Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Antivirus Xp 2008

  • Please log in to reply
11 replies to this topic

#1 Cloud13


  • Members
  • 46 posts
  • Gender:Male
  • Location:Texas
  • Local time:06:15 AM

Posted 24 August 2008 - 09:39 AM

Hello people. I'm really hoping you can help me, it's starting to take a toll on my health, it would seem.

The computer is a Dell desktop, with 4 profiles: Mine, one each for my parents, and one for my sister. My sis's is restricted, while the others are administrators. I was using mine at the time.

The other day I was browsing on the internets normally. I can't recall going anywhere fishy. Perhaps the closest is when I tried to download a YouTube video from a site I'd never been to before...

Unexpectedly, a box popped out to ask me to install Antivirus XP 2008. I assumed it was a pop up, but didn't see any X or whatever. I looked down at the tray, and the box for the installation had the logo next to it from running a .exe file. I right clicked that and did Close. It didn't respond, and the Not Responding box came up. I clicked End Now. A little while later it popped up again. This time I just opened the task manager and ended the process.

I assumed everything was fine.

When I was done on the computer, I closed FireFox and was horrified to see the background changed to a horrid blue, with "Warning! Spyware detected on your PC!" in a yellow and blue box in the middle. I right clicked for the properties, but Desktop and one other, I think it was appearances, were missing. I looked on the internet about that problem, and some people recommended SuperAntiSpyware. I downloaded it and ran it, then went to watch tv with a sinking feeling. I believe at the time already the internet was running slowly, and certain websites were 404s.

I went back to the computer before bed, but it all seem to have messed up, like it was tying to log me off. There also seemed to be a blue screen of death. I turned off the computer, feeling really bad. The next morning, I tried to turn on the computer to run the SAS again. I decided to see if the background problem was only on my profile(stupidly) and opened my dad's. I breathed a sigh of relief when it was his normal background, but then did facepalm when it turned to the blue one.

I believe I tried to run the SAS, but nothing would respond. I turned off the computer, then turned it out again. When it got to the part where it says, "Windows is starting up..." before the profile selection, it was stuck. I began feeling more distraught. I turned on the comp in Safe Mode and ran SAS. it found stuff, but didn't solve the problem.

I looked on Google on my laptop about Antivirus XP 2008, and deleted a fishy sounding C:/Program Files/(random letters and numbers).

Then I searched the C:/Windows for the .bmp file for the Spyware Detected image. I deleted that, and searched for everything that had the last 4 characters of it and deleted those. I also found the same thingy in msconfig, and unchecked it. I looked in regedit and deleted the registry(I hope). I changed the registry values of the Desktop thing, and restarted my comp in normal mode.

I used my profile this time, and was able to load and not freeze up. I was pleased to see that I was able to change the wallpaper, and had the tabs back in the properties menu.

However, I opened FireFox and searched Google for Antivirus XP 2008 again, to see if I forgot anything, but I saw that all the results would redirect me. Some sites are still 404s, and it's running slow as molasses. I found a direct download of Malwarebytes, which I heard could finish it off, but when I tried to run the .exe, it said the setup was corrupted.

What can I still do to fix this? I was going to do a system restore, but apparently the computer never made one. I am willing to reformat, but only as a last resort, and if I'm able to back up all the emails of my mom's, and documents and stuff.

Your help is appreciated. It's really making me sad all the time now, and having a feeling of hopelessness, especially since I'm one of the most computer savvy people I know in real life. Perhaps it also seems bad to me, because I'm really clean and safe and stuff on that desktop, while on my laptop I can be risky, yet it still works fine. (Except for not allowing login pages like eBay, Hotmail, Yahoo, etc. to work, but I suppose that's another thread.)

Edited by Cloud13, 24 August 2008 - 09:41 AM.

BC AdBot (Login to Remove)


#2 rigel



  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:07:15 AM

Posted 24 August 2008 - 03:24 PM

Hi Cloud13,

Welcome to BleepingComputer.

