
Need help, please (2nd request)



I have tried almost every suggestion here and the bottom line is I got the computer running a bit better by using the boot disk, but everything else I run starts to run and disappears. I am getting a PC antispyware virus message and get redirected. I can produce no log since HijackThis starts up and then vanishes. Same with Dr.Web as well as Malwarebytes. Any help you can give would be great. I followed all the tutorials and nothing shows up running in the background.

Thanks Rapp


Hi Rapp, welcome to Malwarebytes ;)

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows (screenshots: CF_download_FF.gif, CF_download_rename.gif).
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**



Thanks for getting back. I downloaded Combo as per instructions and, like all other programs I have tried, it starts to run and then just disappears. What is the next step?


Let's try this:

We need to check for rootkits with RootRepeal

  1. Download RootRepeal from the following location and save it to your desktop.
  2. Rar Mirrors - Only if you know what a RAR is and can extract it.
  3. Extract RootRepeal.exe from the archive.
  4. Open RootRepeal (rootRepealDesktopIcon.png) on your desktop.
  5. Click the Report tab (reportTab.png).
  6. Click the Scan button (btnScan.png).
  7. Check all seven boxes (checkBoxes2.png).
  8. Push Ok.
  9. Check the box for your main system drive (Usually C:), and press Ok.
  10. Allow RootRepeal to run a scan of your system. This may take some time.
  11. Once the scan completes, push the Save Report button (saveReport.png). Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.



Same issue. Scan starts to run then shuts down like the others. Seems like a program is zapping these things when they run.


Hi rappbob,

Step #1

1. Go to Start->Run and type in notepad and hit OK.

2. Then copy and paste the content of the following codebox into Notepad:

    @echo off
    copy C:\WINDOWS\system32\dllcache\scecli.dll c:\scecli.dll
    Exit

3. Save the file as "fixes.bat". Make sure to save it with the quotation marks.

4. Double click fixes.bat.

Step #2

We need to execute an Avenger2 script

Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  1. Please download The Avenger2 by SwanDog46.
  2. Unzip avenger.exe to your desktop.
  3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
    Files to move:
    c:\scecli.dll | C:\WINDOWS\system32\scecli.dll


  4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
  5. Read the prompt that appears, and press OK.
  6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  7. Press the "Execute" button.
  8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Step #3

Now try running ComboFix and Malwarebytes, then post the logs here.



Here is the log

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: file "c:\scecli.dll" not found!

File move operation "c:\scecli.dll|C:\WINDOWS\system32\scecli.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

Both Malwarebytes and Combo still will not run. Thanks again.

Rapp



Hi rappbob, please try this again:

Step #1

1. Go to Start->Run and type in notepad and hit OK.

2. Then copy and paste the content of the following codebox into Notepad:

    @echo off
    copy C:\WINDOWS\system32\dllcache\scecli.dll c:\scecli.dll
    Exit

3. Save the file as "fixes.bat". Make sure to save it with the quotation marks.

4. Double click fixes.bat.

Step #2

We need to execute an Avenger2 script

Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  1. Please download The Avenger2 by SwanDog46.
  2. Unzip avenger.exe to your desktop.
  3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
    Files to move:
    c:\scecli.dll | C:\WINDOWS\system32\scecli.dll


  4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
  5. Read the prompt that appears, and press OK.
  6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  7. Press the "Execute" button.
  8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Step #3

Now try running ComboFix and Malwarebytes, then post the logs here.



Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: file "c:\scecli.dll" not found!

File move operation "c:\scecli.dll|C:\WINDOWS\system32\scecli.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

This is the log I got on reboot. The other programs still won't run. Thanks

Rapp



The other programs still won't run, ugh.


Please download Win32kDiag.exe by AD to the desktop. Double click on it. It will make a diagnostic and produce a report on the desktop. Post that report on your next reply:

Here you go. I hope it helps

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\scecli.dll

[1] 2004-08-12 09:27:47 180224 C:\WINDOWS\$NtServicePackUninstall$\scecli.dll (Microsoft Corporation)

[1] 2008-04-13 20:12:05 181248 C:\WINDOWS\ServicePackFiles\i386\scecli.dll (Microsoft Corporation)

[1] 2008-04-13 20:12:05 60928 C:\WINDOWS\system32\scecli.dll ()

[2] 2008-04-13 20:12:05 181248 C:\WINDOWS\system32\sceclt.dll (Microsoft Corporation)

Cannot access: C:\WINDOWS\system32\wbem\wmiprvse.exe

[1] 2009-02-06 05:41:05 227840 C:\WINDOWS\$hf_mig$\KB956572\SP2QFE\wmiprvse.exe (Microsoft Corporation)

[1] 2009-02-06 06:10:02 227840 C:\WINDOWS\$hf_mig$\KB956572\SP3GDR\wmiprvse.exe (Microsoft Corporation)

[1] 2009-02-06 06:15:13 227840 C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\wmiprvse.exe (Microsoft Corporation)

[1] 2009-02-06 12:39:29 227840 C:\WINDOWS\$NtServicePackUninstall$\wmiprvse.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:40 218112 C:\WINDOWS\$NtUninstallKB956572$\wmiprvse.exe (Microsoft Corporation)

[1] 2004-08-12 09:34:08 218112 C:\WINDOWS\$NtUninstallKB956572_0$\wmiprvse.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:40 218112 C:\WINDOWS\ServicePackFiles\i386\wmiprvse.exe (Microsoft Corporation)

[1] 2009-02-06 06:10:02 227840 C:\WINDOWS\system32\dllcache\wmiprvse.exe (Microsoft Corporation)

[1] 2009-02-06 06:10:02 227840 C:\WINDOWS\system32\wbem\wmiprvse.exe ()

Finished!


Step #1

1. Go to Start->Run and type in notepad and hit OK.

2. Then copy and paste the content of the following codebox into Notepad:

    @echo off
    rmdir "C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}"
    Exit

3. Save the file as "Remove.bat". Make sure to save it with the quotation marks.

4. Double click Remove.bat.

Step #2

We need to execute an Avenger2 script

Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  1. Please download The Avenger2 by SwanDog46.
  2. Unzip avenger.exe to your desktop.
  3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
    Files to move:
    C:\WINDOWS\ServicePackFiles\i386\scecli.dll | C:\WINDOWS\system32\scecli.dll


  4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
  5. Read the prompt that appears, and press OK.
  6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  7. Press the "Execute" button.
  8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Step #3

Now try running ComboFix and Malwarebytes, then post the logs here.



Combo log

ComboFix 09-08-18.04 - trader 08/19/2009 17:50.2.2 - NTFSx86

Running from: c:\documents and settings\trader\Desktop\Combo-Fix..exe

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\BaseWN.3-2-0.ddr.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\BJBase_2-4-1_DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\BJNet_2-4-0_DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\BJXSLT_1_0_ddr.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\CustomActiveX.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\libeay32_1-1-0_DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Marshaller.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\mfc42.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\msvcrt.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\backAtoB.exe.XXX

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\cleanup.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\cmuninst.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\cpicon.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\delsbc.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\DLLs\BJAXSecurityManager.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\DLLs\BJInstaller.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\DLLs\RGWInterfaces_DSR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\DLLs\RGWLib_2-0-0_DSR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\DLLs\TrustInhouse.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\Efficient\EnetChk.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\Efficient\NTSRD.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\Efficient\NTSRR.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\Efficient\NTSRR2.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\icons.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\InitSST.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\LnchSST.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\removeicons.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\ActiveUtils.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\BJAXSecurityManager.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\BJInstaller.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\chorus.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\csshim.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\EnCmnSvr.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\EniCommon.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\enisnmp.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\InstallHelper.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\McciCPEX.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\mccupdate.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\MCCWrapper_DSR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\Pcandis4.sys

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\Pcandis5.sys

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\Prox.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\RGWInterfaces_DSR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\RGWLib_2-0-0_DSR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\W32n50.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\closeAll.exe.XXX

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\CustomUninstall.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\EndProcess.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\KillWindow2.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\mad.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\MCCCleanup.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\MCCDevice.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\MCCDNSHLP_1-0-0_DSR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\MCCEmbInstall.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\McciCPEX_2_DSR.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\MCCSilent.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\MCCUninst.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\MotiveBrowser.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Package\McciControlInstaller_DSR.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Package\McciCoreInstaller_DSR.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Package\NoRun.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\psapi.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\resource.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\StartAsync.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Uninstall.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\UpdateSC.EXE

