
Author Topic: win32/Heur Virus - an SOS message  (Read 25433 times)


Collins

    Topic Starter


    Beginner

    win32/Heur Virus - an SOS message
    « on: February 20, 2009, 07:20:44 PM »
    My PC has been attacked by the Win32/Heur virus.  I detected it last week and it is taking over all the programs on my PC.  I need urgent help in removing this virus as I suspect it will destroy my PC if I am able to eliminate it.  It is spreading fast.  Please help!!!

Collins

Re: win32/Heur Virus - an SOS message
« Reply #1 on: February 24, 2009, 05:28:54 PM »
The virus is eating up my PC.  Please, somebody help me!!!  It attacks different programs daily.  Please help me before I lose my computer entirely.

      evilfantasy

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Calm like a bomb
      • Thanked: 493
      • Experience: Experienced
      • OS: Windows 11
      Re: win32/Heur Virus - an SOS message
      « Reply #2 on: February 24, 2009, 05:32:48 PM »

Collins

Re: win32/Heur Virus - an SOS message
« Reply #3 on: February 24, 2009, 06:14:06 PM »
I cannot get CCleaner to work.
It doesn't stay on the desktop.  When I double click on the CCleaner icon on the desktop and then on the Options tab, the CCleaner display vanishes from the desktop.

I was using AVG8 but the virus attacked the avgupdate executable file and so I am able to update.  What should I do?  Should I install one of the antivirus programs listed?

evilfantasy

Re: win32/Heur Virus - an SOS message
« Reply #4 on: February 24, 2009, 06:15:55 PM »
        Try installing MalwareBytes and let me know what happens.

Collins

Re: win32/Heur Virus - an SOS message
« Reply #5 on: February 25, 2009, 08:01:20 PM »
          Find below the result of the Malwarebytes Scan on my PC as instructed.

          Malwarebytes' Anti-Malware 1.34
          Database version: 1804
          Windows 5.1.2600 Service Pack 2

          2/26/2009 2:51:17 AM
          mbam-log-2009-02-26 (02-51-17).txt

          Scan type: Quick Scan
          Objects scanned: 77393
          Time elapsed: 7 minute(s), 36 second(s)

          Memory Processes Infected: 0
          Memory Modules Infected: 0
          Registry Keys Infected: 11
          Registry Values Infected: 3
          Registry Data Items Infected: 2
          Folders Infected: 5
          Files Infected: 8

          Memory Processes Infected:
          (No malicious items detected)

          Memory Modules Infected:
          (No malicious items detected)

          Registry Keys Infected:
          HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4020100d-29d7-4392-afd5-5ad713ff4b88} (Trojan.Vundo) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Purchased Products (Rogue.Multiple) -> Quarantined and deleted successfully.

          Registry Values Infected:
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{4020100d-29d7-4392-afd5-5ad713ff4b88} (Trojan.Vundo) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Purchased Products\companyname (Rogue.ContentEraser) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

          Registry Data Items Infected:
          HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

          Folders Infected:
          C:\Program Files\WinAnonymous (Rogue.WinAnonymous) -> Quarantined and deleted successfully.
          C:\Documents and Settings\All Users\Application Data\WinAnonymous (Rogue.WinAnonymous) -> Quarantined and deleted successfully.
          C:\Documents and Settings\COLLINS\Application Data\WinAnonymous (Rogue.WinAnonymous) -> Quarantined and deleted successfully.
          C:\Documents and Settings\COLLINS\Application Data\WinAnonymous\Logs (Rogue.WinAnonymous) -> Quarantined and deleted successfully.
          C:\Program Files\Common Files\WinAnonymous (Rogue.WinAnonymous) -> Quarantined and deleted successfully.

          Files Infected:
          C:\Program Files\WinAnonymous\config.ini (Rogue.WinAnonymous) -> Quarantined and deleted successfully.
          C:\Program Files\WinAnonymous\Scan_report.htm (Rogue.WinAnonymous) -> Quarantined and deleted successfully.
          C:\Documents and Settings\All Users\Application Data\WinAnonymous\Abbr (Rogue.WinAnonymous) -> Quarantined and deleted successfully.
          C:\Documents and Settings\All Users\Application Data\WinAnonymous\prod_code (Rogue.WinAnonymous) -> Quarantined and deleted successfully.
          C:\Documents and Settings\COLLINS\Application Data\WinAnonymous\Logs\update.log (Rogue.WinAnonymous) -> Quarantined and deleted successfully.
          C:\WINDOWS\BMdbdc41e6.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
          C:\WINDOWS\BMdbdc41e6.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
          C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.


          [attachment deleted by admin]

evilfantasy

Re: win32/Heur Virus - an SOS message
« Reply #6 on: February 25, 2009, 08:10:56 PM »
Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

          Link #1
          Link #2

          **Note:  It is important that it is saved directly to your Desktop

          Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

          Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
           
          Double click combofix.exe & follow the prompts.
          When finished ComboFix will produce a log for you.
          Post the ComboFix log in your next reply.

          Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

          Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

          If you have problems with ComboFix usage, see How to use ComboFix

Collins

Re: win32/Heur Virus - an SOS message
« Reply #7 on: February 26, 2009, 08:42:22 PM »
Please find attached the log file from ComboFix.

            Regards,
            Collins

            [attachment deleted by admin]

evilfantasy

Re: win32/Heur Virus - an SOS message
« Reply #8 on: February 26, 2009, 09:34:25 PM »
            Please go to Start > Run and copy/paste the following, then press Enter:

            C:\QooBox\Add-Remove Programs.txt

            A text file should open. Please post the contents of that file in your next reply.

Collins

Re: win32/Heur Virus - an SOS message
« Reply #9 on: February 27, 2009, 05:28:50 PM »
              Hello,
Please find attached the log file per your instructions.

              [attachment deleted by admin]

evilfantasy

Re: win32/Heur Virus - an SOS message
« Reply #10 on: February 27, 2009, 05:43:53 PM »
              Delete these files/folders, as follows:

              1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
              It must be Notepad, not Wordpad.
              2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
              KillAll::

              Folder::
              c:\program files\NoAdware

              Registry::
              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "Barsaka"=-

              3. Go to the Notepad window and click Edit > Paste
              4. Then click File > Save
              5. Name the file CFScript.txt - Save the file to your Desktop
              6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



              ComboFix will begin to execute, just follow the prompts.
              After reboot (in case it asks to reboot), it will produce a log for you.
              Post that log (Combofix.txt) in your next reply.

              Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

Collins

Re: win32/Heur Virus - an SOS message
« Reply #11 on: February 28, 2009, 10:21:58 PM »
Find attached the log file for the ComboFix scan.

I have just realised that the Task Manager on the PC is not working.  It is not highlighted when I right click on the task bar.  How do I reinstate it?  I am suspecting the win32/Heur virus may have caused it.

                [attachment deleted by admin]
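The greyed-out Task Manager described in the post above matches the two "Hijack" items the Malwarebytes log in Reply #5 reported under Policies\System (DisableTaskMgr and DisableRegistryTools, both with the value 1). The PowerShell script below is an added example for checking that state; it is not part of the thread and not a feature of any tool mentioned in it. It reads both the user (HKCU) and machine (HKLM) policy hives, reports whether either restriction is still in force, and removes the restricting values only when run with the script's own -Fix switch (an assumption of this example). It assumes PowerShell run from an administrator prompt.

```powershell
# Added example (not from the thread): audit and optionally clear the
# DisableTaskMgr / DisableRegistryTools policy values that Malwarebytes
# flagged as Hijack.TaskManager / Hijack.Regedit. The -Fix switch is defined
# by this script only; it is not a Windows or Malwarebytes option.
param([switch]$Fix)

# Both hives are checked: malware usually writes the per-user value, but the
# machine-wide value overrides it if present.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$restrictedValues = @('DisableTaskMgr', 'DisableRegistryTools')

foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) {
        Write-Output "$key : key not present (nothing restricting here)"
        continue
    }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $restrictedValues) {
        # PSObject.Properties[...] returns $null when the value does not exist
        $value = $props.PSObject.Properties[$name]
        if ($null -eq $value) {
            Write-Output "$key\$name : not set (good)"
        } elseif ([int]$value.Value -eq 1) {
            Write-Output "$key\$name = 1 : tool is DISABLED by policy"
            if ($Fix) {
                Remove-ItemProperty -Path $key -Name $name
                Write-Output "  -> removed $name"
            }
        } else {
            Write-Output "$key\$name = $($value.Value) : present but not restricting"
        }
    }
}
```

Run it once without -Fix to see the current state, and again with -Fix to clear a value that is set to 1. On a domain-joined machine these values can be set legitimately by Group Policy, so compare with gpresult before removing them; if Group Policy is the source it will simply reapply them at the next refresh.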

evilfantasy

Re: win32/Heur Virus - an SOS message
« Reply #12 on: February 28, 2009, 10:46:49 PM »
                Before you begin the SDFix instructions you should copy these instructions in a Notepad file and save them to your desktop or print them for easy reference. Much of SDFix will be done in Safe mode and you will be unable to access this web page after booting into Safe mode.

                Download SDFix by AndyManchesta and save it to your desktop.

                When using this tool, you must use the Administrator's account or an account with Administrative rights


* Now, double-click on the SDFix icon that should now be residing on your desktop. If an Open File - Security Warning box opens, click on the Run button.
* A window will now open showing SDFix being extracted into the C:\SDFix folder.
* Once the installation program has finished extracting SDFix, it will open a Notepad with further instructions.
* DO NOT use it just yet.

                Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

                When your computer has started in safe mode, and you see the desktop, close all open Windows.

* Click on the Start button, click on the Run menu option, and type the following text from the Code Box into the Open: field, then click the OK button.

Code:
C:\SDFix\RunThis.bat
                * SDFix window will open containing some brief info and a disclaimer on the use of the tool.
                * Type Y on your keyboard and then press Enter to begin the cleanup process.
                * It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
                * Press any Key and it will restart the PC.
                * When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
                * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
                * Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log (from normal boot mode).

Collins

Re: win32/Heur Virus - an SOS message
« Reply #13 on: March 01, 2009, 01:38:50 AM »
                  Find below the SDFix Report.

                  SDFix: Version 1.240
                  Run by COLLINS on Sun 03/01/2009 at 07:02 AM

                  Microsoft Windows XP [Version 5.1.2600]
                  Running From: C:\SDFix

                  Checking Services :


                  Restoring Default Security Values
                  Restoring Default Hosts File

                  Rebooting


                  Checking Files :

                  No Trojan Files Found






                  Removing Temp Files

                  ADS Check :
                   


                  Final Check :

                  catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                  Rootkit scan 2009-03-01 07:48:17
                  Windows 5.1.2600 Service Pack 2 NTFS

                  scanning hidden processes ...

                  scanning hidden services & system hive ...

                  scanning hidden registry entries ...

                  scanning hidden files ...

                  scan completed successfully
                  hidden processes: 0
                  hidden services: 0
                  hidden files: 0


                  Remaining Services :




                  Authorized Application Key Export:

                  [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
                  "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
                  "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
                  "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
                  "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
                  "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
                  "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
                  "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
                  "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
                  "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
                  "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
                  "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
                  "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
                  "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
                  "C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:ipsec"
                  "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:ipsec"
                  "C:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe"="C:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe:*:Enabled:Nero Home"
                  "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
                  "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
                  "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
                  "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
                  "C:\\Program Files\\IEPro\\MiniDM.exe"="C:\\Program Files\\IEPro\\MiniDM.exe:*:Enabled:MiniDM"
                  "C:\\Program Files\\WordPerfect Mail\\Programs\\bin\\WPMail.exe"="C:\\Program Files\\WordPerfect Mail\\Programs\\bin\\WPMail.exe:*:Enabled:WordPerfect MAIL for Windows"
                  "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
                  "C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"
                  "C:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"="C:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe:*:Enabled:Nero ControlCenter"
                  "C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
                  "C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe:*:Enabled:ipsec"
                  "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
                  "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
                  "G:\\MyDwnloadFile\\Creative LiveDrvUni-Pack(ENG) -SdBLASTERLIVEUPDATE - 12-07-05.exe"="G:\\MyDwnloadFile\\Creative LiveDrvUni-Pack(ENG) -SdBLASTERLIVEUPDATE - 12-07-05.exe:*:Enabled:ipsec"
                  "C:\\WINDOWS\\system32\\wscntfy.exe"="C:\\WINDOWS\\system32\\wscntfy.exe:*:Enabled:ipsec"
                  "C:\\Program Files\\AVG\\AVG8\\avgui.exe"="C:\\Program Files\\AVG\\AVG8\\avgui.exe:*:Enabled:ipsec"
                  "C:\\Program Files\\SlySoft\\AnyDVD\\AnyDVDtray.exe"="C:\\Program Files\\SlySoft\\AnyDVD\\AnyDVDtray.exe:*:Enabled:ipsec"
                  "C:\\Program Files\\AVG\\AVG8\\avgscanx.exe"="C:\\Program Files\\AVG\\AVG8\\avgscanx.exe:*:Enabled:ipsec"
                  "C:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE"="C:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE:*:Enabled:ipsec"
                  "C:\\PROGRA~1\\AVG\\AVG8\\avgemc.exe"="C:\\PROGRA~1\\AVG\\AVG8\\avgemc.exe:*:Enabled:ipsec"
                  "C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\DWTRIG20.EXE"="C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\DWTRIG20.EXE:*:Enabled:ipsec"
                  "C:\\Program Files\\ASUS\\Asus Probe\\AsusProb.exe"="C:\\Program Files\\ASUS\\Asus Probe\\AsusProb.exe:*:Enabled:ipsec"
                  "C:\\PROGRA~1\\AVG\\AVG8\\avgupd.exe"="C:\\PROGRA~1\\AVG\\AVG8\\avgupd.exe:*:Enabled:ipsec"
                  "C:\\Program Files\\Logitech\\Video\\ISStart.exe"="C:\\Program Files\\Logitech\\Video\\ISStart.exe:*:Enabled:ipsec"
                  "C:\\WINDOWS\\AGRSMMSG.exe"="C:\\WINDOWS\\AGRSMMSG.exe:*:Enabled:ipsec"
                  "C:\\Program Files\\Creative\\SBLive\\PlayCenter2\\CTNMRun.exe"="C:\\Program Files\\Creative\\SBLive\\PlayCenter2\\CTNMRun.exe:*:Enabled:ipsec"
                  "C:\\Program Files\\iTunes\\iTunesHelper.exe"="C:\\Program Files\\iTunes\\iTunesHelper.exe:*:Enabled:ipsec"
                  "C:\\PROGRA~1\\AVG\\AVG8\\avgnsx.exe"="C:\\PROGRA~1\\AVG\\AVG8\\avgnsx.exe:*:Enabled:ipsec"
                  "C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe:*:Enabled:ipsec"
                  "C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"="C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe:*:Enabled:ipsec"
                  "C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe:*:Enabled:ipsec"

                  [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
                  "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
                  "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
                  "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

                  Remaining Files :



                  Files with Hidden Attributes :

                  Mon 26 Jan 2009     1,740,632 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
                  Mon 26 Jan 2009     5,365,592 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
                  Mon 26 Jan 2009     2,144,088 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
                  Sat 14 Jun 2008             8 ..SHR --- "C:\WINDOWS\system32\07BCB660F9.sys"
                  Mon 17 Mar 2008            88 A.SHR --- "C:\WINDOWS\system32\E0E3AF777A.sys"
                  Sat 14 Jun 2008         9,862 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
                  Wed 19 Mar 2008            88 ..SHR --- "C:\Documents and Settings\All Users\Application Data\E0E3AF777A.sys"
                  Tue 20 Jan 2009         2,880 A.SH. --- "C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys"
                  Tue 29 Nov 2005       262,144 ...H. --- "C:\Program Files\Nero\Nero PhotoShow 4\data\DVDMPEG2Enc.dll"
                  Tue 29 Nov 2005        84,604 ...H. --- "C:\Program Files\Nero\Nero PhotoShow 4\data\movie_maker.exe"
                  Tue 29 Nov 2005        61,440 ...H. --- "C:\Program Files\Nero\Nero PhotoShow 4\data\NeASL.dll"
                  Tue 29 Nov 2005        95,892 ...H. --- "C:\Program Files\Nero\Nero PhotoShow 4\data\Nero PhotoShow Express.exe"
                  Sun  1 Mar 2009     8,129,896 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2064d652e93807b954225d9ba4a6b219\BIT3A.tmp"
                  Sun  1 Mar 2009     8,129,896 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2064d652e93807b954225d9ba4a6b219\BIT56.tmp"
                  Sun  1 Mar 2009     4,909,440 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\311b85005aa2bc8a145a290cf5a139f2\BITB.tmp"
                  Sun  1 Mar 2009     8,822,672 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\38f348c87f8c2315e0e711a1f264b063\BIT39.tmp"
                  Wed 25 Feb 2009     4,865,408 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\3dc4dbb460c51f10af947c31d0b396de\BIT3E.tmp"
                  Sun  1 Mar 2009     4,865,408 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\3dc4dbb460c51f10af947c31d0b396de\BIT64.tmp"
                  Sun  1 Mar 2009     7,669,009 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4f48480c3bff7fa275c02353aba158bb\BIT3D.tmp"
                  Sun  1 Mar 2009     7,669,009 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4f48480c3bff7fa275c02353aba158bb\BIT63.tmp"
                  Sat 28 Feb 2009    25,634,737 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\695c9577cb50850d8e388f3cadd1563d\BIT15.tmp"
                  Sat 28 Feb 2009    50,828,850 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6a50f5f0959a43a8e56a65919822bf2a\BIT19.tmp"
                  Sat 28 Feb 2009    42,740,760 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7b8c200714ca2ac002bccebc74daeb3e\BIT1A.tmp"
                  Sat 28 Feb 2009    37,038,096 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\828e78e94bef91c4ecbc3e1b0a1b35ed\BIT17.tmp"
                  Sun  1 Mar 2009     2,863,144 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\831bad3f3b8bd3511c8a4e905fa7f844\BIT3B.tmp"
                  Sun  1 Mar 2009     9,448,904 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8d8a1db5b2c187dfff9360bceec5d807\BIT3C.tmp"
                  Sat 28 Feb 2009     3,030,568 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b3e9e7327f38776a4eeeb084da3eff5a\BIT18.tmp"
                  Sun  1 Mar 2009     9,237,440 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b78797d4e2ea9a8dcbe3140f470c3736\BIT47.tmp"
                  Sun  1 Mar 2009     3,552,839 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\bd64172cd2143fb5d6d9c864a6da8395\BIT38.tmp"
                  Sun  1 Mar 2009     9,249,736 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c583e569e1f1773d32894dc0975498a1\BIT18.tmp"
                  Sun  1 Mar 2009     9,249,736 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c583e569e1f1773d32894dc0975498a1\BIT37.tmp"
                  Sat 28 Feb 2009   113,491,064 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d9f6fad75dbdac35a8ef8c60acfcb1a4\BIT16.tmp"
                  Sun  1 Mar 2009     5,687,304 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\deb185b7c3743a27be869545db996079\BIT34.tmp"
                  Sun  1 Mar 2009     5,687,304 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\deb185b7c3743a27be869545db996079\BIT49.tmp"
                  Sun  1 Mar 2009     9,006,448 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f9a482c6548f5fe0d3c6095f8a2de4fc\BIT35.tmp"
                  Sat  7 Feb 2009           444 ...HR --- "C:\Documents and Settings\COLLINS\Application Data\SecuROM\UserData\securom_v7_01.bak"
                  Sun  1 Mar 2009    36,016,335 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0d3b5d19cc06db007bbe6584808bfa9e\download\BIT23.tmp"
                  Sun  1 Mar 2009    10,246,065 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fba53b5b7fa98bdc2fa6b2e0759b4674\download\BIT9.tmp"

                  Finished!



                  [attachment deleted by admin]
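The "Authorized Application Key Export" section of the SDFix report above is the Windows XP firewall exception list; each value has the form `<exe path>:<scope>:<Enabled|Disabled>:<display name>`, and the export shows the paths with doubled backslashes. The PowerShell script below is an added example, not part of the thread or of SDFix: it parses lines in that exported format (three lines copied from the report serve as a constructed sample), can alternatively read the live list from the registry, and flags any exception whose executable sits outside the usual program directories, such as the entry on the G: drive in the report. The function names and the "trusted roots" list are this example's own choices.

```powershell
# Added example (not from the thread): audit Windows XP firewall exceptions
# in the format SDFix exported. Names and helper functions are this example's own.

function ConvertFrom-FirewallException {
    param([string]$Path, [string]$Data)
    # The data string repeats the path, so strip it before splitting the
    # remaining "<scope>:<Enabled|Disabled>:<name>" fields on ':'.
    $rest = if ($Data.StartsWith($Path + ':', [StringComparison]::OrdinalIgnoreCase)) {
        $Data.Substring($Path.Length + 1)
    } else { $Data }
    $parts = $rest -split ':', 3
    [pscustomobject]@{
        Path    = [Environment]::ExpandEnvironmentVariables($Path)   # resolves %windir%
        Scope   = $parts[0]                                          # '*' = any network
        Enabled = ($parts[1] -eq 'Enabled')                          # case-insensitive
        Name    = $parts[2]
    }
}

function ConvertFrom-FirewallExportLine {
    param([string]$Line)
    # Exported lines look like  "C:\\dir\\app.exe"="C:\\dir\\app.exe:*:Enabled:app.exe"
    if ($Line -match '^"(?<key>.+?)"="(?<data>.+)"$') {
        ConvertFrom-FirewallException -Path ($Matches.key -replace '\\\\', '\') `
                                      -Data ($Matches.data -replace '\\\\', '\')
    } else { $null }
}

function Get-LiveFirewallExceptions {
    # Reads the same key SDFix exported; pass -Profile DomainProfile for the other list.
    param([string]$Profile = 'StandardProfile')
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$Profile\AuthorizedApplications\List"
    if (-not (Test-Path $key)) { return }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath bookkeeping
        ConvertFrom-FirewallException -Path $p.Name -Data $p.Value
    }
}

function Test-TrustedLocation {
    param([string]$Path)
    # Roots where installed software normally lives on an XP machine, including the
    # 8.3 short form (PROGRA~1) that several entries in the report use.
    $roots = @($env:ProgramFiles, $env:windir, 'C:\Program Files', 'C:\PROGRA~1', 'C:\WINDOWS') |
        Where-Object { $_ }
    foreach ($r in $roots) {
        if ($Path.StartsWith($r, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Constructed sample: three lines copied from the SDFix export above.
$sampleLines = @(
    '"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"',
    '"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"',
    '"G:\\MyDwnloadFile\\Creative LiveDrvUni-Pack(ENG) -SdBLASTERLIVEUPDATE - 12-07-05.exe"="G:\\MyDwnloadFile\\Creative LiveDrvUni-Pack(ENG) -SdBLASTERLIVEUPDATE - 12-07-05.exe:*:Enabled:ipsec"'
)

$entries = $sampleLines | ForEach-Object { ConvertFrom-FirewallExportLine $_ }
# To audit the running machine instead:  $entries = Get-LiveFirewallExceptions
$entries | ForEach-Object {
    $note = if (Test-TrustedLocation $_.Path) { '' } else { 'OUTSIDE program directories - review' }
    [pscustomobject]@{ Enabled = $_.Enabled; Path = $_.Path; Name = $_.Name; Note = $note }
} | Format-Table -AutoSize
```

With the sample, only the G:\MyDwnloadFile entry is flagged. An exception outside Program Files is not proof of anything malicious (here it is a driver updater the user downloaded), but every enabled exception is an inbound hole, so stale entries for files that no longer exist, or that point at download folders and removable drives, are the ones worth removing after a cleanup like this one.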

evilfantasy

Re: win32/Heur Virus - an SOS message
« Reply #14 on: March 01, 2009, 10:58:58 AM »
Download Lop S&D by Eric_71 and save it to your Desktop. Lop S&D will only run on Windows XP and Windows Vista.

                  Disable your antivirus and antimalware programs so they do not interfere with the running of Lop S&D. If needed see: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

                  Double click LopSD.exe - If you are using Windows Vista, right-click on the LopSD icon and select Run as administrator to perform this scan.

• Choose the language by typing the corresponding letter and press Enter
• Click OK at the informative window
• Type 1 to choose Option 1 (Search), then press Enter
• Wait until the end of the scan
• A report will be generated; post the contents of it in your next reply.
A copy of the report can be found at this location: %systemdrive%\lopR.txt, in most cases C:\lopR.txt

----------

Download random's system information tool (RSIT) by random/random and save it to your Desktop.

• Double click on RSIT.exe to run.
• Click Continue at the disclaimer screen.
• Once it has finished, two logs will open.
• log.txt will be maximized and info.txt will be minimized.
• Please post the contents of both logs in the next reply.