Let's start with a couple of things... Please try to redownload Malwarebytes again. If you have to, try one of the alternate download sites listed below. If you are unable to get a good copy, try downloading MBAM with another computer. Be sure to download the updates as well. We can save it to a flash drive. Please also post the result of your SAS log.

If you are sucessful with the MBAM download, run the following procedure:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Reagardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith

#3 Cloud13

  • Topic Starter

  • Members
  • 46 posts
  • Gender:Male
  • Location:Texas
  • Local time:06:15 AM

Posted 26 August 2008 - 02:33 PM

Sorry it took me a while to get to this, it's been bothering me, so I've been stalling and what not.

Ok, I turned on the computer, logged onto my profile, then it froze. I restarted, went to the "Windows is starting up," and froze. Then I restarted in Safe Mode and searched for the same string of characters as the previous stuff (started with lhpc or similar), deleted a registry file and folder with that name. I was able to start in normal mode now. though I put the startup config to diagnostic, in case.

I tried those 3 links, but they were all blocked, so I downloaded it onto a usb drive and plugged it in. Thank heavens it was able to install. I scanned with MWB, and it came up with 296 objects infected.

I'm about to remove them and post the log. In real time!

Blimey, that's a lot of &#^@. Hitting Remove Selected!

Quarantining at the mo'. Dang, I'm nervous. It'd better work.

Ok, the log popped up. Oh noes, I can't just copy and paste, so I guess I'll have to transfer the .txt file.

Closed, the log, going to have to find the folder.

Certain items could not be removed! Noooooo!!! Aight, it says I have to reboot. Here I goes.

Ok, it's restarted without a problem (that I can see). Except the tool bar and program windows are vintage Windows 98 looking...

Oh great, now the flash drive won't work.

Now I'm going to run MWB and SAS again to check for anything, then I'm going to restart with all drivers and stuff, since I think it's still in diagnostic.

I tried to do a full system scan with MWB, but my computer was making horrible noises, and the scan was going rather slowly, so I canceled it, then restarted, forgetting to do an SAS sweep, which I shall do now. Though with the full drivers, the display is normal.

SAS came back with 34 detected items. Rebooting to delete.

Apparently, I accidentally deleted the MWB log with all the removed stuff, and the other one I have is clean. I do have the SAS log I just did, though, so I'll put that at the end of the post.

Hmm, Norton just came up with some, "Norton blocked Trojan.Killv" or something like that.

Norton says stuff like:

High level
Downloader detected by virus scanner
Attention Required
Date & Time: 5/10/2008 11:22:55 AM (<-- What the....That was a while ago...)
Risk Name: Downloader
Risk Category: Virus
Risk Level: High w/ three little red blocks
Component: Virus scanner
Risk State: Process Termination Required
Recommended Action: Remove this Security Risk now.

Let's see if I can get rid of it.

"Security risk successfully removed."


Now I should probably do a virus scan, eh? :thumbsup:

It says the last quick scan was today, which I guess is where it just found that one. And the last full scan was the 20th, when I got infected initially. I doubt it actually full ran, though, because it only had a few thousand files, and didn't take very long.

After scanning 389,000 files, I think that it rather complete, lol.

"3 total security risks detected"

2 were resolved automatically, I suppose I need to fix the other.

Simply a low risk Tracking Cookie. And now it is destroyed.

I believe everything has pretty much been done on the scanning side of the house. Now to see how the internet works.

Haha! Bleepingcompter and other such tech sites all work! And Google isn't trying to redirect me! At normal speeds even!

I love you, rigel!

Now do you have any suggestions on anything else I should do before going back to normal surfing?

And here's that SAS log.