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\util.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\vdmdbg.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\VNC\MotVNC.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\ssleay32_1-1-0_DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\stlport_4_0_0_DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\wffDDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WinUtils3_DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\AddDictionaryInt.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\CompareGlobalDicInt.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\CompareGlobalDicStr.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\CopyFiles.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\CoreObjects.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\CPUSpeed.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\DictionaryWindow.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\DirAndFilePaths.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\ExitHostApp.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\ExtEvntMngr.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\ExtractListEntry.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\ExtractZipFile.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\ExtrnlEvntLstnr.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\FileReadWrite.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\GetPhoneBookEntries.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\GlobalDicAndRepEnt.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\GlobalDicCompare.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\HTMLDisplayProps.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\HtmlFormInput.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\HttpPost.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\IniFileReaderWriter.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\IsAdministrator.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\IsIEInstalled.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\IsNetscapeInstalled.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\LaunchProgram.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\Logger.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\OsDetect.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\PrintAscii.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\Profile.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\RamSize.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\RebootSystem.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\RegManipulation.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\Report.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\SaveReport.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\ScriptRunner.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\SglDisplay.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\SimpleHostApp.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\SleepNode.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\StringFormat.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\StringListPatMatch.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\StringReplace.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\SubstringExtraction.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\SysDriveSpace.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\TcpIpConnectionTest.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\WaitOnWindow.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\WindowClicker.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\XmlParserNode.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\XmlToString.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\Zipit.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Extra\AgentKiller.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Extra\curl.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Extra\DeleteAll.EXE

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Extra\DeleteLegacyFolders.EXE

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Extra\DLFile.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Extra\FixXPDun.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Extra\GetVersion.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Extra\LaunchDSLIcon.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Extra\MotGuidGen.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Extra\RecoverFromReboot.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Extra\RemoveMe.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\xerces-c_1_40_0_DDR.dll

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\trader\Application Data\Microsoft\Internet Explorer\Quick Launch\PC_Antispyware2010.lnk

c:\documents and settings\trader\Application Data\wiaserva.log

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\BaseWN.3-2-0.ddr.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\BJBase_2-4-1_DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\BJNet_2-4-0_DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\BJXSLT_1_0_ddr.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\CustomActiveX.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\libeay32_1-1-0_DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Marshaller.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\mfc42.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\msvcrt.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\backAtoB.exe.XXX

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\cleanup.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\cmuninst.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\cpicon.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\delsbc.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\DLLs\BJAXSecurityManager.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\DLLs\BJInstaller.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\DLLs\RGWInterfaces_DSR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\DLLs\RGWLib_2-0-0_DSR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\DLLs\TrustInhouse.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\Efficient\EnetChk.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\Efficient\NTSRD.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\Efficient\NTSRR.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\Efficient\NTSRR2.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\icons.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\InitSST.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\LnchSST.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\removeicons.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\ActiveUtils.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\BJAXSecurityManager.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\BJInstaller.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\chorus.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\csshim.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\EnCmnSvr.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\EniCommon.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\enisnmp.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\InstallHelper.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\McciCPEX.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\mccupdate.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\MCCWrapper_DSR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\Pcandis4.sys

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\Pcandis5.sys

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\Prox.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\RGWInterfaces_DSR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\RGWLib_2-0-0_DSR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\W32n50.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\closeAll.exe.XXX

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\CustomUninstall.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\EndProcess.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\KillWindow2.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\mad.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\MCCCleanup.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\MCCDevice.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\MCCDNSHLP_1-0-0_DSR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\MCCEmbInstall.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\McciCPEX_2_DSR.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\MCCSilent.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\MCCUninst.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\MotiveBrowser.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Package\McciControlInstaller_DSR.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Package\McciCoreInstaller_DSR.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Package\NoRun.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\psapi.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\resource.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\StartAsync.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Uninstall.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\UpdateSC.EXE

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\util.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\vdmdbg.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\VNC\MotVNC.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\ssleay32_1-1-0_DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\stlport_4_0_0_DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\wffDDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WinUtils3_DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\AddDictionaryInt.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\CompareGlobalDicInt.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\CompareGlobalDicStr.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\CopyFiles.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\CoreObjects.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\CPUSpeed.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\DictionaryWindow.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\DirAndFilePaths.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\ExitHostApp.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\ExtEvntMngr.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\ExtractListEntry.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\ExtractZipFile.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\ExtrnlEvntLstnr.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\FileReadWrite.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\GetPhoneBookEntries.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\GlobalDicAndRepEnt.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\GlobalDicCompare.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\HTMLDisplayProps.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\HtmlFormInput.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\HttpPost.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\IniFileReaderWriter.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\IsAdministrator.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\IsIEInstalled.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\IsNetscapeInstalled.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\LaunchProgram.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\Logger.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\OsDetect.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\PrintAscii.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\Profile.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\RamSize.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\RebootSystem.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\RegManipulation.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\Report.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\SaveReport.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\ScriptRunner.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\SglDisplay.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\SimpleHostApp.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\SleepNode.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\StringFormat.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\StringListPatMatch.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\StringReplace.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\SubstringExtraction.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\SysDriveSpace.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\TcpIpConnectionTest.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\WaitOnWindow.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\WindowClicker.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\XmlParserNode.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\XmlToString.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\Zipit.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Extra\AgentKiller.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Extra\curl.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Extra\DeleteAll.EXE

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Extra\DeleteLegacyFolders.EXE

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Extra\DLFile.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Extra\FixXPDun.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Extra\GetVersion.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Extra\LaunchDSLIcon.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Extra\MotGuidGen.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Extra\RecoverFromReboot.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Extra\RemoveMe.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\xerces-c_1_40_0_DDR.dll

c:\documents and settings\trader\Local Settings\Temporary Internet Files\acokoni.reg

c:\documents and settings\trader\Local Settings\Temporary Internet Files\fypijala.lib

c:\documents and settings\trader\Local Settings\Temporary Internet Files\gugy.exe

c:\documents and settings\trader\Local Settings\Temporary Internet Files\ifuzad.dat

c:\documents and settings\trader\Local Settings\Temporary Internet Files\ipuzucada.dat

c:\documents and settings\trader\Local Settings\Temporary Internet Files\izybijeku.pif

c:\documents and settings\trader\Local Settings\Temporary Internet Files\mavez.dat

c:\documents and settings\trader\Local Settings\Temporary Internet Files\ozemodenuf.ban

c:\documents and settings\trader\Local Settings\Temporary Internet Files\qysilymyk.dll

c:\documents and settings\trader\Local Settings\Temporary Internet Files\syqoryl.db

c:\documents and settings\trader\Local Settings\Temporary Internet Files\uqigasag.db

c:\documents and settings\trader\Local Settings\Temporary Internet Files\zykyzolif.scr

c:\documents and settings\trader\Local Settings\Temporary Internet Files\zypedav.inf

c:\documents and settings\trader\Start Menu\Programs\PC_Antispyware2010\PC_Antispyware2010.lnk

c:\documents and settings\trader\Start Menu\Programs\PC_Antispyware2010\Uninstall.lnk

C:\HijackThis.exe

c:\program files\PC_Antispyware2010\AVEngn.dll

c:\program files\PC_Antispyware2010\data\daily.cvd

c:\program files\PC_Antispyware2010\htmlayout.dll

c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest

c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcm80.dll

c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcp80.dll

c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcr80.dll

c:\program files\PC_Antispyware2010\PC_Antispyware2010.cfg

c:\program files\PC_Antispyware2010\pthreadVC2.dll

c:\program files\PC_Antispyware2010\wscui.cpl

c:\windows\run.log

c:\windows\system32\ditehahe.dll

c:\windows\system32\drivers\vsfoceiofmlwbi.sys.XXX

c:\windows\system32\dudeheru.dll

c:\windows\system32\fogebota.dll

c:\windows\system32\fopijunu.dll

c:\windows\system32\fovakike.dll

c:\windows\system32\gayuzime.dll

c:\windows\system32\gifitafa.dll

c:\windows\system32\havehawi.dll

c:\windows\system32\hebotezi.dll

c:\windows\system32\jabetuze.dll

c:\windows\system32\jayamuja.dll

c:\windows\system32\jinuriwa.dll

c:\windows\system32\jiwirido.dll

c:\windows\system32\jonefede.dll

c:\windows\system32\kemomupi.dll

c:\windows\system32\kimuremo.dll

c:\windows\system32\kiramega.dll

c:\windows\system32\kudinuho.dll

c:\windows\system32\malopebi.dll

c:\windows\system32\migukaho.dll

c:\windows\system32\mudagisi.dll

c:\windows\system32\najibite.dll

c:\windows\system32\peroruvo.dll

c:\windows\system32\rayefeku.dll

c:\windows\system32\razifazi.dll

c:\windows\system32\ripetate.dll

c:\windows\system32\rogavove.dll

c:\windows\system32\ruzomivu.dll

c:\windows\system32\tinonere.dll

c:\windows\system32\tizitiya.dll

c:\windows\system32\tolataga.dll

c:\windows\system32\vikewami.dll

c:\windows\system32\vuzibare.dll

c:\windows\system32\wujeluhe.dll

c:\windows\system32\yajosofo.dll

c:\windows\system32\yawususi.dll

c:\windows\system32\yejedufi.dll

c:\windows\system32\yeruduki.dll

c:\windows\system32\yokamuye.dll

c:\windows\system32\zabunego.dll

c:\windows\system32\zofegadi.dll

Infected copy of c:\windows\system32\mspmsnsv.dll was found and disinfected

Restored copy from - c:\windows\system32\dllcache\MsPMSNSv.dll

c:\windows\system32\proquota.exe was missing

Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

Infected copy of c:\windows\system32\mspmsnsv.dll was found and disinfected

Restored copy from - c:\windows\system32\dllcache\mspmsnsv.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_UACd.sys

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))

.

