I have a virus of some kind; please help - Page 2

Thread: I have a virus of some kind; please help

#16 (joined Dec 2007, Daly City, CA, 22,550 posts)
    Good news then

    We need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.


    ================================================================

    Your computer would greatly benefit from adding another 512MB of RAM.

    ==============================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)
      O16 - DPF: vzTCPConfig http://www2.verizon.net/help/fios_se...zTCPConfig.CAB (Reg Error: Key error.)
      [11 C:\Documents and Settings\admin\My Documents\*.tmp files -> C:\Documents and Settings\admin\My Documents\*.tmp -> ]
      [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
      [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

#17 (joined Feb 2005, 30 posts)

    OTL log (thanks for advice on RAM)

    All processes killed
    Error: Unable to interpret <OTL> in the current context!
    Error: Unable to interpret <O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)> in the current context!
    Error: Unable to interpret <O16 - DPF: vzTCPConfig http://www2.verizon.net/help/fios_se...zTCPConfig.CAB (Reg Error: Key error.)> in the current context!
    Error: Unable to interpret <[11 C:\Documents and Settings\admin\My Documents\*.tmp files -> C:\Documents and Settings\admin\My Documents\*.tmp -> ]> in the current context!
    Error: Unable to interpret <[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]> in the current context!
    Error: Unable to interpret <[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]> in the current context!
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: admin
    ->Temp folder emptied: 99840 bytes
    ->Temporary Internet Files folder emptied: 18056452 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 21401891 bytes
    ->Flash cache emptied: 2017893 bytes

    User: Administrator
    ->Temp folder emptied: 40009 bytes
    ->Temporary Internet Files folder emptied: 33449 bytes
    ->Flash cache emptied: 134 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32768 bytes
    ->Flash cache emptied: 41620 bytes

    User: LocalService
    ->Temp folder emptied: 65748 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 1065094 bytes
    ->Flash cache emptied: 14271 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 19569 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 16867 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 41.00 mb


    [EMPTYFLASH]

    User: admin
    ->Flash cache emptied: 0 bytes

    User: Administrator
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: LocalService

    User: NetworkService
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.9.1 log created on 08012010_191632

    Files\Folders moved on Reboot...
    C:\Documents and Settings\admin\Local Settings\Temp\~DF933A.tmp moved successfully.
    File\Folder C:\Documents and Settings\admin\Local Settings\Temp\~DFFD02.tmp not found!
    File\Folder C:\Documents and Settings\admin\Local Settings\Temp\~DFFD0D.tmp not found!
    File\Folder C:\Documents and Settings\admin\Local Settings\Temp\~DFFD65.tmp not found!
    File\Folder C:\Documents and Settings\admin\Local Settings\Temp\~DFFD70.tmp not found!
    File\Folder C:\Documents and Settings\admin\Local Settings\Temp\~DFFDA3.tmp not found!
    File\Folder C:\Documents and Settings\admin\Local Settings\Temp\~DFFDAE.tmp not found!
    C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\6904ET46\blank[1].html moved successfully.
    C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\03BMVRF5\blank[1].html moved successfully.
    C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\03BMVRF5\launch[1].htm moved successfully.
    C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
    C:\WINDOWS\temp\Perflib_Perfdata_548.dat moved successfully.

    Registry entries deleted on Reboot...

#18 (joined Dec 2007, Daly City, CA, 22,550 posts)
    You did something wrong.
    You either copied my script from the email notification, or you didn't copy the whole script, especially the colon in front of "OTL".
    Please, redo.
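The failure in post #17 and the diagnosis in post #18 come down to how OTL reads a fix script: each section is opened by a header line that starts with a colon, and any entry that appears before a valid header has no context and is rejected. The following is an added example, not code from the original thread or from OTL itself; it models that behaviour with a small parser and shows the "Unable to interpret <...> in the current context!" errors appearing when ":OTL" is pasted as "OTL". The section names are the ones used in post #16; the function names and the sample scripts are constructed for illustration.

```python
"""Validator for OTL-style fix scripts (added example, not OTL's own code).

A fix script is a list of sections, each opened by a header that begins with
a colon (":OTL", ":Services", ":Reg", ":Files", ":Commands", as in post #16).
Entries before any valid header are rejected the way OTL reports them in
post #17. Function names and sample scripts are assumptions for illustration.
"""
from typing import Dict, List, Tuple

KNOWN_SECTIONS = ("OTL", "Services", "Reg", "Files", "Commands")


def parse_fix_script(text: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Split a script into {section: [entries]} plus a list of error strings."""
    sections: Dict[str, List[str]] = {}
    errors: List[str] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":") and line[1:] in KNOWN_SECTIONS:
            # A valid header opens a new section; later entries belong to it.
            current = line[1:]
            sections.setdefault(current, [])
        elif current is None:
            # No section is open yet, so the entry cannot be interpreted.
            errors.append(f"Unable to interpret <{line}> in the current context!")
        else:
            sections[current].append(line)
    return sections, errors


def diagnose(text: str) -> List[str]:
    """Explain the most common paste mistake: a header that lost its colon."""
    hints = []
    for raw in text.splitlines():
        line = raw.strip()
        if line in KNOWN_SECTIONS:
            hints.append(f'"{line}" looks like a section header; it must be pasted as ":{line}"')
    return hints


# Constructed sample with the shape of the post #16 script and the first header intact.
GOOD_SCRIPT = """\
:OTL
O16 - DPF: ExampleControl http://example.invalid/control.cab (Reg Error: Key error.)
[2 C:\\WINDOWS\\*.tmp files -> C:\\WINDOWS\\*.tmp -> ]
:Services
:Reg
:Files
:Commands
[purity]
[emptytemp]
[emptyflash]
[Reboot]
"""

# Same script, but the leading colon on the first header was lost in the paste.
BAD_SCRIPT = GOOD_SCRIPT.replace(":OTL\n", "OTL\n", 1)


if __name__ == "__main__":
    for name, script in (("good", GOOD_SCRIPT), ("bad", BAD_SCRIPT)):
        sections, errors = parse_fix_script(script)
        print(name, "sections:", {k: len(v) for k, v in sections.items()})
        for err in errors:
            print("  ", err)
        for hint in diagnose(script):
            print("   hint:", hint)
```

With the colon missing, the "OTL" line and the two entries under it are all rejected, while the later sections (Services, Reg, Files, Commands) are still recognised and the [emptytemp] and [emptyflash] commands still run, which is exactly the shape of the log in post #17.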

#19 (joined Feb 2005, 30 posts)

    OTL corrected...I hope?

    All processes killed
    ========== OTL ==========
    Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
    C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Starting removal of ActiveX control vzTCPConfig
    Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\vzTCPConfig\DownloadInformation\\INF .
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\vzTCPConfig\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\vzTCPConfig\ not found.
    C:\Documents and Settings\admin\My Documents\~WRL0004.tmp deleted successfully.
    C:\Documents and Settings\admin\My Documents\~WRL0359.tmp deleted successfully.
    C:\Documents and Settings\admin\My Documents\~WRL0683.tmp deleted successfully.
    C:\Documents and Settings\admin\My Documents\~WRL1322.tmp deleted successfully.
    C:\Documents and Settings\admin\My Documents\~WRL1923.tmp deleted successfully.
    C:\Documents and Settings\admin\My Documents\~WRL2005.tmp deleted successfully.
    C:\Documents and Settings\admin\My Documents\~WRL2355.tmp deleted successfully.
    C:\Documents and Settings\admin\My Documents\~WRL2894.tmp deleted successfully.
    C:\Documents and Settings\admin\My Documents\~WRL2963.tmp deleted successfully.
    C:\Documents and Settings\admin\My Documents\~WRL3270.tmp deleted successfully.
    C:\Documents and Settings\admin\My Documents\~WRL3883.tmp deleted successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: admin
    ->Temp folder emptied: 99840 bytes
    ->Temporary Internet Files folder emptied: 9078030 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 835 bytes

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 16867 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 9.00 mb


    [EMPTYFLASH]

    User: admin
    ->Flash cache emptied: 0 bytes

    User: Administrator
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: LocalService

    User: NetworkService
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.9.1 log created on 08012010_193739

    Files\Folders moved on Reboot...
    C:\Documents and Settings\admin\Local Settings\Temp\~DF45EA.tmp moved successfully.
    File\Folder C:\Documents and Settings\admin\Local Settings\Temp\~DF9A23.tmp not found!
    File\Folder C:\Documents and Settings\admin\Local Settings\Temp\~DF9A48.tmp not found!
    File\Folder C:\Documents and Settings\admin\Local Settings\Temp\~DF9B37.tmp not found!
    File\Folder C:\Documents and Settings\admin\Local Settings\Temp\~DF9B48.tmp not found!
    File\Folder C:\Documents and Settings\admin\Local Settings\Temp\~DF9C80.tmp not found!
    File\Folder C:\Documents and Settings\admin\Local Settings\Temp\~DF9CDC.tmp not found!
    C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\CPJNZ0RJ\595035374330785444436b4143656754[2].htm moved successfully.
    C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\CPJNZ0RJ\595035374330785444436b4143656754[3].htm moved successfully.
    C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\CPJNZ0RJ\blank[2].html moved successfully.
    C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\CPJNZ0RJ\launch[1].htm moved successfully.
    C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\COXM1QOM\blank[1].html moved successfully.
    C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\COXM1QOM\i0[2].htm moved successfully.
    C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\91GWEIFH\iepngfix[1].htc moved successfully.
    C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\91GWEIFH\showthread[1].php moved successfully.
    C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
    File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
    C:\WINDOWS\temp\Perflib_Perfdata_554.dat moved successfully.

    Registry entries deleted on Reboot...

#20 (joined Dec 2007, Daly City, CA, 22,550 posts)
    Good

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.



    3. Go to Kaspersky website and perform an online antivirus scan.

    • Disable your active antivirus program.
    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

#21 (joined Feb 2005, 30 posts)

    Security Checkpoint

    Results of screen317's Security Check version 0.99.4
    Windows XP Service Pack 3
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    avast! Antivirus
    Antivirus up to date! (On Access scanning disabled!)
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Out of date Spybot installed!
    Ad-Aware
    Malwarebytes' Anti-Malware
    CCleaner
    Java(TM) 6 Update 21
    Out of date Java installed!
    Adobe Flash Player
    Adobe Reader 7.0.9
    Out of date Adobe Reader installed!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Ad-Aware AAWService.exe is disabled!
    Ad-Aware AAWTray.exe is disabled!
    Alwil Software Avast4 aswUpdSv.exe
    Alwil Software Avast4 ashServ.exe
    Alwil Software Avast4 ashDisp.exe
    ````````````````````````````````
    DNS Vulnerability Check:

    GREAT! (Not vulnerable to DNS cache poisoning)

    ``````````End of Log````````````
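The Security Check report above is meant to be read for a handful of actionable lines: products flagged "Out of date ... installed!", an antivirus whose on-access scanning is disabled, and security processes reported as "is disabled!". The following is an added example, not code from the original thread or from the Security Check tool; it extracts exactly those findings from the report pasted in post #21. The line patterns come from that report; the function names, and rebuilding the separator lines in code rather than pasting them, are assumptions for illustration.

```python
"""Triage of a Security Check (screen317) checkup.txt report.

Added example, not the tool's own code. Pulls the actionable lines out of
the report in post #21 and tags each with the section it appeared in.
"""
import re
from typing import List, Tuple

SEP = "`" * 30  # the report's separator lines, rebuilt here rather than pasted

# Sample report, reproduced from post #21 above.
SAMPLE_CHECKUP = "\n".join([
    "Results of screen317's Security Check version 0.99.4",
    "Windows XP Service Pack 3",
    "Internet Explorer 8",
    SEP,
    "Antivirus/Firewall Check:",
    "",
    "Windows Firewall Enabled!",
    "avast! Antivirus",
    "Antivirus up to date! (On Access scanning disabled!)",
    SEP,
    "Anti-malware/Other Utilities Check:",
    "",
    "Out of date Spybot installed!",
    "Ad-Aware",
    "Malwarebytes' Anti-Malware",
    "CCleaner",
    "Java(TM) 6 Update 21",
    "Out of date Java installed!",
    "Adobe Flash Player",
    "Adobe Reader 7.0.9",
    "Out of date Adobe Reader installed!",
    SEP,
    "Process Check:",
    "objlist.exe by Laurent",
    "",
    "Ad-Aware AAWService.exe is disabled!",
    "Ad-Aware AAWTray.exe is disabled!",
    "Alwil Software Avast4 aswUpdSv.exe",
    "Alwil Software Avast4 ashServ.exe",
    "Alwil Software Avast4 ashDisp.exe",
    SEP,
    "DNS Vulnerability Check:",
    "",
    "GREAT! (Not vulnerable to DNS cache poisoning)",
    "",
    SEP[:10] + "End of Log" + SEP[:12],
])

SECTION_RE = re.compile(r"^(.+?) Check:$")
OUTDATED_RE = re.compile(r"^Out of date (.+) installed!$")
DISABLED_PROC_RE = re.compile(r"(\S+\.exe) is disabled!$")

Finding = Tuple[str, str, str]  # (section, kind, detail)


def triage_checkup(text: str) -> List[Finding]:
    """Return the findings that need action, tagged with the report section."""
    findings: List[Finding] = []
    section = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"`"}:
            continue  # blank lines and separator lines carry no data
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = OUTDATED_RE.match(line)
        if m:
            findings.append((section, "outdated", m.group(1)))
            continue
        if "On Access scanning disabled" in line:
            findings.append((section, "realtime_off", line))
            continue
        m = DISABLED_PROC_RE.search(line)
        if m:
            findings.append((section, "disabled_process", m.group(1)))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per kind, to see the shape of a report at a glance."""
    counts: dict = {}
    for _section, kind, _detail in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for section, kind, detail in triage_checkup(SAMPLE_CHECKUP):
        print(f"[{section}] {kind}: {detail}")
    print(summarize(triage_checkup(SAMPLE_CHECKUP)))
```

On the report above this yields three outdated products (Spybot, Java, Adobe Reader), one antivirus with real-time scanning off, and two disabled Ad-Aware processes; the firewall and DNS lines are informational and are not reported.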

#22 (joined Dec 2007, Daly City, CA, 22,550 posts)
    When you're done with Kaspersky...

    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or other garbage.

#23 (joined Feb 2005, 30 posts)

    About Kaspersky

    I ran the updates and when it got to 100%, it just hung, and the SETTINGS button continued as greyed out. I had to leave the machine and will retry it tomorrow and get back to you. Not sure why it "hung".

#24 (joined Dec 2007, Daly City, CA, 22,550 posts)
    Just retry it....

#25 (joined Feb 2005, 30 posts)

    Kaspersky results

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Monday, August 2, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Monday, August 02, 2010 15:12:43
    Records in database: 4162558
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\

    Scan statistics:
    Objects scanned: 57963
    Threats found: 1
    Infected objects found: 0
    Suspicious objects found: 1
    Scan duration: 04:04:42


    File name / Threat / Threats count
    C:\Documents and Settings\admin\Local Settings\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\Microsoft\Outlook Express\Inbox.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1

    Selected area has been scanned.

#26 (joined Dec 2007, Daly City, CA, 22,550 posts)
    Let's see if we can identify which piece of mail is suspicious...

    Please run a BitDefender Online Scan

    • Disable your antivirus program.
    • Click Start Scanner button.
    • Click Start scan button
    • Allow browser plug-in to be installed when prompted.
    • Click I Agree to agree to the EULA.
    • Please refrain from using the computer until the scan is finished.
    • When the scan is finished, click on View log.
    • Notepad will open with scan results.
    • Save the report to your desktop and post its content in your next reply.

#27 (joined Feb 2005, 30 posts)

    BitDefender log

    BitDefender Online Scanner - Real Time Virus Report
    Generated at: Tue, Aug 03, 2010 - 15:50:49

    Scan Info
    Scanned Files: 253867
    Infected Files: 0

    Virus Detected
    No virus found.

    This summary of the scan process will be used by the BitDefender Antivirus
    Lab to create aggregate statistics about virus activity around the world.

#28 (joined Dec 2007, Daly City, CA, 22,550 posts)
    Nothing found, but since Kaspersky reports some suspicious item in your current mail, please be careful with what you open.

    OTL Clean-Up
    Clean up with OTL:

    * Double-click OTL.exe to start the program.
    * Close all other programs apart from OTL as this step will require a reboot
    * On the OTL main screen, press the CLEANUP button
    * Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    =============================================================

    Your computer is clean

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

    Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please let me know how your computer is doing.

#29 (joined Feb 2005, 30 posts)

    Thanks and a question?

    Seems to be running fine now. Question: Kaspersky reported a suspicious item in my mail. Can you tell if it was an email itself or an attachment to it?

    Just wondering.

    Thanks again for all your help.

#30 (joined Dec 2007, Daly City, CA, 22,550 posts)
    It's impossible to say.
    Just be careful with current mail.
    Don't click on any unknown link included in mail and make sure to scan any attachment with your AV, before opening it.

    Good luck and stay safe
