487FD6484} - C:\PROGRA~1\mypoints\mypoints.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IDTSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [Microsoft WinUpdate] C:\WINDOWS\system32\msupdte.exe
O4 - HKLM\..\Run: [BtcMaestro] "C:\Program Files\HP USB Multimedia Keyboard\KMaestro.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: WlanUtility.lnk = C:\Program Files\MicroStar\WLANUtility\WlanUtility.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6480 bytes


----------



## OldTimer (Mar 28, 2008)

Hello JenRar and welcome to TSG. Yes, the system is infected. Let's see what else we can find. Please follow the steps below in order:

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.

Double-click *ATF-Cleaner.exe* to run the program.
Click *Select All* found at the bottom of the list.
Click the *Empty Selected* button.
If you use Firefox browser, do this also:

Click *Firefox* at the top and choose *Select All* from the list.
Click the *Empty Selected* button.
*NOTE* : If you would like to keep your saved passwords, please click *No* at the prompt.
If you use Opera browser, do this also:

Click *Opera* at the top and choose *Select All* from the list.
*NOTE* : If you would like to keep your saved passwords, please click *No* at the prompt.
*Close ALL Internet browsers* (very important).
Click the *Empty Selected* button.
Click *Exit* on the Main menu to close the program.

Now download OTScanIt from *here* or *here* to your Desktop and double-click on it to extract the files. It will create a folder named *OTScanIt* on your desktop.

*Note: You must be logged on to the system with an account that has Administrator privileges to run this program.*


Close *ALL OTHER PROGRAMS*.
Open the *OTScanIt folder* and double-click on *OTScanIt.exe* to start the program (if you are running on Vista then right-click the program and choose *Run as Administrator*).
[*]In the *Drivers* section click on *Non-Microsoft*.
[*]Under *Additional Scans* click the checkboxes in front of the following items to select them:
Reg - BotCheck
File - Additional Folder Scans


*Do not change any other settings.*
Now click the *Run Scan* button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete *Notepad* will open with the report file loaded in it.
Click the *Format* menu and make sure that *Wordwrap* is not checked. If it is then click on it to uncheck it.
Save the file to your desktop or other location where you can find it back.
Use the *Add Reply* button and *attach* the file in your next post (do *not* try to copy/paste it into the post).

Cheers.

OT


----------



## JenRar (Jul 4, 2008)

Thanks for helping.  I'm currently using our other computer to post this and my husband disconnected the other one from the network after following the instructions & running the scan. Here is the log from it.


----------



## OldTimer (Mar 28, 2008)

Hi JenRar. It doesn't look too bad. Let's see what we can do with it. Follow the steps below in order:

Step #1

Please *download* *The Avenger* by Swandog46 to your *Desktop*.
Click on Avenger.zip to open the file
Extract *avenger.exe* to your desktop

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (*Ctrl+C*):


```
Files to delete:
%systemroot%\system32\msupdte.exe
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat
```
_*Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.*_

Now, *start The Avenger program* by clicking on its icon on your desktop.

 Click in the window labeled *Input Scrupt Here* and paste the text copied to the clipboard into it by pressing (*Ctrl+V*).
 Click the *Execute* button
 Answer "*Yes*" twice when prompted.

*The Avenger will automatically do the following*:

It will *Restart your computer*. ( In cases where the code to execute contains "*Drivers to Unload*", The Avenger will actually *restart your system twice.*)
On reboot, it will briefly *open a black command window* on your desktop, this is normal.
After the restart, it *creates a log file* that should open with the results of Avengers actions. This log file will be located at *C:\avenger.txt*
 The Avenger will also have *backed up all the files, etc., that you asked it to delete*, and will have zipped them and moved the zip archives to *C:\avenger\backup.zip*.

Step #2

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the *Run Fix* button.


```
[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> Microsoft WinUpdate -> %SystemRoot%\system32\msupdte.exe [C:\WINDOWS\system32\msupdte.exe]
[Files/Folders - Created Within 30 days]
NY -> 8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> msupdte.exe -> %SystemRoot%\System32\msupdte.exe
NY -> 7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> @Alternate Data Stream - 22294 bytes -> %SystemRoot%\system32:wupdate
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> @Alternate Data Stream - 125 bytes -> %AllUsersProfile%\Application Data\TEMP:2871B698
NY -> @Alternate Data Stream - 113 bytes -> %AllUsersProfile%\Application Data\TEMP:4F96D8E6
NY -> @Alternate Data Stream - 211 bytes -> %AllUsersProfile%\Application Data\TEMP:953FDC1A
NY -> @Alternate Data Stream - 104 bytes -> %AllUsersProfile%\Application Data\TEMP:CC7738DB
NY -> @Alternate Data Stream - 118 bytes -> %AllUsersProfile%\Application Data\TEMP:EC7C9796
[Files/Folders - Modified Within 30 days]
NY -> 8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> msupdte.exe -> %SystemRoot%\System32\msupdte.exe
NY -> 7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> @Alternate Data Stream - 22294 bytes -> %SystemRoot%\system32:wupdate
NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> @Alternate Data Stream - 125 bytes -> %AllUsersProfile%\Application Data\TEMP:2871B698
NY -> @Alternate Data Stream - 113 bytes -> %AllUsersProfile%\Application Data\TEMP:4F96D8E6
NY -> @Alternate Data Stream - 211 bytes -> %AllUsersProfile%\Application Data\TEMP:953FDC1A
NY -> @Alternate Data Stream - 104 bytes -> %AllUsersProfile%\Application Data\TEMP:CC7738DB
NY -> @Alternate Data Stream - 118 bytes -> %AllUsersProfile%\Application Data\TEMP:EC7C9796
[Empty Temp Folders]
[Start Explorer]
```
The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the *Ok* button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