2009-08-19 21:41 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe

2009-08-17 20:45 . 2009-08-17 20:45 -------- d-----w- c:\windows\system32\wbem\Repository

2009-08-17 20:45 . 2009-08-17 20:46 -------- d-----w- c:\windows\system32\wbem\autorecover

2009-08-17 20:34 . 2009-08-17 20:34 -------- d-----w- c:\windows\system32\wbem\repository.old

2009-08-17 20:34 . 2009-08-17 20:34 -------- d-----w- c:\windows\system32\wbem\autorecover.old

2009-08-08 19:27 . 2009-08-08 21:37 -------- d-----w- c:\program files\Carbonite

2009-08-08 19:26 . 2009-08-08 19:26 152576 ----a-w- c:\documents and settings\trader\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

2009-08-08 18:37 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-08-08 18:37 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-08-08 18:37 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-08-08 18:37 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-08-08 18:37 . 2009-08-08 18:37 -------- d-----w- c:\program files\Avira

2009-08-08 18:37 . 2009-08-08 18:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-08-08 18:24 . 2009-08-08 18:24 19748 ----a-w- c:\documents and settings\trader\Application Data\vimobak.com

2009-08-08 18:24 . 2009-08-08 18:24 18816 ----a-w- c:\windows\xonarif.bat

2009-08-08 18:24 . 2009-08-08 18:24 18762 ----a-w- c:\windows\system32\sulefevo.dll

2009-08-08 18:24 . 2009-08-08 18:24 18012 ----a-w- c:\windows\ukefyruma.bin

2009-08-08 18:24 . 2009-08-08 18:24 17708 ----a-w- c:\windows\yrepa.scr

2009-08-08 18:24 . 2009-08-08 18:24 15560 ----a-w- c:\documents and settings\trader\Application Data\mygurecan.exe

2009-08-08 18:24 . 2009-08-08 18:24 13993 ----a-w- c:\documents and settings\trader\Local Settings\Application Data\gyky.bin

2009-08-08 18:24 . 2009-08-08 18:24 13046 ----a-w- c:\windows\system32\anuna.com

2009-08-08 18:24 . 2009-08-08 18:24 12129 ----a-w- c:\windows\muhyxoxujy.dll

2009-08-08 18:24 . 2009-08-08 18:24 11295 ----a-w- c:\documents and settings\trader\Application Data\nubike.sys

2009-08-08 18:24 . 2009-08-08 18:24 11063 ----a-w- c:\windows\uryq.scr

2009-08-08 18:16 . 2009-08-08 18:16 -------- d-----w- c:\program files\Trend Micro

2009-08-08 16:17 . 2009-08-08 16:19 -------- d-----w- c:\program files\Windows Live Safety Center

2009-08-08 15:43 . 2009-08-08 16:48 15 ----a-w- c:\documents and settings\trader\settings.dat

2009-08-08 15:39 . 2009-08-08 15:39 -------- d--h--w- c:\windows\PIF

2009-08-08 15:23 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-08 15:23 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-08 14:45 . 2009-08-08 14:45 -------- d-----w- c:\documents and settings\trader\Application Data\Malwarebytes

2009-08-08 11:08 . 2009-08-08 11:08 19329 ----a-w- c:\documents and settings\trader\Application Data\sepaqe.scr

2009-08-08 11:08 . 2009-08-08 11:08 17835 ----a-w- c:\program files\Common Files\cywumokofi.com

2009-08-08 11:08 . 2009-08-08 11:08 16109 ----a-w- c:\program files\Common Files\ixyqywiju.pif

2009-08-08 11:08 . 2009-08-08 11:08 15802 ----a-w- c:\program files\Common Files\rabeq.dat

2009-08-08 11:08 . 2009-08-08 11:08 11504 ----a-w- c:\windows\system32\buxy.com

2009-08-08 11:08 . 2009-08-08 11:08 11017 ----a-w- c:\documents and settings\trader\Local Settings\Application Data\adec.pif

2009-08-08 11:08 . 2009-08-08 11:08 18402 ----a-w- c:\windows\kuhe.pif

2009-08-08 11:08 . 2009-08-08 11:08 18655 ----a-w- c:\windows\system32\himajil.reg

2009-08-08 02:03 . 2009-08-08 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-08 02:03 . 2009-08-18 11:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-08 01:46 . 2009-08-08 01:46 19761 ----a-w- c:\windows\system32\gibake.com

2009-08-08 01:46 . 2009-08-08 01:46 19260 ----a-w- c:\documents and settings\All Users\Application Data\jatyd.dll

2009-08-08 01:46 . 2009-08-08 01:46 18328 ----a-w- c:\windows\nyrowil.scr

2009-08-08 01:46 . 2009-08-08 01:46 17775 ----a-w- c:\windows\esamebus.pif

2009-08-08 01:46 . 2009-08-08 01:46 17481 ----a-w- c:\windows\otiwa.exe

2009-08-08 01:46 . 2009-08-08 01:46 15762 ----a-w- c:\documents and settings\trader\Local Settings\Application Data\uwoqaw.scr

2009-08-08 01:46 . 2009-08-08 01:46 15135 ----a-w- c:\windows\ebac.sys

2009-08-08 01:46 . 2009-08-08 01:46 13369 ----a-w- c:\windows\urexe.pif

2009-08-08 01:46 . 2009-08-08 01:46 12781 ----a-w- c:\windows\depih.bin

2009-08-08 01:46 . 2009-08-08 01:46 11231 ----a-w- c:\documents and settings\trader\Application Data\ynyl.sys

2009-08-08 01:42 . 2009-08-08 01:43 -------- d-----w- c:\documents and settings\trader\Application Data\MalwareRemovalBot

2009-08-08 00:05 . 2009-08-08 00:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-08-07 21:59 . 2009-08-07 21:59 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla

2009-08-07 20:19 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2009-08-07 20:19 . 2009-04-03 14:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2009-08-07 20:19 . 2008-12-18 15:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2009-08-07 20:18 . 2009-08-11 12:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-08-07 20:18 . 2009-08-07 20:18 -------- d-----w- c:\program files\Common Files\PC Tools

2009-08-07 20:18 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2009-08-07 20:18 . 2009-08-12 11:33 -------- d-----w- c:\program files\Spyware Doctor

2009-08-07 20:18 . 2009-08-07 20:18 -------- d-----w- c:\documents and settings\trader\Application Data\PC Tools

2009-08-07 20:18 . 2009-08-07 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2009-08-05 11:57 . 2009-08-05 11:57 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-19 21:57 . 2009-04-21 12:53 -------- d-----w- c:\program files\KaVoom! KM

2009-08-19 21:28 . 2009-05-05 22:30 2836 ----a-w- c:\windows\system32\d3d9caps.dat

2009-08-19 20:05 . 2007-07-16 14:26 -------- d-----w- c:\program files\mIRC

2009-08-19 11:39 . 2009-05-19 11:39 84992 --sha-w- c:\windows\system32\megumipa.dll

2009-08-18 23:39 . 2009-05-18 23:39 49664 --sha-w- c:\windows\system32\guhegeni.dll

2009-08-14 01:30 . 2006-06-14 17:31 13104 ----a-w- c:\documents and settings\trader\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-08 19:26 . 2007-07-18 14:00 -------- d-----w- c:\program files\Java

2009-08-08 18:24 . 2009-08-08 18:24 14108 ----a-w- c:\program files\Common Files\gyjy.dl

2009-08-08 14:45 . 2009-05-08 14:45 85504 --sha-w- c:\windows\system32\kelewaba.dll

2009-08-08 11:08 . 2009-08-08 11:08 15364 ----a-w- c:\documents and settings\trader\Application Data\uhevin.vbs

2009-08-08 11:08 . 2009-08-08 11:08 10704 ----a-w- c:\program files\Common Files\baxos._sy

2009-08-08 10:18 . 2009-08-08 10:18 10479 ----a-w- c:\documents and settings\All Users\Application Data\ronamon.vbs

2009-08-08 01:57 . 2006-05-15 15:25 -------- d-----w- c:\program files\Blackwood

2009-08-08 01:56 . 2006-06-12 14:49 -------- d-----w- c:\program files\PokerStars

2009-08-08 01:46 . 2009-08-08 01:46 17723 ----a-w- c:\program files\Common Files\ubipos._sy

