BleepingComputer.com: Spyware Doctor detects Trojan but McAfee does not, help


#16 quietman7

Posted 17 June 2011 - 06:19 AM

Please download OTM by OldTimer and save to your Desktop.
  • Double-click on OTM.exe to launch the program. Vista/Windows 7 users right-click and select Run As Administrator.
  • Copy the file/folder paths listed below - highlight everything in the code box and press CTRL+C or right-click and choose Copy.

:Processes
explorer.exe
HARDAWAY.EXE
SCREEN.EXE

:Files
C:\WINDOWS\SYSTEM32\SYSPREP\HARDAWAY.EXE
C:\WINDOWS\SYSTEM32\SYSPREP\SCREEN.EXE

:Commands
[reboot]

  • Return to OTM, right-click in the open text box labeled "Paste Instructions for Items to be Moved" (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results will be displayed in the right-hand pane.
  • Highlight everything in the Results window (under the green bar), press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
  • A log of the results is automatically created and saved to C:\_OTM\MovedFiles\mmddyyyy_hhmmss.log <- the date/time the tool was run.

--Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. After the reboot, open Notepad, click File > Open, in the File Name box type *.log and press the Enter key. Navigate to the C:\_OTM\MovedFiles folder, open the newest .log file and copy/paste the contents in your next reply. If not asked, reboot anyway.

Quote

Caution: Be careful of what you copy and paste with this tool. OTM is a powerful program, designed to move highly persistent files and folders and is intended by the developer to be used under the guidance and supervision of a trained malware removal expert. Using it incorrectly could lead to serious problems with your operating system if removing a critical file or folder.


Microsoft MVP - Consumer Security 2007-2012
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#17 holing4t

Posted 17 June 2011 - 08:02 AM

Can I remove all files associated with OTM? It created some desktop.ini files; can I remove those?

========== PROCESSES ==========
Process explorer.exe killed successfully!
No active process named HARDAWAY.EXE was found!
No active process named SCREEN.EXE was found!
========== FILES ==========
C:\WINDOWS\SYSTEM32\SYSPREP\hardaway.exe moved successfully.
C:\WINDOWS\SYSTEM32\SYSPREP\Screen.exe moved successfully.
========== COMMANDS ==========

OTM by OldTimer - Version 3.1.18.0 log created on 06172011_224549

Also, some files popped up in C:

autoexec.bat
bootmgr
BOOTSECT.BAK
bootsqm.dat
config.sys
hiberfil.sys
IO.SYS
MSDOS.SYS
pagefile.sys

What do I do with these?
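
As an added check on the OTM step above (example code written for this rewrite, not part of the thread or of OldTimer's tool), the parser below reads an OTM script like the one in post #16 together with the results log pasted in post #17 and lists every file or process entry the log does not account for. The script and log are constructed from the thread; the "moved successfully" and process-result wording is assumed from that one log only, so other OTM messages are not modelled.

```python
import re

# Constructed from the thread: the OTM script quietman7 posted and the log holing4t pasted back.
OTM_SCRIPT = r""":Processes
explorer.exe
HARDAWAY.EXE
SCREEN.EXE

:Files
C:\WINDOWS\SYSTEM32\SYSPREP\HARDAWAY.EXE
C:\WINDOWS\SYSTEM32\SYSPREP\SCREEN.EXE

:Commands
[reboot]
"""
OTM_LOG = r"""========== PROCESSES ==========
Process explorer.exe killed successfully!
No active process named HARDAWAY.EXE was found!
No active process named SCREEN.EXE was found!
========== FILES ==========
C:\WINDOWS\SYSTEM32\SYSPREP\hardaway.exe moved successfully.
C:\WINDOWS\SYSTEM32\SYSPREP\Screen.exe moved successfully.
========== COMMANDS ==========
"""
# Result wording is assumed from the log above; other OTM messages are not modelled.
MOVED_RE = re.compile(r"^(?P<path>.+?) moved successfully\.$")
PROC_RE = re.compile(r"^(?:Process (?P<killed>.+?) killed successfully!"
                     r"|No active process named (?P<absent>.+?) was found!)$")

def parse_script(script: str) -> dict[str, list[str]]:
    """Split an OTM script into its ':Section' blocks, keyed by lower-cased section name."""
    sections: dict[str, list[str]] = {}
    current = None
    for line in (s.strip() for s in script.splitlines()):
        if line.startswith(":"):
            current = line[1:].lower()
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections

def unresolved(script: str, log: str) -> dict[str, list[str]]:
    """Script entries the log does not account for (files not reported moved, processes
    neither killed nor reported absent). Windows names are compared case-insensitively."""
    wanted, lines = parse_script(script), [s.strip() for s in log.splitlines()]
    done_files = {m.group("path").lower() for m in map(MOVED_RE.match, lines) if m}
    done_procs = {(m.group("killed") or m.group("absent")).lower()
                  for m in map(PROC_RE.match, lines) if m}
    return {"files": [p for p in wanted.get("files", []) if p.lower() not in done_files],
            "processes": [p for p in wanted.get("processes", []) if p.lower() not in done_procs]}
```

An empty result for both keys means every item the helper asked for is confirmed in the log; anything listed is what to report back or look at after the reboot.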

#18 quietman7

Posted 17 June 2011 - 02:11 PM

Quote

Also some files popped up in C:...What do I do with these?

Leave them alone...they are legitimate files which are normally hidden to protect them. If you can see these files and don't want them to show, you need to Reconfigure Windows to hide protected operating system files.

Same with Desktop.ini which is a text file for configuration settings that allows you to specify how a file system folder will be viewed and handled. It is normally hidden unless Windows is configured to show hidden/protected operating system files in Explorer's Folder Options.

We will remove OTM and its related files when done.

How is your computer running now? Are there any more signs of infection?

#19 holing4t

Posted 18 June 2011 - 07:14 AM

Thank you. SUPERAntiSpyware does not detect any more malicious content. I also rolled back the driver for my wireless LAN and have not received any more BSODs. So how do I remove OTM and its related files?

#20 quietman7

Posted 18 June 2011 - 07:35 AM

Connect to the Internet and double-click on OTM.exe to launch the program again.
  • Click on the green CleanUp! button.
  • When you do this, a text file named cleanup.txt will be downloaded from the Internet.
  • If you get a warning from your firewall or other security programs regarding OTM attempting to contact the Internet, please allow the connection.
  • After the text file has been downloaded, you will be asked if you want to Begin cleanup process?
  • Select Yes.

-- Doing this will remove any specialized tools downloaded and used. If OTM does not delete itself, then delete the file manually when done.
-- Any leftover folders/files which OTM did not remove can be deleted manually (right-click on it and choose delete).



#21 holing4t

Posted 18 June 2011 - 08:03 AM

When I did CleanUp! the .txt file wasn't downloaded. What happened?

#22 quietman7

Posted 18 June 2011 - 08:18 AM

Just ignore that part as it's not used anymore...just continue with Cleanup which should display a list of specialized tools and other related files which you may have downloaded and used.

#23 holing4t

Posted 20 June 2011 - 04:40 AM

Yeah, I have now done the cleanup. I think everything is fine now. Thank you for the help.

#24 quietman7

Posted 20 June 2011 - 06:25 AM

You're welcome.

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run... and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.

Vista and Windows 7 users can refer to these links: