# Backdoor Trojan help for a noob



## pcftw (Nov 17, 2009)

Hi guys, I'm new here, read the sticky about posting HJT logs, so here's my problem:
Today, Norton Antivirus ran its usual scan, coming back with the usual tracker cookie AND:
Backdoor.Trojan

I'm running Vista 64-bit on an HP Pavilion elite.

It also said that it was unable to remove the infected files (there were 3). However, I DL'd and ran Avast, which found no infected files, as well as Malwarebytes, which also returned nothing.

Symptoms that I've had lately are websites redirecting to Myspace.com (not sure if this is related, but it's happened to me with Facebook), and Google.com (happens when I try to play Evony).

Here's my HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:07:11 AM, on 11/17/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
c:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
C:\Users\Isaac\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Isaac\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Isaac\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Isaac\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Isaac\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cndt
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cndt
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cndt
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files (x86)\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\Program Files (x86)\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~2\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\Program Files (x86)\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files (x86)\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [ccApp] "c:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW,SYSTRAY
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Google Update] "C:\Users\Isaac\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\Windows\SysWOW64\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/3.0.195.27 Safari/532.0" -"http://games.adultswim.com/candy-mountain-massacre-2-action-online-game.html"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix: 
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - c:\Program Files (x86)\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files (x86)\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: HP Chasis Button Service (HPBtnSrv) - Unknown owner - c:\hp\HPEZBTN\HPBtnSrv.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files (X86)\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - c:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - c:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~2\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Unknown owner - C:\Windows\system32\DRIVERS\xaudio64.exe (file missing)

--
End of file - 11677 bytes

If I know which files are infected, should I just delete them?

Thanks guys, sorry I'm a noob. All I know is I won't touch anything until you tell me to lol.
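The helpers in this thread read a HijackThis log by section code (O2 = browser helper objects, O4 = autoruns, O23 = services) and look for entries that point at files that no longer exist. Here is a small added Python triage script that does that first pass mechanically; it is example code written for this page, not part of HijackThis or the thread. The sample lines are copied from the log above, the P2P client name list is my own, and the rule that treats a "(file missing)" service under System32 as a probable 64-bit file-system-redirection artefact is a heuristic I added (HijackThis 2.0.2 is a 32-bit program, so on 64-bit Windows its System32 lookups are redirected to SysWOW64).

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a few entry lines copied from the HijackThis log in this
# thread, plus the header and process-list lines that a parser has to skip.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\Program Files (x86)\iTunes\iTunesHelper.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~2\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: XAudioService - Unknown owner - C:\Windows\system32\DRIVERS\xaudio64.exe (file missing)
"""

# Every HJT entry line starts with a section code such as R1, O2, O4, O23.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

# Names of P2P clients the helper in this thread warned about (my list, not HJT's).
P2P_CLIENTS = ("utorrent", "limewire", "frostwire", "bittorrent")


@dataclass
class HjtEntry:
    section: str  # "O2", "O4", "O23", ...
    body: str     # text after "<section> - "


def parse_hjt(text: str) -> list[HjtEntry]:
    """Keep only the numbered entry lines; headers and the process list are dropped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(HjtEntry(m.group(1), m.group(2)))
    return entries


def triage(entries: list[HjtEntry]) -> list[tuple[str, str]]:
    """Return (finding_kind, detail) pairs that deserve a second look."""
    findings = []
    for e in entries:
        body = e.body
        if e.section == "O2" and body.endswith("(no file)"):
            # The registry still points at a BHO whose DLL is gone: a harmless
            # leftover, but exactly the kind of entry a cleanup script removes.
            findings.append(("orphaned_bho", body))
        elif e.section == "O4" and any(p in body.lower() for p in P2P_CLIENTS):
            findings.append(("p2p_autorun", body))
        elif e.section == "O23" and body.endswith("(file missing)"):
            path = body.rsplit(" - ", 1)[-1]
            path = path[: -len(" (file missing)")]
            if "\\system32\\" in path.lower():
                # Heuristic: 32-bit HJT on 64-bit Windows has its System32 lookups
                # redirected to SysWOW64, so core services look "missing" although
                # they are present. Verify on the real System32 before acting.
                findings.append(("wow64_redirect_candidate", path))
            else:
                findings.append(("missing_service_binary", path))
    return findings


def summarize(text: str) -> dict[str, int]:
    """Count findings by kind for a quick first read of a log."""
    return dict(Counter(kind for kind, _ in triage(parse_hjt(text))))


if __name__ == "__main__":
    for kind, detail in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{kind:26s} {detail}")
    print(summarize(SAMPLE_LOG))
```

On the sample this reports one orphaned BHO (the GUID-only O2 entry), one P2P autorun (uTorrent) and two System32 services that look missing only because of redirection, which matches the reading the helper gave the full log: nothing in it is a live backdoor, and the interesting evidence came from the later scans instead.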


----------



## pcftw (Nov 17, 2009)

Update: Avast just found this too: JS:Agent-CV. It recommended I "Move to chest", so I did that. Sorry I touched it. =(


----------



## pcftw (Nov 17, 2009)

Bump. I guess I should uninstall Norton if I'm running Avast... gonna go do that now...


----------



## pcftw (Nov 17, 2009)

Uninstalled Norton. Avast hasn't picked up on anything in 3 thorough scans, neither has Malwarebytes... Anyone know what's going on? Did Norton maybe report a false positive or something??? Bueller? =P


----------



## cybertech (Apr 16, 2002)

Hi, Welcome to TSG!!

Norton could have produced a FP but it's never a good idea to have two anti-virus programs running.

Download *OTS.exe* to your Desktop and double-click on it to extract the files. It will create a folder named *OTS* on your desktop.

Close any open browsers.
If your Real protection or Antivirus intervenes with OTS, allow it to run.
Open the *OTS* folder and double-click on *OTS.exe* to start the program.
In the *Additional Scans* section put a check in Disabled MS Config Items and EventViewer logs
Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file
Use the *Reply* button, scroll down to the attachments section and attach the notepad file here.

*NOTE: The only people who can see attachments in the HJT forum are: the thread starter, Admins & Mods, and HJT Helpers & Trainees.*


----------



## pcftw (Nov 17, 2009)

Thanks! I will do that ASAP. Just had a question though; I've used the Norton Removal tool and installed Avast! to take its place. Should I keep Avast! running while I do the OTS scan?


----------



## pcftw (Nov 17, 2009)

Also, is the 30 day ok for the file age?


----------



## cybertech (Apr 16, 2002)

Avast running is fine. 30 age is fine as well.


----------



## pcftw (Nov 17, 2009)

That's all of it lol jeez that's so much... Sorry to bombard you with all that =(


----------



## cybertech (Apr 16, 2002)

Please use the *Reply* button, scroll down to the attachments section and attach the notepad file here.


----------



## pcftw (Nov 17, 2009)

Okay, sorry about the wait, here it is!


----------



## cybertech (Apr 16, 2002)

*The P2P programs you have installed expose you to risks* because of the nature of the P2P file sharing process. File sharing/P2P programs rely on members giving and gaining unrestricted access to computers across the P2P network. This practice can make you vulnerable to data and identity theft. It also exposes you to very malicious worms and trojans. You can change those risky default settings to a safer configuration, but the act of downloading files from an anonymous source greatly increases your exposure to infection.

Start *OTS*. Copy/Paste the information in the Code box below into the pane where it says *Paste fix here* and then click the *Run Fix* button.


```
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "" -> []
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "" -> []
[Files/Folders - Modified Within 30 Days]
NY ->  90 C:\Users\Isaac\AppData\Local\Temp\*.tmp files -> C:\Users\Isaac\AppData\Local\Temp\*.tmp
NY ->  34 C:\Windows\Temp\*.tmp files -> C:\Windows\Temp\*.tmp
[Empty Temp Folders]
```
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. 
*Post that information back here*.

Please run *ESET Online Scanner*

*Note:* You can use IE or FireFox for this scan. You need to disable your current installed Anti-Virus. If you need help with that look *here*.

*Vista users:* You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select *Run as Administrator* from the context menu.


Please go *ESET Online Scanner* and click on the ESET Online Scanner button
Select the option *YES, I accept the Terms of Use* then click on *Start*
When prompted allow the *Add-On/Active X* to install.
Make sure that the option *Remove found threats* is *NOT* checked, and the option *Scan archives* is checked.
Now click on Advanced Settings and select the following:


*Scan for potentially unwanted applications*
*Scan for potentially unsafe applications*
*Enable Anti-Stealth Technology*

Now click on *Start*
The *virus signature database...* will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
When completed the *Online Scan* will begin automatically.
*Do not* touch either the Mouse or keyboard during the scan otherwise it may stall. 
When completed select *Uninstall application on close* if you so wish, *make sure you copy the logfile first!*
Now click on *Finish*
Use notepad to open the logfile located at *C:\Program Files\ESET\EsetOnlineScanner\log.txt*.
Copy and paste that log as a reply to this topic.
*Note:* Do not forget to re-enable your Anti-Virus application after running the above scan!


----------



## pcftw (Nov 17, 2009)

Hey Cyber, here is the report from OTS:

All Processes Killed
[Registry - Safe List]
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
[Files/Folders - Modified Within 30 Days]
C:\Users\Isaac\AppData\Local\Temp\7zSF095.tmp\SymNRT.exe deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\7zSF095.tmp\SymNRT.loc deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\7zSF095.tmp folder deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\AAX39B3.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\AAX3AA2.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\CR_82CB.tmp\SETUP_PATCH.PACKED.7Z deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\CR_82CB.tmp folder deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\CR_CFF5.tmp\SETUP_PATCH.PACKED.7Z deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\CR_CFF5.tmp folder deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\curA1A5.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\DnuA340.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\DnuAF22.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\flaBE3.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\flaCDFF.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\flaD497.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ1140844696978833026Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ1167211129030509141Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ1227142925106845Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ1463410801853612540Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ1653708402091174838Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ1916181159010464298Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ1981251501523852237Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ2040956417969916310Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ2153196712296157519Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ2210667965147831663Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ2624144173556096648Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ274067987228057483Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ2831075692492262616Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ2933281607336138263Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ3124877657602229343Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ3319468105030763654Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ3357220884835762931Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ342007098642986872Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ345284616579612041Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ3782274666457723867Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ3810125319602359585Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ4032269698392503596Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ4082211327089770973Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ4152132568923896345Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ4185283314126543081Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ4407456185848187097Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ447083543566369959Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ5069127282341543188Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ5517973202798337417Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ5792747355649149304Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ5996011649049139520Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ6138174178943761220Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ6183989946135455755Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ6505234118761609807Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ6739529653337545874Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ6930961074179148661Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ6948372711430804626Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ6982894051082361534Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ7077828310931444886Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ7214873240270907130Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ7436339827931019733Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ7655313188941261103Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ7708991101270268372Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ7805960817387497355Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ7839109356751798667Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ8145284367957678462Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ8213120668721370235Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ8317425920396977009Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ8345500516140967018Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ8514435979823123513Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ8806165116839732226Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\IUJ8838164828540361181Swap.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\jar_cache23106.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\jar_cache5722067913920228486.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\jna27528.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\nsi97F5.tmp\GetVersion.dll deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\nsi97F5.tmp folder deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\nsy4311.tmp\GetVersion.dll deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\nsy4311.tmp folder deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\nszB1FA.tmp\GetVersion.dll deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\nszB1FA.tmp folder deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\pft7908.tmp folder deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\plf7242.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\utt5FB3.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\utt6EDE.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\utt801B.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\utt842.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\uttA9DD.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\uttAEDC.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\uttB69A.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\uttBABC.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\uttC1AF.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\uttC91C.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\uttE4B.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\~DF360C.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\~DF50B.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\~DFAA1B.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\~DFCEC7.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\~DFDB9C.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\~DFDCDC.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\~DFE2AE.tmp deleted successfully.
C:\Users\Isaac\AppData\Local\Temp\~nsu.tmp folder deleted successfully.
C:\Windows\Temp\DMIF640.tmp deleted successfully.
C:\Windows\Temp\mdf1481.tmp folder deleted successfully.
C:\Windows\Temp\mdf1b55.tmp folder deleted successfully.
C:\Windows\Temp\mdf1c82.tmp folder deleted successfully.
C:\Windows\Temp\mdf1dd7.tmp folder deleted successfully.
C:\Windows\Temp\mdf1e0e.tmp folder deleted successfully.
C:\Windows\Temp\mdf1f72.tmp folder deleted successfully.
C:\Windows\Temp\mdf2044.tmp folder deleted successfully.
C:\Windows\Temp\mdf218f.tmp folder deleted successfully.
C:\Windows\Temp\mdf22d3.tmp folder deleted successfully.
C:\Windows\Temp\mdf22f6.tmp folder deleted successfully.
C:\Windows\Temp\mdf2595.tmp folder deleted successfully.
C:\Windows\Temp\mdf2ee7.tmp folder deleted successfully.
C:\Windows\Temp\mdf3125.tmp folder deleted successfully.
C:\Windows\Temp\mdf3b3d.tmp folder deleted successfully.
C:\Windows\Temp\mdf3fd6.tmp folder deleted successfully.
C:\Windows\Temp\mdf4af7.tmp folder deleted successfully.
C:\Windows\Temp\mdf572c.tmp folder deleted successfully.
C:\Windows\Temp\mdf5d72.tmp folder deleted successfully.
C:\Windows\Temp\mdf5f3e.tmp folder deleted successfully.
C:\Windows\Temp\mdf5f43.tmp folder deleted successfully.
C:\Windows\Temp\mdf5fb2.tmp folder deleted successfully.
C:\Windows\Temp\mdf6216.tmp folder deleted successfully.
C:\Windows\Temp\mdf62e6.tmp folder deleted successfully.
C:\Windows\Temp\mdf6551.tmp folder deleted successfully.
C:\Windows\Temp\mdf65e2.tmp folder deleted successfully.
C:\Windows\Temp\mdf704.tmp folder deleted successfully.
C:\Windows\Temp\mdf71c7.tmp folder deleted successfully.
C:\Windows\Temp\mdf7614.tmp folder deleted successfully.
C:\Windows\Temp\mdf7be.tmp folder deleted successfully.
C:\Windows\Temp\mdf7c7b.tmp folder deleted successfully.
C:\Windows\Temp\mdf7fa4.tmp folder deleted successfully.
C:\Windows\Temp\mdf8da.tmp folder deleted successfully.
C:\Windows\Temp\TMP2DD0.tmp deleted successfully.
[Empty Temp Folders]

User: Administrator

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Isaac
->Temp folder emptied: 315425800 bytes
->Temporary Internet Files folder emptied: 123820363 bytes
->Java cache emptied: 34392427 bytes
->FireFox cache emptied: 78483189 bytes
->Apple Safari cache emptied: 107680821 bytes

User: Public

User: Tracy
->Temp folder emptied: 91990 bytes
->Temporary Internet Files folder emptied: 308298 bytes
->FireFox cache emptied: 22373455 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
Windows Temp folder emptied: 56534154 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 119268 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 25494360 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 23366 bytes

Total Files Cleaned = 729.38 mb

< End of fix log >
OTS by OldTimer - Version 3.1.8.2 fix logfile created on 12012009_203216

Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...


----------



## pcftw (Nov 17, 2009)

Yikes it seems I have some yuckies. That mp3 I've had for a very long time, from when I was using Limewire... I hope all my info hasn't been stolen or anything because of it. Stopped using Limewire for that reason, and I will uninstall/delete the p2p programs as soon as it's safe.


```
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=5cd788048191984fa7741d9192817dae
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-12-02 04:36:23
# local_time=2009-12-01 11:36:23 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 352880 352880 0 0
# compatibility_mode=769 16775165 100 98 0 195079244 0 0
# compatibility_mode=5892 16776638 100 56 0 96321996 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=267370
# found=3
# cleaned=0
# scan_time=5292
C:\Users\Isaac\AppData\Local\Google\Chrome\User Data\Default\Cache\f_002d42 multiple threats 00000000000000000000000000000000 I
C:\Users\Isaac\Documents\Downloads\setup.exe multiple threats 00000000000000000000000000000000 I
C:\Users\Isaac\Documents\LimeWire\Saved\hallowed be thy name(Club RMX).mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
```
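The ESET log above has two parts: `# key=value` header lines (where `found=3`, `cleaned=0` and `remove_checked=false` together say that all three detections are still on disk) and one detection line per file. The following added Python script, written for this page and not part of ESET or this thread, pulls those facts out so the "is anything left to do?" question is answered from the log rather than by eye. The header and detection lines are constructed from the log posted above; the grammar for the threat column (either "multiple threats" or "a variant of <name> trojan") is inferred from those three lines only and is an assumption.

```python
import re
from collections import Counter

# Constructed sample: the header lines that matter and the three detections
# from the ESET log in this thread (the all-zero hash column is kept as posted).
SAMPLE_ESET_LOG = r"""
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# remove_checked=false
# archives_checked=true
# scanned=267370
# found=3
# cleaned=0
# scan_time=5292
C:\Users\Isaac\AppData\Local\Google\Chrome\User Data\Default\Cache\f_002d42 multiple threats 00000000000000000000000000000000 I
C:\Users\Isaac\Documents\Downloads\setup.exe multiple threats 00000000000000000000000000000000 I
C:\Users\Isaac\Documents\LimeWire\Saved\hallowed be thy name(Club RMX).mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
"""

HEADER_RE = re.compile(r"^# (\w+)=(.*)$")
# Detection lines are "<path> <threat> <32-hex> <flag>". Both path and threat
# may contain spaces, so the threat grammar is inferred from the posted lines
# (assumption): "multiple threats" or "[a variant of ]<name> trojan|worm|...".
DETECT_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<threat>multiple threats|(?:a variant of )?\S+ (?:trojan|worm|virus|application))\s+"
    r"(?P<hash>[0-9a-fA-F]{32})\s+(?P<flag>\S+)$"
)


def parse_eset_log(text):
    """Return (header dict, list of detection dicts with path/threat/hash/flag)."""
    header, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        h = HEADER_RE.match(line)
        if h:
            header[h.group(1)] = h.group(2)
            continue
        d = DETECT_RE.match(line)
        if d:
            detections.append(d.groupdict())
    return header, detections


def threat_family(threat):
    """'a variant of WMA/X.gen trojan' -> 'WMA/X.gen'; 'multiple threats' stays as is."""
    if threat.startswith("a variant of "):
        return threat[len("a variant of "):].split()[0]
    return threat


def summarize_eset(text):
    header, detections = parse_eset_log(text)
    found = int(header.get("found", 0))
    cleaned = int(header.get("cleaned", 0))
    return {
        "found": found,
        "cleaned": cleaned,
        # The scan was run with "Remove found threats" unchecked, so every
        # detection is still present and needs manual action, which is why the
        # helper asks for the listed files to be deleted.
        "needs_action": header.get("remove_checked") == "false" and found > cleaned,
        "listed": len(detections),
        "families": dict(Counter(threat_family(d["threat"]) for d in detections)),
    }


if __name__ == "__main__":
    summary = summarize_eset(SAMPLE_ESET_LOG)
    print(summary)
    for d in parse_eset_log(SAMPLE_ESET_LOG)[1]:
        print(f"{d['flag']}  {threat_family(d['threat']):40s} {d['path']}")
```

The consistency check (`listed` equals `found`) is the useful part: if the header claims more detections than the body lists, the paste is truncated and the helper should ask for the complete log before telling the user what to delete.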


----------



## cybertech (Apr 16, 2002)

After you have deleted those files let me know if you are still having problems.


----------



## pcftw (Nov 17, 2009)

So just delete them? No special way, just drop em in the recycle bin and flush?


----------



## cybertech (Apr 16, 2002)

Yes that will be fine.


----------



## pcftw (Nov 17, 2009)

Thank you so much Cyber. I've got some peace of mind back and will be more wary of what I do with my computer now. I just was wondering, what does all the HJT and OTS stuff mean and how did you know what to do with it? I'm sorry if that's a broad question, I'm a noob at stuff like this, so I just want to learn lol. Thanks again!


----------



## cybertech (Apr 16, 2002)

HJT and OTS are tools we use since we can't sit down at your computer. I've been working with computers for a long time, but there is training available if someone is interested in learning and helping us out.

See how to *Become Authorized for Malware Removal* in the new TSG Library of Knowledge.

Now you *should* remove OTS and the files and folders it created. It is pointless to keep these tools around as they are updated so frequently that the tools can be outdated within a few days, sometimes within just hours.


Start *OTS*
Click the *CleanUp* button
OTS will download a small file from the Internet. If a security program or firewall warns you of this allow it to download.
OTS will delete any tools downloaded and files/folders created and then ask you to reboot so it can remove itself.

Click *Yes*.

You're welcome!


----------