2009-08-07 22:15 . 2009-05-07 22:15 84480 --sha-w- c:\windows\system32\zupejaku.dll

2009-08-07 20:19 . 2004-08-12 13:17 30208 ----a-w- c:\windows\system32\drivers\beep.sys.XXX

2009-08-07 13:22 . 2009-08-07 13:22 54784 ----a-w- c:\windows\system32\drivers\UACirqpbpxdlt.sys.XXX

2009-08-07 13:11 . 2009-08-07 13:11 1215624 ----a-w- c:\windows\system32\xa.tmp

2009-08-05 11:57 . 2009-06-19 12:39 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-08-05 11:57 . 2009-06-19 12:39 38208 ----a-w- c:\documents and settings\trader\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2009-07-25 09:23 . 2009-05-27 20:28 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-07-08 23:19 . 2009-07-08 23:19 -------- d-----w- c:\program files\TweetDeck

2009-07-03 17:09 . 2004-08-12 13:33 915456 ----a-w- c:\windows\system32\wininet.dll

2009-06-16 14:36 . 2004-08-12 13:30 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2004-08-12 13:19 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-03 19:09 . 2004-08-12 13:26 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-05-27 20:23 . 2009-05-27 20:23 152576 ----a-w- c:\documents and settings\trader\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

2009-05-18 23:39 . 2009-05-18 23:39 49664 --sha-w- c:\windows\system32\lepopoka.dll

2009-05-07 21:07 . 2009-05-07 21:07 49664 --sha-w- c:\windows\system32\ravufuge.dll.tmp

2009-05-18 23:39 . 2009-05-18 23:39 49664 --sha-w- c:\windows\system32\sodofewa.dll

2009-05-07 21:07 . 2009-05-07 21:07 49664 --sha-w- c:\windows\system32\yiwuyipa.dll.tmp

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c59d7222-e38b-4403-bc69-6e5ac7767927}]

2009-05-18 23:39 49664 --sha-w- c:\windows\system32\sodofewa.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"lezuhorose"="c:\windows\system32\lepopoka.dll" [2009-05-18 49664]

"CPM87219719"="c:\windows\system32\megumipa.dll" [2009-08-19 84992]

c:\documents and settings\trader\Start Menu\Programs\Startup\

dmaupd32.exe.XXX [2008-4-13 28160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2006-5-25 1524776]

KaVoom! KM.lnk - c:\program files\KaVoom! KM\KaVoomKM.exe [2007-1-31 1679360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\megumipa.dll" [2009-08-19 84992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\megumipa.dll [2009-08-19 84992]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\eSignal\\winros.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=

"c:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe"=

"c:\\WINDOWS\\explorer.exe"=

R3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [2007-12-13 10752]

R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]

S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-04-03 130936]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]

S2 KaVoom! KM;KaVoom! KM;c:\program files\KaVoom! KM\kavoomkm.exe [2007-01-31 1679360]

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

S3 S3SAVAGE4M;S3SAVAGE4M;c:\windows\system32\DRIVERS\s3sav4m.sys [2001-08-17 77824]

S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\urvpndrv.sys [2007-12-13 27008]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-MalwareRemovalBot - c:\program files\MalwareRemovalBot\MalwareRemovalBot.exe

HKLM-Run-PC Antispyware 2010 - c:\program files\PC_Antispyware2010\PC_Antispyware2010.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mStart Page = hxxp://www.google.com

IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

FF - ProfilePath - c:\documents and settings\trader\Application Data\Mozilla\Firefox\Profiles\xm8ek33n.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.excite.com/

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-19 17:57

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3680)

c:\windows\system32\WININET.dll

c:\windows\system32\lepopoka.dll

c:\windows\system32\megumipa.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\wdfmgr.exe

c:\program files\RealVNC\VNC4\winvnc4.exe

c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

.

**************************************************************************

.

Completion time: 2009-08-19 18:01 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-19 22:00

Pre-Run: 30,828,244,992 bytes free

Post-Run: 30,780,985,344 bytes free

576 --- E O F --- 2009-07-30 07:01

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Collect::

c:\documents and settings\trader\Application Data\vimobak.com

c:\windows\xonarif.bat

c:\windows\system32\sulefevo.dll

c:\windows\ukefyruma.bin

c:\windows\yrepa.scr

c:\documents and settings\trader\Application Data\mygurecan.exe

c:\documents and settings\trader\Local Settings\Application Data\gyky.bin

c:\windows\system32\anuna.com

c:\windows\muhyxoxujy.dll

c:\documents and settings\trader\Application Data\nubike.sys

c:\windows\uryq.scr

c:\documents and settings\trader\Application Data\sepaqe.scr

c:\program files\Common Files\cywumokofi.com

c:\program files\Common Files\ixyqywiju.pif

c:\program files\Common Files\rabeq.dat

c:\windows\system32\buxy.com

c:\documents and settings\trader\Local Settings\Application Data\adec.pif

c:\windows\kuhe.pif

c:\windows\system32\himajil.reg

c:\windows\system32\gibake.com

c:\documents and settings\All Users\Application Data\jatyd.dll

c:\windows\nyrowil.scr

c:\windows\esamebus.pif

c:\windows\otiwa.exe

c:\documents and settings\trader\Local Settings\Application Data\uwoqaw.scr

c:\windows\ebac.sys

c:\windows\urexe.pif

c:\windows\depih.bin

c:\documents and settings\trader\Application Data\ynyl.sys

c:\documents and settings\trader\Application Data\MalwareRemovalBot

Driver::

Viewpoint Manager Service

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Combo log

ComboFix 09-08-18.04 - trader 08/19/2009 17:50.2.2 - NTFSx86

Running from: c:\documents and settings\trader\Desktop\Combo-Fix..exe

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\BaseWN.3-2-0.ddr.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\BJBase_2-4-1_DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\BJNet_2-4-0_DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\BJXSLT_1_0_ddr.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\CustomActiveX.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\libeay32_1-1-0_DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Marshaller.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\mfc42.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\msvcrt.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\backAtoB.exe.XXX

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\cleanup.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\cmuninst.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\cpicon.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\delsbc.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\DLLs\BJAXSecurityManager.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\DLLs\BJInstaller.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\DLLs\RGWInterfaces_DSR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\DLLs\RGWLib_2-0-0_DSR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\DLLs\TrustInhouse.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\Efficient\EnetChk.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\Efficient\NTSRD.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\Efficient\NTSRR.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\Efficient\NTSRR2.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\icons.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\InitSST.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\LnchSST.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\removeicons.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\ActiveUtils.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\BJAXSecurityManager.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\BJInstaller.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\chorus.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\csshim.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\EnCmnSvr.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\EniCommon.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\enisnmp.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\InstallHelper.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\McciCPEX.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\mccupdate.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\MCCWrapper_DSR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\Pcandis4.sys

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\Pcandis5.sys

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\Prox.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\RGWInterfaces_DSR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\RGWLib_2-0-0_DSR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Chorus\W32n50.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\closeAll.exe.XXX

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\CustomUninstall.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\EndProcess.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\KillWindow2.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\mad.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\MCCCleanup.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\MCCDevice.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\MCCDNSHLP_1-0-0_DSR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\MCCEmbInstall.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\McciCPEX_2_DSR.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\MCCSilent.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\MCCUninst.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\MotiveBrowser.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Package\McciControlInstaller_DSR.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Package\McciCoreInstaller_DSR.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Package\NoRun.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\psapi.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\resource.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\StartAsync.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\Uninstall.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\UpdateSC.EXE

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\util.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\vdmdbg.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\Setup\SST\Data\VNC\MotVNC.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\ssleay32_1-1-0_DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\stlport_4_0_0_DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\wffDDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WinUtils3_DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\AddDictionaryInt.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\CompareGlobalDicInt.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\CompareGlobalDicStr.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\CopyFiles.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\CoreObjects.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\CPUSpeed.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\DictionaryWindow.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\DirAndFilePaths.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\ExitHostApp.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\ExtEvntMngr.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\ExtractListEntry.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\ExtractZipFile.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\ExtrnlEvntLstnr.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\FileReadWrite.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\GetPhoneBookEntries.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\GlobalDicAndRepEnt.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\GlobalDicCompare.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\HTMLDisplayProps.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\HtmlFormInput.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\HttpPost.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\IniFileReaderWriter.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\IsAdministrator.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\IsIEInstalled.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\IsNetscapeInstalled.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\LaunchProgram.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\Logger.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\OsDetect.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\PrintAscii.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\Profile.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\RamSize.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\RebootSystem.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\RegManipulation.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\Report.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\SaveReport.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\ScriptRunner.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\SglDisplay.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\SimpleHostApp.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\SleepNode.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\StringFormat.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\StringListPatMatch.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\StringReplace.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\SubstringExtraction.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\SysDriveSpace.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\TcpIpConnectionTest.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\WaitOnWindow.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\WindowClicker.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\XmlParserNode.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\XmlToString.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Bin\Zipit.DDR.dll

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Extra\AgentKiller.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Extra\curl.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Extra\DeleteAll.EXE

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Extra\DeleteLegacyFolders.EXE

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Extra\DLFile.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Extra\FixXPDun.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Extra\GetVersion.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Extra\LaunchDSLIcon.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Extra\MotGuidGen.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Extra\RecoverFromReboot.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\WorkFlow\Extra\RemoveMe.exe

c:\docume~1\trader\LOCALS~1\Temp\WebInstaller\xerces-c_1_40_0_DDR.dll

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\trader\Application Data\Microsoft\Internet Explorer\Quick Launch\PC_Antispyware2010.lnk

c:\documents and settings\trader\Application Data\wiaserva.log

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\BaseWN.3-2-0.ddr.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\BJBase_2-4-1_DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\BJNet_2-4-0_DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\BJXSLT_1_0_ddr.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\CustomActiveX.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\libeay32_1-1-0_DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Marshaller.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\mfc42.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\msvcrt.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\backAtoB.exe.XXX

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\cleanup.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\cmuninst.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\cpicon.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\delsbc.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\DLLs\BJAXSecurityManager.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\DLLs\BJInstaller.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\DLLs\RGWInterfaces_DSR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\DLLs\RGWLib_2-0-0_DSR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\DLLs\TrustInhouse.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\Efficient\EnetChk.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\Efficient\NTSRD.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\Efficient\NTSRR.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\Efficient\NTSRR2.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\icons.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\InitSST.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\LnchSST.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\removeicons.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\ActiveUtils.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\BJAXSecurityManager.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\BJInstaller.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\chorus.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\csshim.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\EnCmnSvr.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\EniCommon.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\enisnmp.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\InstallHelper.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\McciCPEX.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\mccupdate.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\MCCWrapper_DSR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\Pcandis4.sys

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\Pcandis5.sys

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\Prox.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\RGWInterfaces_DSR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\RGWLib_2-0-0_DSR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Chorus\W32n50.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\closeAll.exe.XXX

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\CustomUninstall.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\EndProcess.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\KillWindow2.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\mad.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\MCCCleanup.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\MCCDevice.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\MCCDNSHLP_1-0-0_DSR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\MCCEmbInstall.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\McciCPEX_2_DSR.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\MCCSilent.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\MCCUninst.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\MotiveBrowser.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Package\McciControlInstaller_DSR.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Package\McciCoreInstaller_DSR.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Package\NoRun.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\psapi.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\resource.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\StartAsync.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\Uninstall.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\UpdateSC.EXE

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\util.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\vdmdbg.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\Setup\SST\Data\VNC\MotVNC.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\ssleay32_1-1-0_DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\stlport_4_0_0_DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\wffDDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WinUtils3_DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\AddDictionaryInt.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\CompareGlobalDicInt.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\CompareGlobalDicStr.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\CopyFiles.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\CoreObjects.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\CPUSpeed.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\DictionaryWindow.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\DirAndFilePaths.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\ExitHostApp.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\ExtEvntMngr.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\ExtractListEntry.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\ExtractZipFile.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\ExtrnlEvntLstnr.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\FileReadWrite.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\GetPhoneBookEntries.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\GlobalDicAndRepEnt.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\GlobalDicCompare.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\HTMLDisplayProps.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\HtmlFormInput.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\HttpPost.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\IniFileReaderWriter.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\IsAdministrator.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\IsIEInstalled.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\IsNetscapeInstalled.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\LaunchProgram.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\Logger.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\OsDetect.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\PrintAscii.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\Profile.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\RamSize.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\RebootSystem.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\RegManipulation.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\Report.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\SaveReport.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\ScriptRunner.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\SglDisplay.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\SimpleHostApp.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\SleepNode.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\StringFormat.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\StringListPatMatch.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\StringReplace.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\SubstringExtraction.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\SysDriveSpace.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\TcpIpConnectionTest.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\WaitOnWindow.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\WindowClicker.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\XmlParserNode.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\XmlToString.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Bin\Zipit.DDR.dll

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Extra\AgentKiller.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Extra\curl.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Extra\DeleteAll.EXE

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Extra\DeleteLegacyFolders.EXE

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Extra\DLFile.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Extra\FixXPDun.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Extra\GetVersion.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Extra\LaunchDSLIcon.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Extra\MotGuidGen.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Extra\RecoverFromReboot.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\WorkFlow\Extra\RemoveMe.exe

c:\documents and settings\trader\Local Settings\Temp\WebInstaller\xerces-c_1_40_0_DDR.dll

c:\documents and settings\trader\Local Settings\Temporary Internet Files\acokoni.reg

c:\documents and settings\trader\Local Settings\Temporary Internet Files\fypijala.lib

c:\documents and settings\trader\Local Settings\Temporary Internet Files\gugy.exe

c:\documents and settings\trader\Local Settings\Temporary Internet Files\ifuzad.dat

c:\documents and settings\trader\Local Settings\Temporary Internet Files\ipuzucada.dat

c:\documents and settings\trader\Local Settings\Temporary Internet Files\izybijeku.pif

c:\documents and settings\trader\Local Settings\Temporary Internet Files\mavez.dat

c:\documents and settings\trader\Local Settings\Temporary Internet Files\ozemodenuf.ban

c:\documents and settings\trader\Local Settings\Temporary Internet Files\qysilymyk.dll

c:\documents and settings\trader\Local Settings\Temporary Internet Files\syqoryl.db

c:\documents and settings\trader\Local Settings\Temporary Internet Files\uqigasag.db

c:\documents and settings\trader\Local Settings\Temporary Internet Files\zykyzolif.scr

c:\documents and settings\trader\Local Settings\Temporary Internet Files\zypedav.inf

c:\documents and settings\trader\Start Menu\Programs\PC_Antispyware2010\PC_Antispyware2010.lnk

c:\documents and settings\trader\Start Menu\Programs\PC_Antispyware2010\Uninstall.lnk

C:\HijackThis.exe

c:\program files\PC_Antispyware2010\AVEngn.dll

c:\program files\PC_Antispyware2010\data\daily.cvd

c:\program files\PC_Antispyware2010\htmlayout.dll

c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest

c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcm80.dll

c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcp80.dll

c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcr80.dll

c:\program files\PC_Antispyware2010\PC_Antispyware2010.cfg

c:\program files\PC_Antispyware2010\pthreadVC2.dll

c:\program files\PC_Antispyware2010\wscui.cpl

c:\windows\run.log

c:\windows\system32\ditehahe.dll

c:\windows\system32\drivers\vsfoceiofmlwbi.sys.XXX

c:\windows\system32\dudeheru.dll

c:\windows\system32\fogebota.dll

c:\windows\system32\fopijunu.dll

c:\windows\system32\fovakike.dll

c:\windows\system32\gayuzime.dll

c:\windows\system32\gifitafa.dll

c:\windows\system32\havehawi.dll

c:\windows\system32\hebotezi.dll

c:\windows\system32\jabetuze.dll

c:\windows\system32\jayamuja.dll

c:\windows\system32\jinuriwa.dll

c:\windows\system32\jiwirido.dll

c:\windows\system32\jonefede.dll

c:\windows\system32\kemomupi.dll

c:\windows\system32\kimuremo.dll

c:\windows\system32\kiramega.dll

c:\windows\system32\kudinuho.dll

c:\windows\system32\malopebi.dll

c:\windows\system32\migukaho.dll

c:\windows\system32\mudagisi.dll

c:\windows\system32\najibite.dll

c:\windows\system32\peroruvo.dll

c:\windows\system32\rayefeku.dll

c:\windows\system32\razifazi.dll

c:\windows\system32\ripetate.dll

c:\windows\system32\rogavove.dll

c:\windows\system32\ruzomivu.dll

c:\windows\system32\tinonere.dll

c:\windows\system32\tizitiya.dll

c:\windows\system32\tolataga.dll

c:\windows\system32\vikewami.dll

c:\windows\system32\vuzibare.dll

c:\windows\system32\wujeluhe.dll

c:\windows\system32\yajosofo.dll

c:\windows\system32\yawususi.dll

c:\windows\system32\yejedufi.dll

c:\windows\system32\yeruduki.dll

c:\windows\system32\yokamuye.dll

c:\windows\system32\zabunego.dll

c:\windows\system32\zofegadi.dll

Infected copy of c:\windows\system32\mspmsnsv.dll was found and disinfected

Restored copy from - c:\windows\system32\dllcache\MsPMSNSv.dll

c:\windows\system32\proquota.exe was missing

Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

Infected copy of c:\windows\system32\mspmsnsv.dll was found and disinfected

Restored copy from - c:\windows\system32\dllcache\mspmsnsv.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_UACd.sys

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))

.

