oufddh.exe - Avast doesn't detect this virus.

All my drives have this exe and I can't delete it. It was able to prevent me from viewing my hidden folders so as not to be detected, but I found that a free program called ExplorerXP can see it. Avast can't seem to detect this menace, so I used the online Avast scanner to scan the exe; it said it was clean :o. I then used the free online Kaspersky and it said it was infected:

Scanned file: oufddh.exe - Infected
oufddh.exe - infected by Trojan-PSW.Win32.OnLineGames.ros

How can I delete this bugger?

All your drives? How many would that be and what type of drives are they?

Let’s start with disabling autoruns.

Download and Install Microsoft’s TweakUI: http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx

Obtain and install TweakUI (right hand panel, 147kb in size), and then start TweakUI.

Expand the My Computer branch, then the AutoPlay branch, and then select Drives.

Turn off the checkbox next to every drive letter to disable AutoPlay – except your CD/DVD drive letters.

This will prevent autoruns from running on your computer. Make sure you uncheck all drive letters in the list, except your cd/dvd.

Then

Download “Clean Autoruns” from here:

http://forums.techguy.org/attachments/103397d1176780296/clean-autoruns.zip

Save and extract its contents to the desktop. It is a folder containing a batch file, Clean autoruns.bat, written by Mosaic1. Once extracted, open the folder and double-click on Clean autoruns.bat to run the fix.
If any autoruns are found, the fix will move them to a backup folder.
If any autoruns are found on the root of your drives, it will kill explorer so that the registry entries in the MountPoint(s) key are fixed.
It will produce two files, Part1.txt and Part2.txt , that will show the state before and after the cleaning.

Please post those.

All your drives? How many would that be and what type of drives are they?

Thanks for the reply. About the drives: there are five and they are HDD drives. :)

I already have TweakUI installed. I will do what you say and then post here again. Thanks

Ok see the attachment.


Hi

You said you had five hard drives. I see drive letters for only four: C:, E:, H:, and L:. Were you unable to attach one?

The logs show several autorun infections. If you are able to attach the missing drive, without removing one that was attached when you did the previous scan, please do so before running the next scan tool. If you can’t, we will deal with that drive separately.

Let’s see if we can get some of it. Make sure the drives are connected please.

Please download ComboFix from Here or Here to your Desktop.

Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.

[*]Please, never rename Combofix unless instructed.
[*]Close any open browsers.
[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.

[*]Close any open browsers.
[*]WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
[*]Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
[*]If there is no internet connection after running Combofix, then restart your computer to restore back your connection.


[*]Double click on combofix.exe & follow the prompts.
[*]When finished, it will produce a report for you.
[*]Please post the “C:\ComboFix.txt” along with a new HijackThis log for further review.

Note: Do not mouse-click Combofix’s window while it’s running. That may cause it to stall.

You can get hijackthis from here.

Click here to download HJTsetup.exe

[*]Save HJTsetup.exe to your desktop.
[*]Doubleclick on the HJTsetup.exe icon on your desktop.
[*]By default it will install to C:\Program Files\Hijack This.
[*]Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
[*]Put a check by Create a desktop icon then click Next again.
[*]Continue to follow the rest of the prompts from there.
[*]At the final dialogue box click Finish and it will launch Hijack This.
[*]Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
[*]Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
[*]Come back here to this thread and Paste the log in your next reply.
[*]DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Why Sorry for the late reply.

Here is the Hijackthis log


and the combofix log.

Hmm… I’m not sure how you ended up with an old version of HJT. I just tried the link I gave you and it gives me the newest version 2.0.2. If you had an old version, please delete it and download a new one.

I would say you have attached an infected USB drive to this computer, going by the number of autorun infections that there is evidence of. There are at least 3 more drive letters: O, P and Q.

Please leave your drives connected as they were before. I see you have all five drives present and accounted for, good. It will make this easier.

Please download OTMoveIt2 by OldTimer.

Save it to your desktop.

Please double-click OTMoveIt2.exe to run it.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

[b]
C:\Temp\WPDNSE
C:\Temp\k2fvpt.dll
C:\Temp\svg6c.tmp
C:\Temp\plugtmp
C:\Temp\e7sf4.dll
C:\Temp\pdfdownload
C:\Temp\~nsu.tmp
C:\Temp\UCDebugger
C:\Temp\asqhbf.dll
C:\Temp\{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}
C:\Temp\pft5.tmp
C:\Temp\pft3.tmp
C:\oufddh.exe
E:\oufddh.exe
H:\oufddh.exe
L:\oufddh.exe
N:\oufddh.exe
C:\Temp\n8.dll
C:\Temp\whyghu.dll
C:\McRegWizz.exe /s
E:\McRegWizz.exe /s
H:\McRegWizz.exe /s
L:\McRegWizz.exe /s
N:\McRegWizz.exe /s
C:\RavMon.exe
H:\RavMon.exe
E:\RavMon.exe
L:\RavMon.exe
N:\RavMon.exe
C:\fooool.exe /s
E:\fooool.exe /s
H:\fooool.exe /s
L:\fooool.exe /s
C:\fooool.exe /s
E:\Knight.exe /S
H:\Knight.exe /S
L:\Knight.exe /S
N:\Knight.exe /S
C:\copy.exe
E:\copy.exe
H:\copy.exe
L:\copy.exe
N:\copy.exe
C:\Recycled\ctfmon.exe
E:\Recycled\ctfmon.exe
H:\Recycled\ctfmon.exe
L:\Recycled\ctfmon.exe
N:\Recycled\ctfmon.exe
C:\ekugb3.bat
E:\ekugb3.bat
L:\ekugb3.bat
H:\ekugb3.bat
N:\ekugb3.bat
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{35ce2e7c-c44f-11dc-a5e8-0018f3c7fea4}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c90ce0bd-7025-11dc-a51e-0018f3c7fea4}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2b59323-70f8-11dc-a51f-0018f3c7fea4}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c898d1b7-a27c-11dc-a593-0018f3c7fea4}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{379e7a82-db5f-11dc-a649-0018f3c7fea4}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{178d63a8-bd2c-11dc-a5d5-0018f3c7fea4}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42dd107f-9d10-11dc-a587-0018f3c7fea4}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b95f6ff-afe7-11dc-a5b3-0018f3c7fea4}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44aedaa4-6b64-11da-b3c2-8823223bd43e}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6e702fbc-57fd-11db-91b5-806d6172696f}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8604638a-a42f-11dc-a598-0018f3c7fea4}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9334b02b-8feb-11dc-a566-0018f3c7fea4}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9962925a-ad82-11dc-a5b0-0018f3c7fea4}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9e955e4e-a8bc-11db-a727-806d6172696f}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e5957814-e224-4f7e-a864-886c4e8119e0}

[/b]

Return to OTMoveIt2, right click in the “Paste List Of Files/Patterns To Search For and Move” window (under the yellow bar) and choose Paste.

Click the red Moveit! button.

Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

NOTE: If OTMoveIt2 reboots before you can get the results, they can be found here:
C:\_OTMoveIt\MovedFiles**_.log
(where “**_” is the “date_time”)

Sorry, I didn’t download it from the link that you gave me; I already had one so I used it, but I will do what you said and download the new HJT version.

About the other drive letters: I have a card reader, so these drives (I: Q: M: P:) are not HDD drives, and O: is a virtual drive.

I will make a new HJT scan and use the OTMoveIt2 and post the results. cheers

edit:

OTMoveIt2 stopped responding (I don’t know why, it just stopped and when I clicked on it a “not responding” message was displayed), so I needed to kill it and start anew. So some of the “not found” items were found and moved successfully the first time; for example, oufddh.exe was found and moved, but on the second try it was not found, as you can see.

Here is the result of the second try.


OTMoveIt2 v1.0.20 log created on 03042008_010721

and the new HJT log is in the attachment.

The older version tends to show files missing, when in fact they are not.

I don’t suppose there is another log at this location?

C:\_OTMoveIt\MovedFiles\

with a series of numbers that represent the date and time.

You will have to be my eyes in this case. You saw the files being deleted?

O, P and Q had infected mountpoints associated with them. If you have disabled autoruns on all drives (except your CD/DVD), you should be able to check your cards for an autorun.inf or any files in the list and delete them. Cards are storage devices. When looking at the file list, disregard the /s; it is a switch, not part of the file name.

You will have to set your folder options like this.

At the top of Windows Explorer, click Tools, Folder Options, then click the View tab:

check “Show hidden files and folders”
uncheck the “Hide extensions for known file types” box
uncheck the “Hide protected operating system files” box
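
The manual check described in the post above (look on each card for an autorun.inf, find the files it launches, and ignore switches such as /s) can be scripted. This is an added example, not part of the original thread or of any tool named in it; the sample autorun.inf is constructed for illustration and only reuses file names from the list posted earlier.

```python
import ntpath
import re

# Constructed sample autorun.inf (an assumption; the thread never shows
# the real file). Only the file names come from the list in the thread.
SAMPLE = r"""
; constructed sample, not taken from the thread's logs
[AutoRun]
open=McRegWizz.exe /s
shell\open\Command=McRegWizz.exe /s
shell\explore\command="Recycled\ctfmon.exe" -x
shellexecute=ekugb3.bat
icon=%SystemRoot%\system32\shell32.dll,4
label=Backup
[Other]
open=ignored.exe
"""

# autorun.inf keys that make Explorer start a program.
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")
RECYCLE_DIRS = {"recycled", "recycler", "$recycle.bin"}


def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section only.

    Tolerant on purpose: junk lines and other sections are skipped
    instead of raising, since these files are often padded with noise.
    """
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries.append((key.strip().lower(), value.strip()))
    return entries


def launch_target(command):
    """Strip switches such as /s and return only the file being launched.

    Assumption: an unquoted path contains no spaces, so the first
    whitespace-delimited token is the file name.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(None, 1)[0] if command else ""


def audit_autorun(text):
    """List every file the autorun.inf would launch, with two quick flags."""
    findings = []
    for key, value in parse_autorun(text):
        if key in ("open", "shellexecute") or SHELL_CMD.match(key):
            target = launch_target(value)
            parts = [p.lower() for p in ntpath.normpath(target).split("\\")]
            findings.append({
                "key": key,
                "target": target,
                "in_recycle_dir": any(p in RECYCLE_DIRS for p in parts),
                "ext": ntpath.splitext(target)[1].lower(),
            })
    return findings


if __name__ == "__main__":
    for f in audit_autorun(SAMPLE):
        note = " (inside a recycle-bin folder)" if f["in_recycle_dir"] else ""
        print(f"{f['key']:<24} -> {f['target']}{note}")
```
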