SUPERAntiSpyware Scan Log

Generated 08/26/2008 at 01:08 PM

Application Version : 4.15.1000

Core Rules Database Version : 3548
Trace Rules Database Version: 1536

Scan type : Complete Scan
Total Scan Time : 00:41:51

Memory items scanned : 465
Memory threats detected : 0
Registry items scanned : 6066
Registry threats detected : 1
File items scanned : 28964
File threats detected : 33

HKU\S-1-5-21-2969850114-383340074-3976129252-1007\Software\Microsoft\Internet Explorer\URLSearchHooks#{00A6FAF6-072E-44cf-8957-5838F569A31D}

Adware.Tracking Cookie
C:\Documents and Settings\Austin\Cookies\austin@insightexpressai[2].txt
C:\Documents and Settings\Austin\Cookies\austin@cgi-bin[2].txt
C:\Documents and Settings\Austin\Cookies\austin@www.sex4it[1].txt
C:\Documents and Settings\Austin\Cookies\austin@counter7.sextracker[1].txt
C:\Documents and Settings\Austin\Cookies\austin@doubleclick[1].txt
C:\Documents and Settings\Austin\Cookies\austin@questionmarket[1].txt
C:\Documents and Settings\Austin\Cookies\austin@ads.pointroll[1].txt
C:\Documents and Settings\Austin\Cookies\austin@serviceswitching[1].txt
C:\Documents and Settings\Austin\Cookies\austin@statcounter[1].txt
C:\Documents and Settings\Austin\Cookies\austin@msnportal.112.2o7[1].txt
C:\Documents and Settings\Austin\Cookies\austin@ad.yieldmanager[2].txt
C:\Documents and Settings\Austin\Cookies\austin@serving-sys[2].txt
C:\Documents and Settings\Austin\Cookies\austin@sales.liveperson[2].txt
C:\Documents and Settings\Austin\Cookies\austin@bluestreak[2].txt
C:\Documents and Settings\Austin\Cookies\austin@atdmt[2].txt
C:\Documents and Settings\Austin\Cookies\austin@license.nmp.neuroticmedia[1].txt
C:\Documents and Settings\Austin\Cookies\austin@neuroticmedia[2].txt
C:\Documents and Settings\Austin\Cookies\austin@sales.liveperson[3].txt
C:\Documents and Settings\Austin\Cookies\austin@mediaplex[1].txt
C:\Documents and Settings\Austin\Cookies\austin@cs.sexcounter[2].txt
C:\Documents and Settings\Austin\Cookies\austin@maxserving[2].txt
C:\Documents and Settings\Austin\Cookies\austin@mywebsearch[1].txt
C:\Documents and Settings\Austin\Cookies\austin@specificclick[1].txt
C:\Documents and Settings\Austin\Cookies\austin@bs.serving-sys[1].txt
C:\Documents and Settings\Austin\Cookies\austin@counter2.sextracker[1].txt
C:\Documents and Settings\Austin\Cookies\austin@trafficmp[2].txt
C:\Documents and Settings\Austin\Cookies\austin@2o7[2].txt
C:\Documents and Settings\Austin\Cookies\austin@sextracker[2].txt
C:\Documents and Settings\Austin\Cookies\austin@perf.overture[1].txt
C:\Documents and Settings\Austin\Cookies\austin@tripod[1].txt
C:\Documents and Settings\Austin\Cookies\austin@media6degrees[2].txt
C:\Documents and Settings\Austin\Cookies\austin@counter5.sextracker[1].txt
C:\Documents and Settings\Austin\Cookies\austin@counter14.sextracker[1].txt

#4 rigel



  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:07:15 AM

Posted 26 August 2008 - 03:25 PM

Super job Cloud13!

Let's run Malwarebytes again to see if anything shows back up. Please post the new log.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith

#5 Cloud13

  • Topic Starter

  • Members
  • 46 posts
  • Gender:Male
  • Location:Texas
  • Local time:06:15 AM

Posted 26 August 2008 - 05:16 PM

Ok, I ran MWB again, full scan, the log is below.

1 thing detected...

Hopefully this is the end of it.

Malwarebytes' Anti-Malware 1.25
Database version: 1088
Windows 5.1.2600 Service Pack 2

5:14:19 PM 8/26/2008
mbam-log-08-26-2008 (17-14-19).txt

Scan type: Full Scan (C:\|)
Objects scanned: 163696
Time elapsed: 55 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\MSN Messenger\riched20.dll (Adware.MyWeb.FunWeb) -> Quarantined and deleted successfully.