2009-08-19 21:41 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe

2009-08-17 20:45 . 2009-08-17 20:45 -------- d-----w- c:\windows\system32\wbem\Repository

2009-08-17 20:45 . 2009-08-17 20:46 -------- d-----w- c:\windows\system32\wbem\autorecover

2009-08-17 20:34 . 2009-08-17 20:34 -------- d-----w- c:\windows\system32\wbem\repository.old

2009-08-17 20:34 . 2009-08-17 20:34 -------- d-----w- c:\windows\system32\wbem\autorecover.old

2009-08-08 19:27 . 2009-08-08 21:37 -------- d-----w- c:\program files\Carbonite

2009-08-08 19:26 . 2009-08-08 19:26 152576 ----a-w- c:\documents and settings\trader\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

2009-08-08 18:37 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-08-08 18:37 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-08-08 18:37 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-08-08 18:37 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-08-08 18:37 . 2009-08-08 18:37 -------- d-----w- c:\program files\Avira

2009-08-08 18:37 . 2009-08-08 18:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-08-08 18:24 . 2009-08-08 18:24 19748 ----a-w- c:\documents and settings\trader\Application Data\vimobak.com

2009-08-08 18:24 . 2009-08-08 18:24 18816 ----a-w- c:\windows\xonarif.bat

2009-08-08 18:24 . 2009-08-08 18:24 18762 ----a-w- c:\windows\system32\sulefevo.dll

2009-08-08 18:24 . 2009-08-08 18:24 18012 ----a-w- c:\windows\ukefyruma.bin

2009-08-08 18:24 . 2009-08-08 18:24 17708 ----a-w- c:\windows\yrepa.scr

2009-08-08 18:24 . 2009-08-08 18:24 15560 ----a-w- c:\documents and settings\trader\Application Data\mygurecan.exe

2009-08-08 18:24 . 2009-08-08 18:24 13993 ----a-w- c:\documents and settings\trader\Local Settings\Application Data\gyky.bin

2009-08-08 18:24 . 2009-08-08 18:24 13046 ----a-w- c:\windows\system32\anuna.com

2009-08-08 18:24 . 2009-08-08 18:24 12129 ----a-w- c:\windows\muhyxoxujy.dll

2009-08-08 18:24 . 2009-08-08 18:24 11295 ----a-w- c:\documents and settings\trader\Application Data\nubike.sys

2009-08-08 18:24 . 2009-08-08 18:24 11063 ----a-w- c:\windows\uryq.scr

2009-08-08 18:16 . 2009-08-08 18:16 -------- d-----w- c:\program files\Trend Micro

2009-08-08 16:17 . 2009-08-08 16:19 -------- d-----w- c:\program files\Windows Live Safety Center

2009-08-08 15:43 . 2009-08-08 16:48 15 ----a-w- c:\documents and settings\trader\settings.dat

2009-08-08 15:39 . 2009-08-08 15:39 -------- d--h--w- c:\windows\PIF

2009-08-08 15:23 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-08 15:23 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-08 14:45 . 2009-08-08 14:45 -------- d-----w- c:\documents and settings\trader\Application Data\Malwarebytes

2009-08-08 11:08 . 2009-08-08 11:08 19329 ----a-w- c:\documents and settings\trader\Application Data\sepaqe.scr

2009-08-08 11:08 . 2009-08-08 11:08 17835 ----a-w- c:\program files\Common Files\cywumokofi.com

2009-08-08 11:08 . 2009-08-08 11:08 16109 ----a-w- c:\program files\Common Files\ixyqywiju.pif

2009-08-08 11:08 . 2009-08-08 11:08 15802 ----a-w- c:\program files\Common Files\rabeq.dat

2009-08-08 11:08 . 2009-08-08 11:08 11504 ----a-w- c:\windows\system32\buxy.com

2009-08-08 11:08 . 2009-08-08 11:08 11017 ----a-w- c:\documents and settings\trader\Local Settings\Application Data\adec.pif

2009-08-08 11:08 . 2009-08-08 11:08 18402 ----a-w- c:\windows\kuhe.pif

2009-08-08 11:08 . 2009-08-08 11:08 18655 ----a-w- c:\windows\system32\himajil.reg

2009-08-08 02:03 . 2009-08-08 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-08 02:03 . 2009-08-18 11:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-08 01:46 . 2009-08-08 01:46 19761 ----a-w- c:\windows\system32\gibake.com

2009-08-08 01:46 . 2009-08-08 01:46 19260 ----a-w- c:\documents and settings\All Users\Application Data\jatyd.dll

2009-08-08 01:46 . 2009-08-08 01:46 18328 ----a-w- c:\windows\nyrowil.scr

2009-08-08 01:46 . 2009-08-08 01:46 17775 ----a-w- c:\windows\esamebus.pif

2009-08-08 01:46 . 2009-08-08 01:46 17481 ----a-w- c:\windows\otiwa.exe

2009-08-08 01:46 . 2009-08-08 01:46 15762 ----a-w- c:\documents and settings\trader\Local Settings\Application Data\uwoqaw.scr

2009-08-08 01:46 . 2009-08-08 01:46 15135 ----a-w- c:\windows\ebac.sys

2009-08-08 01:46 . 2009-08-08 01:46 13369 ----a-w- c:\windows\urexe.pif

2009-08-08 01:46 . 2009-08-08 01:46 12781 ----a-w- c:\windows\depih.bin

2009-08-08 01:46 . 2009-08-08 01:46 11231 ----a-w- c:\documents and settings\trader\Application Data\ynyl.sys

2009-08-08 01:42 . 2009-08-08 01:43 -------- d-----w- c:\documents and settings\trader\Application Data\MalwareRemovalBot

2009-08-08 00:05 . 2009-08-08 00:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-08-07 21:59 . 2009-08-07 21:59 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla

2009-08-07 20:19 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2009-08-07 20:19 . 2009-04-03 14:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2009-08-07 20:19 . 2008-12-18 15:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2009-08-07 20:18 . 2009-08-11 12:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-08-07 20:18 . 2009-08-07 20:18 -------- d-----w- c:\program files\Common Files\PC Tools

2009-08-07 20:18 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2009-08-07 20:18 . 2009-08-12 11:33 -------- d-----w- c:\program files\Spyware Doctor

2009-08-07 20:18 . 2009-08-07 20:18 -------- d-----w- c:\documents and settings\trader\Application Data\PC Tools

2009-08-07 20:18 . 2009-08-07 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2009-08-05 11:57 . 2009-08-05 11:57 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-19 21:57 . 2009-04-21 12:53 -------- d-----w- c:\program files\KaVoom! KM

2009-08-19 21:28 . 2009-05-05 22:30 2836 ----a-w- c:\windows\system32\d3d9caps.dat

2009-08-19 20:05 . 2007-07-16 14:26 -------- d-----w- c:\program files\mIRC

2009-08-19 11:39 . 2009-05-19 11:39 84992 --sha-w- c:\windows\system32\megumipa.dll

2009-08-18 23:39 . 2009-05-18 23:39 49664 --sha-w- c:\windows\system32\guhegeni.dll

2009-08-14 01:30 . 2006-06-14 17:31 13104 ----a-w- c:\documents and settings\trader\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-08 19:26 . 2007-07-18 14:00 -------- d-----w- c:\program files\Java

2009-08-08 18:24 . 2009-08-08 18:24 14108 ----a-w- c:\program files\Common Files\gyjy.dl

2009-08-08 14:45 . 2009-05-08 14:45 85504 --sha-w- c:\windows\system32\kelewaba.dll

2009-08-08 11:08 . 2009-08-08 11:08 15364 ----a-w- c:\documents and settings\trader\Application Data\uhevin.vbs

2009-08-08 11:08 . 2009-08-08 11:08 10704 ----a-w- c:\program files\Common Files\baxos._sy

2009-08-08 10:18 . 2009-08-08 10:18 10479 ----a-w- c:\documents and settings\All Users\Application Data\ronamon.vbs

2009-08-08 01:57 . 2006-05-15 15:25 -------- d-----w- c:\program files\Blackwood

2009-08-08 01:56 . 2006-06-12 14:49 -------- d-----w- c:\program files\PokerStars

2009-08-08 01:46 . 2009-08-08 01:46 17723 ----a-w- c:\program files\Common Files\ubipos._sy

2009-08-07 22:15 . 2009-05-07 22:15 84480 --sha-w- c:\windows\system32\zupejaku.dll

2009-08-07 20:19 . 2004-08-12 13:17 30208 ----a-w- c:\windows\system32\drivers\beep.sys.XXX

2009-08-07 13:22 . 2009-08-07 13:22 54784 ----a-w- c:\windows\system32\drivers\UACirqpbpxdlt.sys.XXX