Step #3

Now let's run an online virus scan. Both of these require Internet Explorer. Try F-Secure first. Sometimes it doesn't play nice with other system components so if it cannot complete then try the Kaspersky scan. You only need to complete one of the two.

Run the *F-Secure Online Scanner*

Note: *This Scanner is for Internet Explorer Only!*
Click on *Online Services* and then *Online Scanner*
Accept the License Agreement.
Once the ActiveX installs,Click *Full System Scan*
Once the download completes,the scan will begin automatically.
The scan will take some time to finish,so please be patient.
When the scan completes, click the *Automatic cleaning (recommended)* button.
Click the *Show Report* button and Copy&Paste the entire report in your next reply.

If the F-Secure scan did not work then try an online scan with *Kaspersky WebScanner*

Click on *Kaspersky Online Scanner*

You will be prompted to install an ActiveX component from Kaspersky, click *Yes*.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on *NEXT*
Now click on *Scan Settings*
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases


Click *OK*
Now under select a target to scan:
Select *My Computer*

The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Click on the *Save as Text* button:
Save the file to your desktop.
 Copy and paste that information in your next post.

Step #4

Run a new OTScanIt scan with the following options

*Note: You must be logged on to the system with an account that has Administrator privileges to run this program.*

Close *ALL OTHER PROGRAMS*.
Open the *OTScanIt folder* and double-click on *OTScanIt.exe* to start the program (if you are running on Vista then right-click the program and choose *Run as Administrator*).
Under *Additional Scans* click the checkboxes in front of the following items to select them:

Reg - BotCheck
File - Additional Folder Scans


*Do not change any other settings.*
Now click the *Run Scan* button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete *Notepad* will open with the report file loaded in it.
Click the *Format* menu and make sure that *Wordwrap* is not checked. If it is then click on it to uncheck it and close Notepad (save changes if necessary).
Close OTScanIt and locate the *OTScanIt.txt* file in the folder where OTScanIt.exe is located.
*Attach* that file back here in your next reply.

Step #5

*Copy/paste* the following back here in your next reply:

The *Avenger report* (c:\Avenger.txt)
The latest *OTScanIt fix log* (look in the *OTScanIt* folder for the *MovedFiles* folder. In that folder will be a file with a name in the form of *mmddyyyy_hhmmss.log* for month, day, year, hours, minutes, and seconds that the scan was run. )
The *online virus scan report* (whichever one you ran)

*Attach* the following back here in your next reply:

The new *OTScanIt scan log*

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT


----------



## JenRar (Jul 4, 2008)

The Avenger report:
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\msupdte.exe" deleted successfully.
File "c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat" deleted successfully.
File "c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
---------------------------------

OTScanIt fix log:
Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft WinUpdate deleted successfully.
File C:\WINDOWS\system32\msupdte.exe not found.
[Files/Folders - Created Within 30 days]
File C:\WINDOWS\System32\msupdte.exe not found!
C:\WINDOWS\msdownld.tmp folder deleted successfully.
C:\WINDOWS\NV31441584.TMP folder deleted successfully.
File delete failed. C:\WINDOWS\S32024058.tmp scheduled to be deleted on reboot.
ADS C:\WINDOWS\system32:wupdate deleted successfully.
[Files Created - Additional Folder Scans - Non-Microsoft Only]
ADS C:\Documents and Settings\All Users\Application Data\TEMP:2871B698 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:4F96D8E6 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:953FDC1A deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:CC7738DB deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:EC7C9796 deleted successfully.
[Files/Folders - Modified Within 30 days]
File C:\WINDOWS\System32\msupdte.exe not found!
File delete failed. C:\WINDOWS\S32024058.tmp scheduled to be deleted on reboot.
Unable to delete ADS C:\WINDOWS\system32:wupdate .
File C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat not found!
File C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat not found!
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:2871B698 .
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:4F96D8E6 .
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:953FDC1A .
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:CC7738DB .
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:EC7C9796 .
[Empty Temp Folders]
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
File delete failed. C:\Documents and Settings\jenrar\Local Settings\Application Data\Mozilla\Firefox\Profiles\l9k9lop7.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\jenrar\Local Settings\Application Data\Mozilla\Firefox\Profiles\l9k9lop7.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\jenrar\Local Settings\Application Data\Mozilla\Firefox\Profiles\l9k9lop7.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\jenrar\Local Settings\Application Data\Mozilla\Firefox\Profiles\l9k9lop7.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\jenrar\Local Settings\Application Data\Mozilla\Firefox\Profiles\l9k9lop7.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\jenrar\Local Settings\Application Data\Mozilla\Firefox\Profiles\l9k9lop7.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.16.1 fix logfile created on 07072008_175150

Files moved on Reboot...
File move failed. C:\WINDOWS\S32024058.tmp scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
C:\Documents and Settings\jenrar\Local Settings\Application Data\Mozilla\Firefox\Profiles\l9k9lop7.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\jenrar\Local Settings\Application Data\Mozilla\Firefox\Profiles\l9k9lop7.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\jenrar\Local Settings\Application Data\Mozilla\Firefox\Profiles\l9k9lop7.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\jenrar\Local Settings\Application Data\Mozilla\Firefox\Profiles\l9k9lop7.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\jenrar\Local Settings\Application Data\Mozilla\Firefox\Profiles\l9k9lop7.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\jenrar\Local Settings\Application Data\Mozilla\Firefox\Profiles\l9k9lop7.default\XUL.mfl moved successfully.

---------------------------------

Online virus scan report:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, July 7, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, July 08, 2008 02:46:18
Records in database: 924412
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 85580
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 01:05:21

File name / Threat name / Threats count
C:\Documents and Settings\jenrar\Desktop\Old Stuff\Programs\Done\Windows_XP_Key_Veiwer.exe Infected: not-a-virusSWTool.Win32.RAS.a 2

The selected area was scanned.

Hope that's all you needed. heh My husband ran all the scans & what not, so I hope I posted all the right stuff.


----------



## OldTimer (Mar 28, 2008)

Hi JenRar. Everything looks good. Go ahead and run the system normally for a couple of days and then get back with me and let me know if there are any continuing issues. If everything is Ok at that time, then we have some final cleanup to do and you'll be good to go.

Cheers.

OT


----------



## JenRar (Jul 4, 2008)

Hi,

Sorry it took so long to get back to this. Had some things going on so couldn't take the time to get back on this desktop and make sure it was working. I've been on it for several days now though and haven't had any issues. It's rebooting a lot faster and I don't see any problems. Please let me know if anything else needs done now. 

Also, I'm wondering if I should run a new scan by you since I reinstalled a lot of the programs I had before, etc. Just worried it was something in one of those. Last month we had someone hack into my gmail & paypal accounts and steal $1600 from my bank account, so we're wondering if somehow it was related to the virus stuff on here. Thankfully the bank worked with us and refunded the money since Paypal was absolutely zero help. But I want to make sure there is nothing on here still that will cause that again! lol

Thanks,

Jenny


----------



## OldTimer (Mar 28, 2008)

Hi JenRar. Unless you are getting the same popups and such I would say that the machine probably isn't infected again (yet) but you could post a new HijackThis log and I'll take a look at it. 

If any of the programs recently reinstalled were downoaded from P2P (file-sharing) networks then the potential to get reinfected rises dramatically. Those networks are a prime source of infections and most of the infections being passed around on them can blow right by any installed security apps like AV's and AS's. They just have no way to stop them. I would highly discourage using any P2P network or any files/programs that come from them.

Cheers.

OT


----------



## JenRar (Jul 4, 2008)

Ok, great.  No popups and shouldn't have any other reason to worry then.

Thanks so much!


----------



## OldTimer (Mar 28, 2008)

Soungs good JenRar. Then let's do some final cleanup to reset the System Restore points and remove all of the tools we used during the fix and then you are all set. You can mark this thread as Solved.

Step #1

*Reset and Re-enable your System Restore* to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)


*1. Turn off System Restore.*
On the Desktop, right-click *My Computer*.
Click *Properties*.
Click the *System Restore* tab.
Check *Turn off System Restore*.
Click *Apply*, and then click *OK*.

*2. Restart your computer.*

*3. Turn ON System Restore.*
On the Desktop, right-click *My Computer*.
Click *Properties*.
Click the *System Restore* tab.
UN-Check *Turn off System Restore*.
Click *Apply*, and then click *OK*.


*System Restore will now be active again.*

Step #2

To remove all of the tools we used and the files and folders they created do the following:



Start *OTScanIt*
Click the *CleanUp* button
OTScanIt will download a small file from the Internet. If a security program or firewall warns you of this allow it to download.
OTScanIt will delete any tools downloaded and files/folders created and then ask you to reboot so it can remove itself. Click *Yes*.

After that you are good to go.

Cheers and Happy Computing!

OT


----------



## JenRar (Jul 4, 2008)

Thanks! Did that and going to mark the thread. 

I appreciate your help. This site rocks!


----------