#6 rigel



  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:07:15 AM

Posted 26 August 2008 - 06:22 PM

Sorry Cloud13,

Something is still there. Let's see if we can find what is causing it to hide and regenerate.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith

#7 Cloud13

  • Topic Starter

  • Members
  • 46 posts
  • Gender:Male
  • Location:Texas
  • Local time:06:15 AM

Posted 27 August 2008 - 12:39 PM

I was thinking that maybe it found that one with the full scan, and not the quick scan, which I used before.

But I'll try the Online Scan anyways.


I really hoped it'd be clean.

Wednesday, August 27, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version:
Program database last update: Wednesday, August 27, 2008 15:14:21
Records in database: 1151343

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:

Scan statistics:
Files scanned: 129638
Threat name: 4
Infected objects: 9
Suspicious objects: 0
Duration of the scan: 02:37:42

File name / Threat name / Threats count
C:\Documents and Settings\Austin\Local Settings\Application Data\Mozilla\Firefox\Profiles\4nukkft9.default\Cache\31E0E940d01 Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Austin\Local Settings\Application Data\Mozilla\Firefox\Profiles\4nukkft9.default\Cache\43F5E66Ad01 Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Austin\Local Settings\Application Data\Mozilla\Firefox\Profiles\4nukkft9.default\Cache\C98D0B82d01 Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Austin\Local Settings\Application Data\Mozilla\Firefox\Profiles\4nukkft9.default\Cache\DCB03648d01 Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Bobbi\Desktop\GV_v1r.exe Infected: Trojan-Downloader.Win32.Small.gkk 1
C:\Documents and Settings\Bobbi\Desktop\WebfettiSetup2.2.60.11-2.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc 1
C:\Documents and Settings\Bobbi\Local Settings\Temp\install.exe Infected: Trojan-Downloader.Win32.Small.xix 1
C:\RECYCLER\S-1-5-21-2969850114-383340074-3976129252-1008\Dc5.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc 1
C:\RECYCLER\S-1-5-21-2969850114-383340074-3976129252-1009\Dc11.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc 1

The selected area was scanned.

#8 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,758 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:15 AM

Posted 27 August 2008 - 12:54 PM

You need to clear your Java cache. Follow the iinstructions provided in How do I clear the Java cache?.

Please download OTMoveIt2 by OldTimer and save to your Desktop.
  • Double-click on OTMoveIt2.exe to launch the program.
  • Copy the file(s)/folder(s) paths listed below - highlight everything in the quote box and press CTRL+C or right-click and choose Copy.

[kill explorer]
C:\Documents and Settings\Bobbi\Desktop\GV_v1r.exe
C:\Documents and Settings\Bobbi\Desktop\WebfettiSetup2.2.60.11-2.exe
C:\Documents and Settings\Bobbi\Local Settings\Temp\install.exe
[start explorer]

  • Return to OTMoveIt2, right-click in the open text box labeled "Paste List of Files/Folders to be Moved" (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results will be displayed in the right-hand pane.
  • Highlight everything in the Results window (under the green bar), press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
  • A log of the results is automatically created and saved to C:\_OTMoveIt\MovedFiles \mmddyyyy_hhmmss.log <- the date/time the tool was run.
-- Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

Caution: Be careful of what you copy and paste with this tool. OTMoveIt is a powerful program, designed to move highly persistent files and folders.

Please download and scan with Dr.Web CureIt. Follow the instructions here for performing a scan in "safe mode".
-- Post the log in your next reply and let us know how your computer is running.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#9 Cloud13

  • Topic Starter

  • Members
  • 46 posts
  • Gender:Male
  • Location:Texas
  • Local time:06:15 AM

Posted 27 August 2008 - 09:23 PM

Here are the MoveIt and Dr. Web logs.