2009-08-07 13:11 . 2009-08-07 13:11 1215624 ----a-w- c:\windows\system32\xa.tmp

2009-08-05 11:57 . 2009-06-19 12:39 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-08-05 11:57 . 2009-06-19 12:39 38208 ----a-w- c:\documents and settings\trader\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2009-07-25 09:23 . 2009-05-27 20:28 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-07-08 23:19 . 2009-07-08 23:19 -------- d-----w- c:\program files\TweetDeck

2009-07-03 17:09 . 2004-08-12 13:33 915456 ----a-w- c:\windows\system32\wininet.dll

2009-06-16 14:36 . 2004-08-12 13:30 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2004-08-12 13:19 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-03 19:09 . 2004-08-12 13:26 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-05-27 20:23 . 2009-05-27 20:23 152576 ----a-w- c:\documents and settings\trader\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

2009-05-18 23:39 . 2009-05-18 23:39 49664 --sha-w- c:\windows\system32\lepopoka.dll

2009-05-07 21:07 . 2009-05-07 21:07 49664 --sha-w- c:\windows\system32\ravufuge.dll.tmp

2009-05-18 23:39 . 2009-05-18 23:39 49664 --sha-w- c:\windows\system32\sodofewa.dll

2009-05-07 21:07 . 2009-05-07 21:07 49664 --sha-w- c:\windows\system32\yiwuyipa.dll.tmp

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c59d7222-e38b-4403-bc69-6e5ac7767927}]

2009-05-18 23:39 49664 --sha-w- c:\windows\system32\sodofewa.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"lezuhorose"="c:\windows\system32\lepopoka.dll" [2009-05-18 49664]

"CPM87219719"="c:\windows\system32\megumipa.dll" [2009-08-19 84992]

c:\documents and settings\trader\Start Menu\Programs\Startup\

dmaupd32.exe.XXX [2008-4-13 28160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2006-5-25 1524776]

KaVoom! KM.lnk - c:\program files\KaVoom! KM\KaVoomKM.exe [2007-1-31 1679360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\megumipa.dll" [2009-08-19 84992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\megumipa.dll [2009-08-19 84992]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\eSignal\\winros.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=

"c:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe"=

"c:\\WINDOWS\\explorer.exe"=

R3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [2007-12-13 10752]

R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]

S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-04-03 130936]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]

S2 KaVoom! KM;KaVoom! KM;c:\program files\KaVoom! KM\kavoomkm.exe [2007-01-31 1679360]

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

S3 S3SAVAGE4M;S3SAVAGE4M;c:\windows\system32\DRIVERS\s3sav4m.sys [2001-08-17 77824]

S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\urvpndrv.sys [2007-12-13 27008]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-MalwareRemovalBot - c:\program files\MalwareRemovalBot\MalwareRemovalBot.exe

HKLM-Run-PC Antispyware 2010 - c:\program files\PC_Antispyware2010\PC_Antispyware2010.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mStart Page = hxxp://www.google.com

IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

FF - ProfilePath - c:\documents and settings\trader\Application Data\Mozilla\Firefox\Profiles\xm8ek33n.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.excite.com/

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-19 17:57

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3680)

c:\windows\system32\WININET.dll

c:\windows\system32\lepopoka.dll

c:\windows\system32\megumipa.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\wdfmgr.exe

c:\program files\RealVNC\VNC4\winvnc4.exe

c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

.

**************************************************************************

.

Completion time: 2009-08-19 18:01 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-19 22:00

Pre-Run: 30,828,244,992 bytes free

Post-Run: 30,780,985,344 bytes free

576 --- E O F --- 2009-07-30 07:01

Malware log

Malwarebytes' Anti-Malware 1.40

Database version: 2659

Windows 5.1.2600 Service Pack 3

8/19/2009 6:29:36 PM

mbam-log-2009-08-19 (18-29-36).txt

Scan type: Quick Scan

Objects scanned: 80259

Time elapsed: 3 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 2

Registry Keys Infected: 5

Registry Values Infected: 5

Registry Data Items Infected: 6

Folders Infected: 3

Files Infected: 23

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\megumipa.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\lepopoka.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c59d7222-e38b-4403-bc69-6e5ac7767927} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{c59d7222-e38b-4403-bc69-6e5ac7767927} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c59d7222-e38b-4403-bc69-6e5ac7767927} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lezuhorose (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm87219719 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\megumipa.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\megumipa.dll -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\Documents and Settings\trader\Application Data\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

C:\Documents and Settings\trader\Application Data\MalwareRemovalBot\Log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

C:\Documents and Settings\trader\Application Data\MalwareRemovalBot\Settings (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\lepopoka.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\megumipa.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\sodofewa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\Documents and Settings\trader\Start Menu\Programs\Startup\dmaupd32.exe.XXX (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\guhegeni.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\xa.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\UACirqpbpxdlt.sys.XXX (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\beep.sys.XXX (Trojan.KillAV) -> Quarantined and deleted successfully.

C:\Documents and Settings\trader\Application Data\MalwareRemovalBot\rs.dat (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

C:\Documents and Settings\trader\Application Data\MalwareRemovalBot\Log\2009 Aug 07 - 09_42_50 PM_640.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

C:\Documents and Settings\trader\Application Data\MalwareRemovalBot\Log\2009 Aug 07 - 09_53_56 PM_703.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

C:\Documents and Settings\trader\Application Data\MalwareRemovalBot\Log\2009 Aug 07 - 09_54_11 PM_968.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

C:\Documents and Settings\trader\Application Data\MalwareRemovalBot\Log\2009 Aug 07 - 10_07_11 PM_312.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

C:\Documents and Settings\trader\Application Data\MalwareRemovalBot\Log\2009 Aug 07 - 10_14_18 PM_000.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

C:\Documents and Settings\trader\Application Data\MalwareRemovalBot\Log\2009 Aug 07 - 10_25_36 PM_296.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

C:\Documents and Settings\trader\Application Data\MalwareRemovalBot\Log\2009 Aug 07 - 10_47_35 PM_500.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

C:\Documents and Settings\trader\Application Data\MalwareRemovalBot\Log\2009 Aug 08 - 06_17_47 AM_562.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

C:\Documents and Settings\trader\Application Data\MalwareRemovalBot\Log\2009 Aug 08 - 06_20_58 AM_328.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

C:\Documents and Settings\trader\Application Data\MalwareRemovalBot\Log\2009 Aug 08 - 06_25_45 AM_609.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

C:\Documents and Settings\trader\Application Data\MalwareRemovalBot\Log\2009 Aug 08 - 06_38_54 AM_390.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

C:\Documents and Settings\trader\Application Data\MalwareRemovalBot\Settings\ScanResults.pie (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\zupejaku.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\trader\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Ran Combo, then ran Malwarebytes. Then ran Combo again with your CFScript command. Here is the latest log.

ComboFix 09-08-18.04 - trader 08/19/2009 18:47.3.2 - NTFSx86

Running from: c:\documents and settings\trader\Desktop\Combo-Fix..exe

Command switches used :: c:\documents and settings\trader\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

* Created a new restore point

file zipped: c:\documents and settings\All Users\Application Data\jatyd.dll

file zipped: c:\documents and settings\trader\Application Data\mygurecan.exe

file zipped: c:\documents and settings\trader\Application Data\nubike.sys

file zipped: c:\documents and settings\trader\Application Data\sepaqe.scr

file zipped: c:\documents and settings\trader\Application Data\vimobak.com

file zipped: c:\documents and settings\trader\Application Data\ynyl.sys

file zipped: c:\documents and settings\trader\Local Settings\Application Data\adec.pif

file zipped: c:\documents and settings\trader\Local Settings\Application Data\gyky.bin

file zipped: c:\documents and settings\trader\Local Settings\Application Data\uwoqaw.scr

file zipped: c:\program files\Common Files\cywumokofi.com

file zipped: c:\program files\Common Files\ixyqywiju.pif

file zipped: c:\program files\Common Files\rabeq.dat

file zipped: c:\windows\depih.bin

file zipped: c:\windows\ebac.sys

file zipped: c:\windows\esamebus.pif

file zipped: c:\windows\kuhe.pif

file zipped: c:\windows\muhyxoxujy.dll

file zipped: c:\windows\nyrowil.scr

file zipped: c:\windows\otiwa.exe

file zipped: c:\windows\system32\anuna.com

file zipped: c:\windows\system32\buxy.com

file zipped: c:\windows\system32\gibake.com

file zipped: c:\windows\system32\himajil.reg

file zipped: c:\windows\system32\sulefevo.dll

file zipped: c:\windows\ukefyruma.bin

file zipped: c:\windows\urexe.pif

file zipped: c:\windows\uryq.scr

file zipped: c:\windows\xonarif.bat

file zipped: c:\windows\yrepa.scr

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\jatyd.dll

c:\documents and settings\trader\Application Data\mygurecan.exe

c:\documents and settings\trader\Application Data\nubike.sys

c:\documents and settings\trader\Application Data\sepaqe.scr

c:\documents and settings\trader\Application Data\vimobak.com

c:\documents and settings\trader\Application Data\ynyl.sys

c:\documents and settings\trader\Local Settings\Application Data\adec.pif

c:\documents and settings\trader\Local Settings\Application Data\gyky.bin

c:\documents and settings\trader\Local Settings\Application Data\uwoqaw.scr

c:\program files\Common Files\cywumokofi.com

c:\program files\Common Files\ixyqywiju.pif

c:\program files\Common Files\rabeq.dat

c:\windows\depih.bin

c:\windows\ebac.sys

c:\windows\esamebus.pif

c:\windows\kuhe.pif

c:\windows\muhyxoxujy.dll

c:\windows\nyrowil.scr

c:\windows\otiwa.exe

c:\windows\system32\anuna.com

c:\windows\system32\buxy.com

c:\windows\system32\gibake.com

c:\windows\system32\himajil.reg

c:\windows\system32\sulefevo.dll

c:\windows\ukefyruma.bin

c:\windows\urexe.pif

c:\windows\uryq.scr

c:\windows\xonarif.bat

c:\windows\yrepa.scr

Infected copy of c:\windows\system32\mspmsnsv.dll was found and disinfected

Restored copy from - c:\windows\system32\dllcache\mspmsnsv.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_VIEWPOINT_MANAGER_SERVICE

