Rootkit.order

Discussion in 'Malware Help (A Specialist Will Reply)' started by paths, Aug 3, 2008.

  1. paths

    paths Private E-2

    Hello,

    As another poster posted, while playing World of Warcraft my account seemed to be keylogged, so I ran Spydoctor and found a rootkit. After it finished and everything was said and done, I ran it again to be sure and it came up clean. I started browsing around and found the thread stating that malware can be a royal pain to totally get rid of, so I decided to go with your Malware removal procedures. As I ran SaS it found what looked to be a keylogger, so here I am to see if everything came out alright.

    Appreciate the help!
     


  2. paths

    paths Private E-2

    and here is combofix.txt
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Did you recently update to Win XP SP3 and then remove it? You have a ton of TMP files left laying around that appear to be from an SP3 update.

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} -
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
    O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -

    After clicking Fix, exit HJT.


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Copy the bold text below to Notepad. Save it as fixme.reg to your Desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
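
As an added illustration (not code from the thread, from HijackThis or from MajorGeeks), a small Python triage over HijackThis-style O4 and O16 lines that applies the two criteria visible in the post: Run-key autostarts for optional updater tasks (the realsched.exe and QTTask.exe names come from the listed lines; treating that set as "optional" is an assumption) and O16 DPF entries that have no download source left. The sample log, the "TrayHelper" entry, the zero-filled CLSID and the example.com URL are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample log: the O4/O16 lines from the post above plus two
# deliberately benign entries (a made-up tray helper and a DPF entry that
# still has a download URL) so the triage has something to leave alone.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [TrayHelper] C:\Example\trayhelper.exe /silent
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} -
O16 - DPF: {00000000-1111-2222-3333-444444444444} (Example Control) - http://example.com/control.cab
"""

# O4: autostart from a Run/RunOnce key, e.g.  O4 - HKLM\..\Run: [Name] "exe" args
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[\w\\]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O16: Downloaded Program Files (ActiveX) record, e.g.  O16 - DPF: {CLSID} (desc) - url
O16_RE = re.compile(
    r'^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\}(?: \((?P<desc>[^)]*)\))? -\s*(?P<url>.*)$')

# Assumption: executables the reviewer treats as optional boot-time updaters.
# Both names are taken from the O4 lines chaslang listed for fixing.
OPTIONAL_UPDATERS = {"realsched.exe", "qttask.exe"}


@dataclass
class Finding:
    section: str   # "O4" or "O16"
    target: str    # executable basename or CLSID
    reason: str
    line: str      # the original log line, for the reviewer


def split_command(cmd: str) -> Tuple[str, str]:
    """Split an O4 command into (executable path, arguments).
    A quoted path may contain spaces; an unquoted one ends at the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def triage(log_text: str, optional_updaters=OPTIONAL_UPDATERS) -> List[Finding]:
    """Return the O4/O16 lines a reviewer would mark for HijackThis 'Fix'."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            exe, _args = split_command(m.group("cmd"))
            base = exe.rsplit("\\", 1)[-1].lower()
            if base in optional_updaters:
                findings.append(Finding(
                    "O4", base,
                    "optional updater/helper autostart; not needed at boot", line))
            continue
        m = O16_RE.match(line)
        if m and not m.group("url"):
            # No download source left: nothing to re-fetch, the record is orphaned.
            findings.append(Finding(
                "O16", m.group("clsid"),
                "DPF entry has no download source (orphaned ActiveX record)", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.target:40} {f.reason}")
```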
     
  4. paths

    paths Private E-2

    Thanks again for all the help! Unfortunately SP3 will not load all the way for some unknown reason, so it keeps removing itself every time I try to update it.

    The registry was successfully replaced, and here are the logs you've requested.
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then I suggest you delete all the left over TMP files from it listed below:
    Code:
    "C:\WINDOWS\pchealth\helpctr\binaries\"
    set1992.tmp   Apr 13 2008       38400  "SET1992.tmp"
    set6da.tmp    Apr 13 2008       38400  "SET6DA.tmp"
     
    "C:\WINDOWS\"
    set1867.tmp   Apr 13 2008     1033728  "SET1867.tmp"
    set5af.tmp    Apr 13 2008     1033728  "SET5AF.tmp"
       
    "C:\WINDOWS\system32\"
    set1328.tmp   Apr 13 2008        6656  "SET1328.tmp"
    set1329.tmp   Apr 13 2008      108032  "SET1329.tmp"
    set132b.tmp   Apr 13 2008       80896  "SET132B.tmp"
    set132c.tmp   Apr 13 2008       13824  "SET132C.tmp"
    set1330.tmp   Apr 13 2008      354304  "SET1330.tmp"
    set1362.tmp   Apr 13 2008      177152  "SET1362.tmp"
    set13a9.tmp   Apr 13 2008       30208  "SET13A9.tmp"
    set13aa.tmp   Apr 13 2008      110592  "SET13AA.tmp"
    set154c.tmp   Apr 13 2008      483840  "SET154C.tmp"
    set154d.tmp   Apr 13 2008       52736  "SET154D.tmp"
    set154e.tmp   Apr 13 2008      383488  "SET154E.tmp"
    set154f.tmp   Apr 13 2008       18432  "SET154F.tmp"
    set1551.tmp   Apr 13 2008       22528  "SET1551.tmp"
    set1553.tmp   Apr 13 2008       19456  "SET1553.tmp"
    set1556.tmp   Apr 13 2008        8192  "SET1556.tmp"
    set155b.tmp   Apr 13 2008       19968  "SET155B.tmp"
    set155c.tmp   Apr 13 2008       82432  "SET155C.tmp"
    set155f.tmp   Apr 13 2008      264192  "SET155F.tmp"
    set1564.tmp   Apr 13 2008        5632  "SET1564.tmp"
    set1565.tmp   Apr 13 2008       92672  "SET1565.tmp"
    set1566.tmp   Apr 13 2008      172032  "SET1566.tmp"
    set1569.tmp   Apr 13 2008      176640  "SET1569.tmp"
    set156a.tmp   Apr 13 2008       53760  "SET156A.tmp"
    set156b.tmp   Apr 13 2008      293376  "SET156B.tmp"
    set156d.tmp   Apr 13 2008       99328  "SET156D.tmp"
    set156e.tmp   Apr 13 2008       16896  "SET156E.tmp"
    set1571.tmp   Apr 13 2008      176128  "SET1571.tmp"
    set1572.tmp   Apr 13 2008      507904  "SET1572.tmp"
    set1573.tmp   Apr 13 2008       32256  "SET1573.tmp"
    set1579.tmp   Apr 13 2008      333824  "SET1579.tmp"
    set1580.tmp   Apr 13 2008       68096  "SET1580.tmp"
    set1581.tmp   Apr 13 2008       23552  "SET1581.tmp"
    set1582.tmp   Apr 13 2008       49152  "SET1582.tmp"
    set1585.tmp   Apr 13 2008      175104  "SET1585.tmp"
    set1587.tmp   Apr 13 2008      430592  "SET1587.tmp"
    set1589.tmp   Apr 13 2008       18944  "SET1589.tmp"
    set1590.tmp   Apr 13 2008      218624  "SET1590.tmp"
    set1592.tmp   Apr 13 2008      406016  "SET1592.tmp"
    set1593.tmp   Apr 13 2008      727040  "SET1593.tmp"
    set1594.tmp   Apr 13 2008      578560  "SET1594.tmp"
    set1596.tmp   Apr 13 2008       16896  "SET1596.tmp"
    set159b.tmp   Apr 13 2008      133632  "SET159B.tmp"
    set159c.tmp   Apr 13 2008       13824  "SET159C.tmp"
    set159d.tmp   Apr 13 2008       74240  "SET159D.tmp"
    set159e.tmp   Apr 13 2008      206848  "SET159E.tmp"
    set15a1.tmp   Apr 13 2008      123392  "SET15A1.tmp"
    set15a7.tmp   Apr 13 2008       90112  "SET15A7.tmp"
    set15ad.tmp   Apr 13 2008      385536  "SET15AD.tmp"
    set15ae.tmp   Apr 13 2008      295424  "SET15AE.tmp"
    set15b1.tmp   Apr 13 2008       45568  "SET15B1.tmp"
    set15b4.tmp   Apr 13 2008      249856  "SET15B4.tmp"
    set15b5.tmp   Apr 13 2008      181760  "SET15B5.tmp"
    set15bc.tmp   Apr 13 2008      713216  "SET15BC.tmp"
    set15bd.tmp   Apr 13 2008       14336  "SET15BD.tmp"
    set15c0.tmp   Apr 13 2008      121856  "SET15C0.tmp"
    set15c4.tmp   Apr 13 2008       16896  "SET15C4.tmp"
    set15cd.tmp   Apr 13 2008       71680  "SET15CD.tmp"
    set15ce.tmp   Apr 13 2008       34816  "SET15CE.tmp"
    set15d1.tmp   Apr 13 2008      171008  "SET15D1.tmp"
    set15d3.tmp   Apr 13 2008       67584  "SET15D3.tmp"
    set15d4.tmp   Apr 13 2008      180800  "SET15D4.tmp"
    set15d5.tmp   Apr 13 2008       90112  "SET15D5.tmp"
    set15d6.tmp   Apr 13 2008      442368  "SET15D6.tmp"
    set15d7.tmp   Apr 13 2008       57856  "SET15D7.tmp"
    set15d8.tmp   Apr 13 2008       75264  "SET15D8.tmp"
    set15e8.tmp   Apr 13 2008      135168  "SET15E8.tmp"
    set15ed.tmp   Apr 13 2008      474112  "SET15ED.tmp"
    set15ef.tmp   Apr 13 2008       65024  "SET15EF.tmp"
    set15f1.tmp   Apr 13 2008       25088  "SET15F1.tmp"
    set15f2.tmp   Apr 13 2008     8461312  "SET15F2.tmp"
    set15f3.tmp   Apr 13 2008     1499136  "SET15F3.tmp"
    set15f6.tmp   Apr 13 2008      140288  "SET15F6.tmp"
    set15f7.tmp   Apr 13 2008        5120  "SET15F7.tmp"
    set15fb.tmp   Apr 13 2008        7168  "SET15FB.tmp"
    set15fc.tmp   Apr 13 2008       39424  "SET15FC.tmp"
    set15ff.tmp   Apr 13 2008        5632  "SET15FF.tmp"
    set1600.tmp   Apr 13 2008       56320  "SET1600.tmp"
    set1601.tmp   Apr 13 2008       18944  "SET1601.tmp"
    set1607.tmp   Apr 13 2008      192512  "SET1607.tmp"
    set1608.tmp   Apr 13 2008      314880  "SET1608.tmp"
    set1609.tmp   Apr 13 2008      181248  "SET1609.tmp"
    set1610.tmp   Apr 13 2008       33280  "SET1610.tmp"
    set1611.tmp   Apr 13 2008       44032  "SET1611.tmp"
    set1614.tmp   Apr 13 2008       92672  "SET1614.tmp"
    set1617.tmp   Apr 13 2008      208384  "SET1617.tmp"
    set1618.tmp   Apr 13 2008      399360  "SET1618.tmp"
    set1619.tmp   Apr 13 2008      584704  "SET1619.tmp"
    set161d.tmp   Apr 13 2008       58880  "SET161D.tmp"
    set1622.tmp   Apr 13 2008       59904  "SET1622.tmp"
    set1623.tmp   Apr 13 2008       49664  "SET1623.tmp"
    set162f.tmp   Apr 13 2008      150016  "SET162F.tmp"
    set1631.tmp   Apr 13 2008      210944  "SET1631.tmp"
    set1633.tmp   Apr 13 2008      186368  "SET1633.tmp"
    set1634.tmp   Apr 13 2008       79872  "SET1634.tmp"
    set1635.tmp   Apr 13 2008        7680  "SET1635.tmp"
    set163b.tmp   Apr 13 2008       18944  "SET163B.tmp"
    set1641.tmp   Apr 13 2008       34304  "SET1641.tmp"
    set1643.tmp   Apr 13 2008       96768  "SET1643.tmp"
    set1644.tmp   Apr 13 2008       23040  "SET1644.tmp"
    set1647.tmp   Apr 13 2008       27648  "SET1647.tmp"
    set1649.tmp   Apr 13 2008       17408  "SET1649.tmp"
    set164c.tmp   Apr 13 2008       15360  "SET164C.tmp"
    set165d.tmp   Apr 13 2008       84992  "SET165D.tmp"
    set165f.tmp   Apr 13 2008      122880  "SET165F.tmp"
    set1660.tmp   Apr 13 2008       74752  "SET1660.tmp"
    set1661.tmp   Apr 13 2008     1287168  "SET1661.tmp"
    set1668.tmp   Apr 13 2008      147456  "SET1668.tmp"
    set1669.tmp   Apr 13 2008       12288  "SET1669.tmp"
    set166c.tmp   Apr 13 2008       94208  "SET166C.tmp"
    set166d.tmp   Apr 13 2008       65536  "SET166D.tmp"
    set166e.tmp   Apr 13 2008       65536  "SET166E.tmp"
    set166f.tmp   Apr 13 2008      106496  "SET166F.tmp"
    set1670.tmp   Apr 13 2008       32768  "SET1670.tmp"
    set1672.tmp   Apr 13 2008       69632  "SET1672.tmp"
    set1673.tmp   Apr 13 2008      135168  "SET1673.tmp"
    set1674.tmp   Apr 13 2008       24576  "SET1674.tmp"
    set1676.tmp   Apr 13 2008       16384  "SET1676.tmp"
    set1677.tmp   Apr 13 2008      249856  "SET1677.tmp"
    set1678.tmp   Apr 13 2008       67584  "SET1678.tmp"
    set167a.tmp   Apr 13 2008      270336  "SET167A.tmp"
    set167d.tmp   Apr 13 2008      143360  "SET167D.tmp"
    set1682.tmp   Apr 13 2008      118784  "SET1682.tmp"
    set1683.tmp   Apr 13 2008       44032  "SET1683.tmp"
    set1684.tmp   Apr 13 2008       67072  "SET1684.tmp"
    set1689.tmp   Apr 13 2008      247808  "SET1689.tmp"
    set168a.tmp   Apr 13 2008      245760  "SET168A.tmp"
    set168b.tmp   Apr 13 2008       80896  "SET168B.tmp"
    set168d.tmp   Apr 13 2008     1703936  "SET168D.tmp"
    set1690.tmp   Apr 13 2008       11776  "SET1690.tmp"
    set1692.tmp   Apr 13 2008      198144  "SET1692.tmp"
    set1693.tmp   Apr 13 2008      407040  "SET1693.tmp"
    set1696.tmp   Apr 13 2008      622592  "SET1696.tmp"
    set1697.tmp   Apr 13 2008      337408  "SET1697.tmp"
    set169a.tmp   Apr 13 2008       56832  "SET169A.tmp"
    set169d.tmp   Apr 13 2008       17920  "SET169D.tmp"
    set169e.tmp   Apr 13 2008       36352  "SET169E.tmp"
    set16a0.tmp   Apr 13 2008       90624  "SET16A0.tmp"
    set16a5.tmp   Apr 13 2008       66560  "SET16A5.tmp"
    set16a7.tmp   Apr 13 2008     1104896  "SET16A7.tmp"
    set16aa.tmp   Apr 13 2008      245248  "SET16AA.tmp"
    set16b0.tmp   Apr 13 2008      343040  "SET16B0.tmp"
    set16b1.tmp   Apr 13 2008      413696  "SET16B1.tmp"
    set16b2.tmp   Apr 13 2008       57344  "SET16B2.tmp"
    set16b4.tmp   Apr 13 2008      195072  "SET16B4.tmp"
    set16b5.tmp   Apr 13 2008      116224  "SET16B5.tmp"
    set16bb.tmp   Apr 13 2008       48128  "SET16BB.tmp"
    set16bc.tmp   Apr 13 2008       29696  "SET16BC.tmp"
    set16be.tmp   Apr 13 2008      143360  "SET16BE.tmp"
    set16bf.tmp   Apr 13 2008       20480  "SET16BF.tmp"
    set16c5.tmp   Apr 13 2008       15360  "SET16C5.tmp"
    set16c6.tmp   Apr 13 2008      159232  "SET16C6.tmp"
    set16c7.tmp   Apr 13 2008      884736  "SET16C7.tmp"
    set16c8.tmp   Apr 13 2008        4608  "SET16C8.tmp"
    set16c9.tmp   Apr 13 2008      271360  "SET16C9.tmp"
    set16ca.tmp   Apr 13 2008       78848  "SET16CA.tmp"
    set16cc.tmp   Apr 13 2008        6656  "SET16CC.tmp"
    set16ce.tmp   Apr 13 2008     2843136  "SET16CE.tmp"
    set16d1.tmp   Apr 13 2008      997376  "SET16D1.tmp"
    set16db.tmp   Apr 13 2008      151552  "SET16DB.tmp"
    set16dd.tmp   Apr 13 2008      297984  "SET16DD.tmp"
    set16de.tmp   Apr 13 2008       36864  "SET16DE.tmp"
    set16df.tmp   Apr 13 2008       12288  "SET16DF.tmp"
    set16e1.tmp   Apr 13 2008       73728  "SET16E1.tmp"
    set16e3.tmp   Apr 13 2008       57344  "SET16E3.tmp"
    set16e8.tmp   Apr 13 2008       71680  "SET16E8.tmp"
    set16ea.tmp   Apr 13 2008       87040  "SET16EA.tmp"
    set16eb.tmp   Apr 13 2008       59904  "SET16EB.tmp"
    set16f1.tmp   Apr 13 2008      153600  "SET16F1.tmp"
    set16fc.tmp   Apr 13 2008      586240  "SET16FC.tmp"
    set1700.tmp   Apr 13 2008       18944  "SET1700.tmp"
    set1701.tmp   Apr 13 2008       22528  "SET1701.tmp"
    set1702.tmp   Apr 13 2008     1028096  "SET1702.tmp"
    set1705.tmp   Apr 13 2008      118272  "SET1705.tmp"
    set170d.tmp   Apr 13 2008       13312  "SET170D.tmp"
    set170f.tmp   Apr 13 2008       22016  "SET170F.tmp"
    set1714.tmp   Apr 13 2008       97280  "SET1714.tmp"
    set1716.tmp   Apr 13 2008       19968  "SET1716.tmp"
    set171f.tmp   Apr 13 2008       33280  "SET171F.tmp"
    set1721.tmp   Apr 13 2008      299520  "SET1721.tmp"
    set172b.tmp   Apr 13 2008      512000  "SET172B.tmp"
    set1735.tmp   Apr 13 2008       28160  "SET1735.tmp"
    set173d.tmp   Apr 13 2008      183808  "SET173D.tmp"
    set1741.tmp   Apr 13 2008      331264  "SET1741.tmp"
    set1743.tmp   Apr 13 2008       94720  "SET1743.tmp"
    set1745.tmp   Apr 13 2008       17408  "SET1745.tmp"
    set174b.tmp   Apr 13 2008       75264  "SET174B.tmp"
    set174f.tmp   Apr 13 2008      110080  "SET174F.tmp"
    set1760.tmp   Apr 13 2008       11264  "SET1760.tmp"
    set1766.tmp   Apr 13 2008      344064  "SET1766.tmp"
    set1768.tmp   Apr 13 2008       21504  "SET1768.tmp"
    set1769.tmp   Apr 13 2008       29696  "SET1769.tmp"
    set176a.tmp   Apr 13 2008       20992  "SET176A.tmp"
    set176c.tmp   Apr 13 2008      545280  "SET176C.tmp"
    set1770.tmp   Apr 13 2008      265728  "SET1770.tmp"
    set1774.tmp   Apr 13 2008      285184  "SET1774.tmp"
    set177e.tmp   Apr 13 2008       80384  "SET177E.tmp"
    set1783.tmp   Apr 13 2008       56320  "SET1783.tmp"
    set1785.tmp   Apr 13 2008     1082368  "SET1785.tmp"
    set1786.tmp   Apr 13 2008      246272  "SET1786.tmp"
    set1787.tmp   Apr 13 2008       23040  "SET1787.tmp"
    set1793.tmp   Apr 13 2008      138752  "SET1793.tmp"
    set1798.tmp   Apr 13 2008      367616  "SET1798.tmp"
    set179e.tmp   Apr 13 2008       14336  "SET179E.tmp"
    set17ae.tmp   Apr 13 2008       45568  "SET17AE.tmp"
    set17af.tmp   Apr 13 2008      147968  "SET17AF.tmp"
    set17b4.tmp   Apr 13 2008       23552  "SET17B4.tmp"
    set17cd.tmp   Apr 13 2008      282624  "SET17CD.tmp"
    set17d0.tmp   Apr 13 2008       27136  "SET17D0.tmp"
    set17d1.tmp   Apr 13 2008      279552  "SET17D1.tmp"
    set17d4.tmp   Apr 13 2008        8704  "SET17D4.tmp"
    set17dc.tmp   Apr 13 2008       25088  "SET17DC.tmp"
    set17e3.tmp   Apr 13 2008       15360  "SET17E3.tmp"
    set17e4.tmp   Apr 13 2008        6144  "SET17E4.tmp"
    set17e5.tmp   Apr 13 2008      326656  "SET17E5.tmp"
    set17e7.tmp   Apr 13 2008      101888  "SET17E7.tmp"
    set17e8.tmp   Apr 13 2008      512512  "SET17E8.tmp"
    set17e9.tmp   Apr 13 2008       62464  "SET17E9.tmp"
    set17ea.tmp   Apr 13 2008       64512  "SET17EA.tmp"
    set17ec.tmp   Apr 13 2008       33280  "SET17EC.tmp"
    set17ee.tmp   Apr 13 2008      599040  "SET17EE.tmp"
    set17ef.tmp   Apr 13 2008      163840  "SET17EF.tmp"
    set17f1.tmp   Apr 13 2008       27648  "SET17F1.tmp"
    set17f4.tmp   Apr 13 2008     1267200  "SET17F4.tmp"
    set17f6.tmp   Apr 13 2008      792064  "SET17F6.tmp"
    set17fb.tmp   Apr 13 2008       60416  "SET17FB.tmp"
    set17fc.tmp   Apr 13 2008       47104  "SET17FC.tmp"
    set1804.tmp   Apr 13 2008       58368  "SET1804.tmp"
    set180b.tmp   Apr 13 2008      498688  "SET180B.tmp"
    set1812.tmp   Apr 13 2008       16896  "SET1812.tmp"
    set1815.tmp   Apr 13 2008      194560  "SET1815.tmp"
    set1818.tmp   Apr 13 2008      625664  "SET1818.tmp"
    set181a.tmp   Apr 13 2008      226304  "SET181A.tmp"
    set181e.tmp   Apr 13 2008       60416  "SET181E.tmp"
    set1821.tmp   Apr 13 2008     1025024  "SET1821.tmp"
    set1822.tmp   Apr 13 2008       77824  "SET1822.tmp"
    set1826.tmp   Apr 13 2008       29184  "SET1826.tmp"
    set1827.tmp   Apr 13 2008       52736  "SET1827.tmp"
    set182b.tmp   Apr 13 2008       62464  "SET182B.tmp"
    set182c.tmp   Apr 13 2008       42496  "SET182C.tmp"
    set182f.tmp   Apr 13 2008      285696  "SET182F.tmp"
    set1831.tmp   Apr 13 2008       58880  "SET1831.tmp"
    set1836.tmp   Apr 13 2008      125952  "SET1836.tmp"
    set1839.tmp   Apr 13 2008       44544  "SET1839.tmp"
    set183d.tmp   Apr 13 2008      143360  "SET183D.tmp"
    set183f.tmp   Apr 13 2008       98304  "SET183F.tmp"
    set1841.tmp   Apr 13 2008      193536  "SET1841.tmp"
    set19e0.tmp   Apr 13 2008      471552  "SET19E0.tmp"
    set19e6.tmp   Apr 13 2008       95744  "SET19E6.tmp"
    set25eb.tmp   Apr 13 2008      121856  "SET25EB.tmp"
    set25ec.tmp   Apr 13 2008        6656  "SET25EC.tmp"
    set25ed.tmp   Apr 13 2008      108032  "SET25ED.tmp"
    set25ef.tmp   Apr 13 2008       80896  "SET25EF.tmp"
    set25f4.tmp   Apr 13 2008      354304  "SET25F4.tmp"
    set25f8.tmp   Apr 13 2008       15872  "SET25F8.tmp"
    set25ff.tmp   Apr 13 2008       75776  "SET25FF.tmp"
    set2626.tmp   Apr 13 2008      177152  "SET2626.tmp"
    set2649.tmp   Apr 13 2008       24576  "SET2649.tmp"
    set266d.tmp   Apr 13 2008       30208  "SET266D.tmp"
    set266e.tmp   Apr 13 2008      110592  "SET266E.tmp"
    set294.tmp    Apr 13 2008      483840  "SET294.tmp"
    set295.tmp    Apr 13 2008       52736  "SET295.tmp"
    set296.tmp    Apr 13 2008      383488  "SET296.tmp"
    set297.tmp    Apr 13 2008       18432  "SET297.tmp"
    set299.tmp    Apr 13 2008       22528  "SET299.tmp"
    set29b.tmp    Apr 13 2008       19456  "SET29B.tmp"
    set29e.tmp    Apr 13 2008        8192  "SET29E.tmp"
    set2a3.tmp    Apr 13 2008       19968  "SET2A3.tmp"
    set2a4.tmp    Apr 13 2008       82432  "SET2A4.tmp"
    set2a7.tmp    Apr 13 2008      264192  "SET2A7.tmp"
    set2ac.tmp    Apr 13 2008        5632  "SET2AC.tmp"
    set2ad.tmp    Apr 13 2008       92672  "SET2AD.tmp"
    set2ae.tmp    Apr 13 2008      172032  "SET2AE.tmp"
    set2b1.tmp    Apr 13 2008      176640  "SET2B1.tmp"
    set2b2.tmp    Apr 13 2008       53760  "SET2B2.tmp"
    set2b3.tmp    Apr 13 2008      293376  "SET2B3.tmp"
    set2b5.tmp    Apr 13 2008       99328  "SET2B5.tmp"
    set2b6.tmp    Apr 13 2008       16896  "SET2B6.tmp"
    set2b9.tmp    Apr 13 2008      176128  "SET2B9.tmp"
    set2ba.tmp    Apr 13 2008      507904  "SET2BA.tmp"
    set2bb.tmp    Apr 13 2008       32256  "SET2BB.tmp"
    set2c1.tmp    Apr 13 2008      333824  "SET2C1.tmp"
    set2c8.tmp    Apr 13 2008       68096  "SET2C8.tmp"
    set2c9.tmp    Apr 13 2008       23552  "SET2C9.tmp"
    set2ca.tmp    Apr 13 2008       49152  "SET2CA.tmp"
    set2cd.tmp    Apr 13 2008      175104  "SET2CD.tmp"
    set2cf.tmp    Apr 13 2008      430592  "SET2CF.tmp"
    set2d1.tmp    Apr 13 2008       18944  "SET2D1.tmp"
    set2d8.tmp    Apr 13 2008      218624  "SET2D8.tmp"
    set2da.tmp    Apr 13 2008      406016  "SET2DA.tmp"
    set2db.tmp    Apr 13 2008      727040  "SET2DB.tmp"
    set2dc.tmp    Apr 13 2008      578560  "SET2DC.tmp"
    set2de.tmp    Apr 13 2008       16896  "SET2DE.tmp"
    set2e3.tmp    Apr 13 2008      133632  "SET2E3.tmp"
    set2e4.tmp    Apr 13 2008       13824  "SET2E4.tmp"
    set2e5.tmp    Apr 13 2008       74240  "SET2E5.tmp"
    set2e6.tmp    Apr 13 2008      206848  "SET2E6.tmp"
    set2e9.tmp    Apr 13 2008      123392  "SET2E9.tmp"
    set2ef.tmp    Apr 13 2008       90112  "SET2EF.tmp"
    set2f5.tmp    Apr 13 2008      385536  "SET2F5.tmp"
    set2f6.tmp    Apr 13 2008      295424  "SET2F6.tmp"
    set2f9.tmp    Apr 13 2008       45568  "SET2F9.tmp"
    set2fc.tmp    Apr 13 2008      249856  "SET2FC.tmp"
    set2fd.tmp    Apr 13 2008      181760  "SET2FD.tmp"
    set304.tmp    Apr 13 2008      713216  "SET304.tmp"
    set305.tmp    Apr 13 2008       14336  "SET305.tmp"
    set308.tmp    Apr 13 2008      121856  "SET308.tmp"
    set315.tmp    Apr 13 2008       71680  "SET315.tmp"
    set316.tmp    Apr 13 2008       34816  "SET316.tmp"
    set319.tmp    Apr 13 2008      171008  "SET319.tmp"
    set31b.tmp    Apr 13 2008       67584  "SET31B.tmp"
    set31c.tmp    Apr 13 2008      180800  "SET31C.tmp"
    set31d.tmp    Apr 13 2008       90112  "SET31D.tmp"
    set31e.tmp    Apr 13 2008      442368  "SET31E.tmp"
    set31f.tmp    Apr 13 2008       57856  "SET31F.tmp"
    set320.tmp    Apr 13 2008       75264  "SET320.tmp"
    set330.tmp    Apr 13 2008      135168  "SET330.tmp"
    set335.tmp    Apr 13 2008      474112  "SET335.tmp"
    set337.tmp    Apr 13 2008       65024  "SET337.tmp"
    set339.tmp    Apr 13 2008       25088  "SET339.tmp"
    set33a.tmp    Apr 13 2008     8461312  "SET33A.tmp"
    set33b.tmp    Apr 13 2008     1499136  "SET33B.tmp"
    set33e.tmp    Apr 13 2008      140288  "SET33E.tmp"
    set33f.tmp    Apr 13 2008        5120  "SET33F.tmp"
    set343.tmp    Apr 13 2008        7168  "SET343.tmp"
    set344.tmp    Apr 13 2008       39424  "SET344.tmp"
    set347.tmp    Apr 13 2008        5632  "SET347.tmp"
    set348.tmp    Apr 13 2008       56320  "SET348.tmp"
    set349.tmp    Apr 13 2008       18944  "SET349.tmp"
    set34f.tmp    Apr 13 2008      192512  "SET34F.tmp"
    set350.tmp    Apr 13 2008      314880  "SET350.tmp"
    set351.tmp    Apr 13 2008      181248  "SET351.tmp"
    set358.tmp    Apr 13 2008       33280  "SET358.tmp"
    set359.tmp    Apr 13 2008       44032  "SET359.tmp"
    set35f.tmp    Apr 13 2008      208384  "SET35F.tmp"
    set360.tmp    Apr 13 2008      399360  "SET360.tmp"
    set361.tmp    Apr 13 2008      584704  "SET361.tmp"
    set363.tmp    Apr 13 2008      433664  "SET363.tmp"
    set365.tmp    Apr 13 2008       58880  "SET365.tmp"
    set36a.tmp    Apr 13 2008       59904  "SET36A.tmp"
    set36b.tmp    Apr 13 2008       49664  "SET36B.tmp"
    set377.tmp    Apr 13 2008      150016  "SET377.tmp"
    set379.tmp    Apr 13 2008      210944  "SET379.tmp"
    set37b.tmp    Apr 13 2008      186368  "SET37B.tmp"
    set37c.tmp    Apr 13 2008       79872  "SET37C.tmp"
    set37d.tmp    Apr 13 2008        7680  "SET37D.tmp"
    set383.tmp    Apr 13 2008       18944  "SET383.tmp"
    set389.tmp    Apr 13 2008       34304  "SET389.tmp"
    set38b.tmp    Apr 13 2008       96768  "SET38B.tmp"
    set38c.tmp    Apr 13 2008       23040  "SET38C.tmp"
    set38f.tmp    Apr 13 2008       27648  "SET38F.tmp"
    set391.tmp    Apr 13 2008       17408  "SET391.tmp"
    set394.tmp    Apr 13 2008       15360  "SET394.tmp"
    set3a7.tmp    Apr 13 2008      122880  "SET3A7.tmp"
    set3a8.tmp    Apr 13 2008       74752  "SET3A8.tmp"
    set3a9.tmp    Apr 13 2008     1287168  "SET3A9.tmp"
    set3b0.tmp    Apr 13 2008      147456  "SET3B0.tmp"
    set3b1.tmp    Apr 13 2008       12288  "SET3B1.tmp"
    set3b4.tmp    Apr 13 2008       94208  "SET3B4.tmp"
    set3b5.tmp    Apr 13 2008       65536  "SET3B5.tmp"
    set3b6.tmp    Apr 13 2008       65536  "SET3B6.tmp"
    set3b7.tmp    Apr 13 2008      106496  "SET3B7.tmp"
    set3b8.tmp    Apr 13 2008       32768  "SET3B8.tmp"
    set3ba.tmp    Apr 13 2008       69632  "SET3BA.tmp"
    set3bb.tmp    Apr 13 2008      135168  "SET3BB.tmp"
    set3bc.tmp    Apr 13 2008       24576  "SET3BC.tmp"
    set3be.tmp    Apr 13 2008       16384  "SET3BE.tmp"
    set3bf.tmp    Apr 13 2008      249856  "SET3BF.tmp"
    set3c0.tmp    Apr 13 2008       67584  "SET3C0.tmp"
    set3c2.tmp    Apr 13 2008      270336  "SET3C2.tmp"
    set3c5.tmp    Apr 13 2008      143360  "SET3C5.tmp"
    set3ca.tmp    Apr 13 2008      118784  "SET3CA.tmp"
    set3cb.tmp    Apr 13 2008       44032  "SET3CB.tmp"
    set3cc.tmp    Apr 13 2008       67072  "SET3CC.tmp"
    set3d1.tmp    Apr 13 2008      247808  "SET3D1.tmp"
    set3d2.tmp    Apr 13 2008      245760  "SET3D2.tmp"
    set3d3.tmp    Apr 13 2008       80896  "SET3D3.tmp"
    set3d5.tmp    Apr 13 2008     1703936  "SET3D5.tmp"
    set3d8.tmp    Apr 13 2008       11776  "SET3D8.tmp"
    set3da.tmp    Apr 13 2008      198144  "SET3DA.tmp"
    set3db.tmp    Apr 13 2008      407040  "SET3DB.tmp"
    set3de.tmp    Apr 13 2008      622592  "SET3DE.tmp"
    set3df.tmp    Apr 13 2008      337408  "SET3DF.tmp"
    set3e2.tmp    Apr 13 2008       56832  "SET3E2.tmp"
    set3e5.tmp    Apr 13 2008       17920  "SET3E5.tmp"
    set3e6.tmp    Apr 13 2008       36352  "SET3E6.tmp"
    set3e8.tmp    Apr 13 2008       90624  "SET3E8.tmp"
    set3ed.tmp    Apr 13 2008       66560  "SET3ED.tmp"
    set3ef.tmp    Apr 13 2008     1104896  "SET3EF.tmp"
    set3f2.tmp    Apr 13 2008      245248  "SET3F2.tmp"
    set3f8.tmp    Apr 13 2008      343040  "SET3F8.tmp"
    set3f9.tmp    Apr 13 2008      413696  "SET3F9.tmp"
    set3fa.tmp    Apr 13 2008       57344  "SET3FA.tmp"
    set3fc.tmp    Apr 13 2008      195072  "SET3FC.tmp"
    set3fd.tmp    Apr 13 2008      116224  "SET3FD.tmp"
    set403.tmp    Apr 13 2008       48128  "SET403.tmp"
    set404.tmp    Apr 13 2008       29696  "SET404.tmp"
    set406.tmp    Apr 13 2008      143360  "SET406.tmp"
    set407.tmp    Apr 13 2008       20480  "SET407.tmp"
    set40d.tmp    Apr 13 2008       15360  "SET40D.tmp"
    set40f.tmp    Apr 13 2008      884736  "SET40F.tmp"
    set410.tmp    Apr 13 2008        4608  "SET410.tmp"
    set411.tmp    Apr 13 2008      271360  "SET411.tmp"
    set412.tmp    Apr 13 2008       78848  "SET412.tmp"
    set414.tmp    Apr 13 2008        6656  "SET414.tmp"
    set416.tmp    Apr 13 2008     2843136  "SET416.tmp"
    set419.tmp    Apr 13 2008      997376  "SET419.tmp"
    set423.tmp    Apr 13 2008      151552  "SET423.tmp"
    set425.tmp    Apr 13 2008      297984  "SET425.tmp"
    set426.tmp    Apr 13 2008       36864  "SET426.tmp"
    set427.tmp    Apr 13 2008       12288  "SET427.tmp"
    set429.tmp    Apr 13 2008       73728  "SET429.tmp"
    set42b.tmp    Apr 13 2008       57344  "SET42B.tmp"
    set430.tmp    Apr 13 2008       71680  "SET430.tmp"
    set432.tmp    Apr 13 2008       87040  "SET432.tmp"
    set433.tmp    Apr 13 2008       59904  "SET433.tmp"
    set439.tmp    Apr 13 2008      153600  "SET439.tmp"
    set444.tmp    Apr 13 2008      586240  "SET444.tmp"
    set448.tmp    Apr 13 2008       18944  "SET448.tmp"
    set449.tmp    Apr 13 2008       22528  "SET449.tmp"
    set44a.tmp    Apr 13 2008     1028096  "SET44A.tmp"
    set44d.tmp    Apr 13 2008      118272  "SET44D.tmp"
    set455.tmp    Apr 13 2008       13312  "SET455.tmp"
    set457.tmp    Apr 13 2008       22016  "SET457.tmp"
    set45c.tmp    Apr 13 2008       97280  "SET45C.tmp"
    set45e.tmp    Apr 13 2008       19968  "SET45E.tmp"
    set460.tmp    Apr 14 2008      423936  "SET460.tmp"
    set467.tmp    Apr 13 2008       33280  "SET467.tmp"
    set469.tmp    Apr 13 2008      299520  "SET469.tmp"
    set47d.tmp    Apr 13 2008       28160  "SET47D.tmp"
    set485.tmp    Apr 13 2008      183808  "SET485.tmp"
    set489.tmp    Apr 13 2008      331264  "SET489.tmp"
    set48b.tmp    Apr 13 2008       94720  "SET48B.tmp"
    set48d.tmp    Apr 13 2008       17408  "SET48D.tmp"
    set493.tmp    Apr 13 2008       75264  "SET493.tmp"
    set497.tmp    Apr 13 2008      110080  "SET497.tmp"
    set4a8.tmp    Apr 13 2008       11264  "SET4A8.tmp"
    set4ae.tmp    Apr 13 2008      344064  "SET4AE.tmp"
    set4b0.tmp    Apr 13 2008       21504  "SET4B0.tmp"
    set4b1.tmp    Apr 13 2008       29696  "SET4B1.tmp"
    set4b2.tmp    Apr 13 2008       20992  "SET4B2.tmp"
    set4b8.tmp    Apr 13 2008      265728  "SET4B8.tmp"
    set4bc.tmp    Apr 13 2008      285184  "SET4BC.tmp"
    set4cb.tmp    Apr 13 2008       56320  "SET4CB.tmp"
    set4cd.tmp    Apr 13 2008     1082368  "SET4CD.tmp"
    set4ce.tmp    Apr 13 2008      246272  "SET4CE.tmp"
    set4cf.tmp    Apr 13 2008       23040  "SET4CF.tmp"
    set4db.tmp    Apr 13 2008      138752  "SET4DB.tmp"
    set4e0.tmp    Apr 13 2008      367616  "SET4E0.tmp"
    set4e6.tmp    Apr 13 2008       14336  "SET4E6.tmp"
    set4f6.tmp    Apr 13 2008       45568  "SET4F6.tmp"
    set4f7.tmp    Apr 13 2008      147968  "SET4F7.tmp"
    set4fc.tmp    Apr 13 2008       23552  "SET4FC.tmp"
    set515.tmp    Apr 13 2008      282624  "SET515.tmp"
    set519.tmp    Apr 13 2008      279552  "SET519.tmp"
    set51c.tmp    Apr 13 2008        8704  "SET51C.tmp"
    set524.tmp    Apr 13 2008       25088  "SET524.tmp"
    set52b.tmp    Apr 13 2008       15360  "SET52B.tmp"
    set52c.tmp    Apr 13 2008        6144  "SET52C.tmp"
    set52d.tmp    Apr 13 2008      326656  "SET52D.tmp"
    set52f.tmp    Apr 13 2008      101888  "SET52F.tmp"
    set530.tmp    Apr 13 2008      512512  "SET530.tmp"
    set531.tmp    Apr 13 2008       62464  "SET531.tmp"
    set532.tmp    Apr 13 2008       64512  "SET532.tmp"
    set534.tmp    Apr 13 2008       33280  "SET534.tmp"
    set536.tmp    Apr 13 2008      599040  "SET536.tmp"
    set537.tmp    Apr 13 2008      163840  "SET537.tmp"
    set539.tmp    Apr 13 2008       27648  "SET539.tmp"
    set53c.tmp    Apr 13 2008     1267200  "SET53C.tmp"
    set53e.tmp    Apr 13 2008      792064  "SET53E.tmp"
    set543.tmp    Apr 13 2008       60416  "SET543.tmp"
    set544.tmp    Apr 13 2008       47104  "SET544.tmp"
    set54c.tmp    Apr 13 2008       58368  "SET54C.tmp"
    set553.tmp    Apr 13 2008      498688  "SET553.tmp"
    set55a.tmp    Apr 13 2008       16896  "SET55A.tmp"
    set55d.tmp    Apr 13 2008      194560  "SET55D.tmp"
    set560.tmp    Apr 13 2008      625664  "SET560.tmp"
    set562.tmp    Apr 13 2008      226304  "SET562.tmp"
    set566.tmp    Apr 13 2008       60416  "SET566.tmp"
    set569.tmp    Apr 13 2008     1025024  "SET569.tmp"
    set56a.tmp    Apr 13 2008       77824  "SET56A.tmp"
    set56e.tmp    Apr 13 2008       29184  "SET56E.tmp"
    set56f.tmp    Apr 13 2008       52736  "SET56F.tmp"
    set573.tmp    Apr 13 2008       62464  "SET573.tmp"
    set574.tmp    Apr 13 2008       42496  "SET574.tmp"
    set577.tmp    Apr 13 2008      285696  "SET577.tmp"
    set579.tmp    Apr 13 2008       58880  "SET579.tmp"
    set57e.tmp    Apr 13 2008      125952  "SET57E.tmp"
    set581.tmp    Apr 13 2008       44544  "SET581.tmp"
    set585.tmp    Apr 13 2008      143360  "SET585.tmp"
    set587.tmp    Apr 13 2008       98304  "SET587.tmp"
    set589.tmp    Apr 13 2008      193536  "SET589.tmp"
    set728.tmp    Apr 13 2008      471552  "SET728.tmp"

    Your logs are clean but you need to get an antivirus program installed. This is covered in the link below.

    If you are not having any other malware problems, it is time to do our final steps:
    1. You can uninstall SUPERAntiSpyware now.
    2. We recommend you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note: the quotes are required.
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combo-fix folder from combofix.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip file.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  6. paths

    paths Private E-2

    Rgr, tmp files have been removed. I was/am using the antivirus on Spydoctor. Would you recommend using Malwarebytes over it?

    I appreciate all the help and quick response you have provided! You guys are the best.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Malwarebytes is not an antivirus. It is an antispyware type tool and the free program provides no protection. Do you mean you have Spyware Doctor antispyware and it includes an antivirus program? PC Tools does offer an antivirus. They even have a free one as listed in the link I gave you. Is your copy of Spyware Doctor a paid version?
     
  8. paths

    paths Private E-2

    Aye, it is, and it does include an antivirus engine, but only if you pay for the full version.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So then you need an antivirus program unless you have purchased the full version.
     