Everything seems to be fine, though it did before these were removed, also. Some things just seem to hide and never reveal themselves. :thumbsup:

Explorer killed successfully
C:\Documents and Settings\Bobbi\Desktop\GV_v1r.exe moved successfully.
C:\Documents and Settings\Bobbi\Desktop\WebfettiSetup2.2.60.11-2.exe moved successfully.
C:\Documents and Settings\Bobbi\Local Settings\Temp\install.exe moved successfully.
C:\RECYCLER\S-1-5-21-2969850114-383340074-3976129252-1008\Dc5.exe moved successfully.
C:\RECYCLER\S-1-5-21-2969850114-383340074-3976129252-1009\Dc11.exe moved successfully.
< EmptyTemp >
File delete failed. C:\DOCUME~1\Austin\LOCALS~1\Temp\etilqs_sjOiQVSiba8PjyhBMHgh scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version log created on 08272008_143317

Files moved on Reboot...
File C:\DOCUME~1\Austin\LOCALS~1\Temp\etilqs_sjOiQVSiba8PjyhBMHgh not found!

etZero - First Month Free!.exe;C:\Documents and Settings\All Users\Start Menu;Trojan.Click.1487;Deleted.;
A0000112.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2;Trojan.Click.1487;Deleted.;
GV_v1r.exe;C:\_OTMoveIt\MovedFiles\08272008_143317\Documents and Settings\Bobbi\Desktop;Trojan.MulDrop.7901;Deleted.;
mwsSetup.CommonCodebase.exe\data001;C:\_OTMoveIt\MovedFiles\08272008_143317\Documents and Settings\Bobbi\Desktop\WebfettiSetup2.2.60.11-2.exe\data001\mwsSetup.Comm;Adware.Websearch;;
mwsSetup.CommonCodebase.exe\data003;C:\_OTMoveIt\MovedFiles\08272008_143317\Documents and Settings\Bobbi\Desktop\WebfettiSetup2.2.60.11-2.exe\data001\mwsSetup.Comm;Adware.Funweb;;
mwsSetup.CommonCodebase.exe\data004;C:\_OTMoveIt\MovedFiles\08272008_143317\Documents and Settings\Bobbi\Desktop\WebfettiSetup2.2.60.11-2.exe\data001\mwsSetup.Comm;Adware.Msearch;;
mwsSetup.CommonCodebase.exe\data005;C:\_OTMoveIt\MovedFiles\08272008_143317\Documents and Settings\Bobbi\Desktop\WebfettiSetup2.2.60.11-2.exe\data001\mwsSetup.Comm;Adware.Websearch;;
mwsSetup.CommonCodebase.exe\data006;C:\_OTMoveIt\MovedFiles\08272008_143317\Documents and Settings\Bobbi\Desktop\WebfettiSetup2.2.60.11-2.exe\data001\mwsSetup.Comm;Trojan.Isbar.438;;
mwsSetup.CommonCodebase.exe\data007;C:\_OTMoveIt\MovedFiles\08272008_143317\Documents and Settings\Bobbi\Desktop\WebfettiSetup2.2.60.11-2.exe\data001\mwsSetup.Comm;Adware.Funweb;;
mwsSetup.CommonCodebase.exe\data008;C:\_OTMoveIt\MovedFiles\08272008_143317\Documents and Settings\Bobbi\Desktop\WebfettiSetup2.2.60.11-2.exe\data001\mwsSetup.Comm;Adware.Funweb;;
mwsSetup.CommonCodebase.exe\data009;C:\_OTMoveIt\MovedFiles\08272008_143317\Documents and Settings\Bobbi\Desktop\WebfettiSetup2.2.60.11-2.exe\data001\mwsSetup.Comm;Adware.Msearch;;
mwsSetup.CommonCodebase.exe;C:\_OTMoveIt\MovedFiles\08272008_143317\Documents and Settings\Bobbi\Desktop\WebfettiSetup2.2.60.11-2.exe\data001;Archive contains infected objects;;
data001;C:\_OTMoveIt\MovedFiles\08272008_143317\Documents and Settings\Bobbi\Desktop\WebfettiSetup2.2.60.11-2.exe;Archive contains infected objects;;
data002\mwsSrcSp.CommonCodebase.exe;C:\_OTMoveIt\MovedFiles\08272008_143317\Documents and Settings\Bobbi\Desktop\WebfettiSetup2.2.60.11-2.exe\data002;Adware.Websearch;;
data002;C:\_OTMoveIt\MovedFiles\08272008_143317\Documents and Settings\Bobbi\Desktop\WebfettiSetup2.2.60.11-2.exe;Archive contains infected objects;;
WebfettiSetup2.2.60.11-2.exe;C:\_OTMoveIt\MovedFiles\08272008_143317\Documents and Settings\Bobbi\Desktop;Archive contains infected objects;Moved.;
install.exe;C:\_OTMoveIt\MovedFiles\08272008_143317\Documents and Settings\Bobbi\Local Settings\Temp;Adware.WebBuying.12;;
mwsSetup.Zwinky.exe;C:\_OTMoveIt\MovedFiles\08272008_143317\RECYCLER\S-1-5-21-2969850114-383340074-3976129252-1008\Dc5.exe\data001;Archive contains infected objects;;
data001;C:\_OTMoveIt\MovedFiles\08272008_143317\RECYCLER\S-1-5-21-2969850114-383340074-3976129252-1008\Dc5.exe;Archive contains infected objects;;
data002;C:\_OTMoveIt\MovedFiles\08272008_143317\RECYCLER\S-1-5-21-2969850114-383340074-3976129252-1008\Dc5.exe;Archive contains infected objects;;
Dc5.exe;C:\_OTMoveIt\MovedFiles\08272008_143317\RECYCLER\S-1-5-21-2969850114-383340074-3976129252-1008;Archive contains infected objects;Moved.;
mwsSetup.Zwinky.exe;C:\_OTMoveIt\MovedFiles\08272008_143317\RECYCLER\S-1-5-21-2969850114-383340074-3976129252-1009\Dc11.exe\data001;Archive contains infected objects;;
data001;C:\_OTMoveIt\MovedFiles\08272008_143317\RECYCLER\S-1-5-21-2969850114-383340074-3976129252-1009\Dc11.exe;Archive contains infected objects;;
data002;C:\_OTMoveIt\MovedFiles\08272008_143317\RECYCLER\S-1-5-21-2969850114-383340074-3976129252-1009\Dc11.exe;Archive contains infected objects;;
Dc11.exe;C:\_OTMoveIt\MovedFiles\08272008_143317\RECYCLER\S-1-5-21-2969850114-383340074-3976129252-1009;Archive contains infected objects;Moved.;