-------\Service_Viewpoint Manager Service

((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))

.

2009-08-19 21:41 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe

2009-08-17 20:45 . 2009-08-17 20:45 -------- d-----w- c:\windows\system32\wbem\Repository

2009-08-17 20:45 . 2009-08-17 20:46 -------- d-----w- c:\windows\system32\wbem\autorecover

2009-08-17 20:34 . 2009-08-17 20:34 -------- d-----w- c:\windows\system32\wbem\repository.old

2009-08-17 20:34 . 2009-08-17 20:34 -------- d-----w- c:\windows\system32\wbem\autorecover.old

2009-08-08 19:27 . 2009-08-08 21:37 -------- d-----w- c:\program files\Carbonite

2009-08-08 19:26 . 2009-08-08 19:26 152576 ----a-w- c:\documents and settings\trader\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

2009-08-08 18:37 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-08-08 18:37 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-08-08 18:37 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-08-08 18:37 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-08-08 18:37 . 2009-08-08 18:37 -------- d-----w- c:\program files\Avira

2009-08-08 18:37 . 2009-08-08 18:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-08-08 18:16 . 2009-08-08 18:16 -------- d-----w- c:\program files\Trend Micro

2009-08-08 16:17 . 2009-08-08 16:19 -------- d-----w- c:\program files\Windows Live Safety Center

2009-08-08 15:43 . 2009-08-08 16:48 15 ----a-w- c:\documents and settings\trader\settings.dat

2009-08-08 15:39 . 2009-08-08 15:39 -------- d--h--w- c:\windows\PIF

2009-08-08 15:23 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-08 15:23 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-08 14:45 . 2009-08-08 14:45 -------- d-----w- c:\documents and settings\trader\Application Data\Malwarebytes

2009-08-08 02:03 . 2009-08-08 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-08 02:03 . 2009-08-19 22:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-08 00:05 . 2009-08-08 00:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-08-07 21:59 . 2009-08-07 21:59 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla

2009-08-07 20:19 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2009-08-07 20:19 . 2009-04-03 14:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2009-08-07 20:19 . 2008-12-18 15:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2009-08-07 20:18 . 2009-08-11 12:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-08-07 20:18 . 2009-08-07 20:18 -------- d-----w- c:\program files\Common Files\PC Tools

2009-08-07 20:18 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2009-08-07 20:18 . 2009-08-12 11:33 -------- d-----w- c:\program files\Spyware Doctor

2009-08-07 20:18 . 2009-08-07 20:18 -------- d-----w- c:\documents and settings\trader\Application Data\PC Tools

2009-08-07 20:18 . 2009-08-07 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2009-08-05 11:57 . 2009-08-05 11:57 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-19 22:53 . 2009-04-21 12:53 -------- d-----w- c:\program files\KaVoom! KM

2009-08-19 22:37 . 2009-05-05 22:30 2836 ----a-w- c:\windows\system32\d3d9caps.dat

2009-08-19 20:05 . 2007-07-16 14:26 -------- d-----w- c:\program files\mIRC

2009-08-14 01:30 . 2006-06-14 17:31 13104 ----a-w- c:\documents and settings\trader\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-08 19:26 . 2007-07-18 14:00 -------- d-----w- c:\program files\Java

2009-08-08 18:24 . 2009-08-08 18:24 14108 ----a-w- c:\program files\Common Files\gyjy.dl

2009-08-08 14:45 . 2009-05-08 14:45 85504 --sha-w- c:\windows\system32\kelewaba.dll

2009-08-08 11:08 . 2009-08-08 11:08 15364 ----a-w- c:\documents and settings\trader\Application Data\uhevin.vbs

2009-08-08 11:08 . 2009-08-08 11:08 10704 ----a-w- c:\program files\Common Files\baxos._sy

2009-08-08 10:18 . 2009-08-08 10:18 10479 ----a-w- c:\documents and settings\All Users\Application Data\ronamon.vbs

2009-08-08 01:57 . 2006-05-15 15:25 -------- d-----w- c:\program files\Blackwood

2009-08-08 01:56 . 2006-06-12 14:49 -------- d-----w- c:\program files\PokerStars

2009-08-08 01:46 . 2009-08-08 01:46 17723 ----a-w- c:\program files\Common Files\ubipos._sy

2009-08-05 11:57 . 2009-06-19 12:39 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-08-05 11:57 . 2009-06-19 12:39 38208 ----a-w- c:\documents and settings\trader\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2009-07-25 09:23 . 2009-05-27 20:28 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-07-08 23:19 . 2009-07-08 23:19 -------- d-----w- c:\program files\TweetDeck

2009-07-03 17:09 . 2004-08-12 13:33 915456 ----a-w- c:\windows\system32\wininet.dll

2009-06-16 14:36 . 2004-08-12 13:30 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2004-08-12 13:19 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-03 19:09 . 2004-08-12 13:26 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-05-27 20:23 . 2009-05-27 20:23 152576 ----a-w- c:\documents and settings\trader\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

2009-05-07 21:07 . 2009-05-07 21:07 49664 --sha-w- c:\windows\system32\ravufuge.dll.tmp

2009-05-07 21:07 . 2009-05-07 21:07 49664 --sha-w- c:\windows\system32\yiwuyipa.dll.tmp

.

((((((((((((((((((((((((((((( SnapShot@2009-08-19_21.57.20 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-08-19 22:53 . 2009-08-19 22:53 16384 c:\windows\Temp\Perflib_Perfdata_670.dat

+ 2004-08-12 13:26 . 2009-08-19 22:39 39992 c:\windows\system32\perfc009.dat

- 2004-08-12 13:26 . 2009-08-19 21:51 39992 c:\windows\system32\perfc009.dat

+ 2004-08-12 13:26 . 2009-08-19 22:39 311604 c:\windows\system32\perfh009.dat

- 2004-08-12 13:26 . 2009-08-19 21:51 311604 c:\windows\system32\perfh009.dat

+ 2009-08-19 22:38 . 2009-07-29 21:49 24281536 c:\windows\system32\MRT.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2006-5-25 1524776]

KaVoom! KM.lnk - c:\program files\KaVoom! KM\KaVoomKM.exe [2007-1-31 1679360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\eSignal\\winros.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=

"c:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe"=

R3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [2007-12-13 10752]

R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]

S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-04-03 130936]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]

S2 KaVoom! KM;KaVoom! KM;c:\program files\KaVoom! KM\kavoomkm.exe [2007-01-31 1679360]

S3 S3SAVAGE4M;S3SAVAGE4M;c:\windows\system32\DRIVERS\s3sav4m.sys [2001-08-17 77824]

S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\urvpndrv.sys [2007-12-13 27008]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mStart Page = hxxp://www.google.com

IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

FF - ProfilePath - c:\documents and settings\trader\Application Data\Mozilla\Firefox\Profiles\xm8ek33n.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.excite.com/

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-19 18:53

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(664)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\wdfmgr.exe

c:\program files\RealVNC\VNC4\winvnc4.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-08-19 18:58 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-19 22:57

ComboFix2.txt 2009-08-19 22:01

Pre-Run: 30,675,972,096 bytes free

Post-Run: 30,632,742,912 bytes free

233 --- E O F --- 2009-08-19 22:39


Run ESET Online Scan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window: ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
     1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
     2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.
  4. Check esetAcceptTerms.png
  5. Click the esetStart.png button.
  6. Accept any security warnings from your browser.
  7. Check esetScanArchives.png
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push esetListThreats.png
  11. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the esetBack.png button.
  13. Push esetFinish.png

You can refer to this animation by neomage if needed.