#10 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,758 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:15 AM

Posted 28 August 2008 - 07:20 AM

Connect to the Internet and double-click on OTMoveIt2.exe to launch the program again.
  • Click on the green CleanUp! button.
  • When you do this, a text file named cleanup.txt will be downloaded from the Internet.
  • If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the Internet, please allow the connection.
  • After the text file has been downloaded, you will be asked if you want to Begin cleanup process?
  • Select Yes.
-- Note: Doing this will remove any specialized tools (including this one) downloaded and used. All other programs should be kept on your machine and used on a regular basis.

Then if there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.

Edited by quietman7, 28 August 2008 - 07:21 AM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#11 Cloud13

  • Topic Starter

  • Members
  • 46 posts
  • Gender:Male
  • Location:Texas
  • Local time:06:15 AM

Posted 28 August 2008 - 11:23 AM

I did the Clean Up. Went smoothly.

Checked all the profiles, didn't see anything wonky or suspicious.

Made a new Restore Point and deleted the others, all like you said.

I suppose I'm good to go now. Thanks for all the help! :flowers: :thumbsup:

#12 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,758 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:15 AM

Posted 28 August 2008 - 11:29 AM

You're welcome.

For Tips to protect yourself against malware and reduce the potential for re-infection, be sure to read:
• "Simple and easy ways to keep your computer safe".
• "How did I get infected?, With steps so it does not happen again!".
• "Best Practices - Internet Safety for 2008".
• "Hardening Windows Security - Part 1 & Part 2".
• "IE Recommended Minimal Security Settings" - "How to Secure Your Web Browser".

• Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users