WiredWX Christian Hobby Weather Tools

virus/spyware removal " system security" virus
got tagged with this today and can't open or download any program to cure.. need your help. running xp. thanks.

Re: virus/spyware removal " system security" virus
Please download SilentRunners from here:
RIGHT CLICK HERE

Right click the link, then select "Save target as...", or "Save link as..." depending on which browser you're using.

Then when it's downloaded, double click the vbs file to run it.
See if it will run or not. Allow 3-5 minutes for it to run fully.

If it runs, it will make a log file, copy and paste the log back here.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: virus/spyware removal " system security" virus
tried to save vbs script file allowed to save 391kb of silent runner file not sure if entire file was downloaded, will not allow me to open run script file..keeps blocking..??

Re: virus/spyware removal " system security" virus
Hello can you run Hijackthis?


Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.

............................................................................................

While my help is always free, please consider donating to keep this site alive: Donate


Re: virus/spyware removal " system security" virus
no luck, same as before, can save install, but will not open, I receive a message " forbidden i do not have permission to access/doin on this server. apache server at "track oainternet services.com port 80".. ????

Re: virus/spyware removal " system security" virus
Can you download MGTools?
http://forums.majorgeeks.com/chaslang/files/MGtools.exe


Re: virus/spyware removal " system security" virus
it appears I was able to download a 1.27mb file.. ?

Re: virus/spyware removal " system security" virus
Can you follow the instructions in this topic pertaining to MGtools:

http://forums.majorgeeks.com/showthread.php?t=137630


Re: virus/spyware removal " system security" virus
I am able to open mgtools folder, all files you mention are there, but when trying to open .bat files when i click open, system security auto closes file so I can't see what is in each, appears there is something in each file??

Re: virus/spyware removal " system security" virus
also the zip file is there but will not allow me to paste file to this note. I can pull the file up and view it which appears to be windows registry editor version 5.0 listing hkeys etc. a very long file, but system will not allow me to paste

Re: virus/spyware removal " system security" virus
Hello.
Please upload the zip file to rapidshare.com for me to see. :)


Re: virus/spyware removal " system security" virus
downloaded rapid share to my computer but will not run, I have the get unkey text doc, but can't copy/paste nor upload it..?

Re: virus/spyware removal " system security" virus
You don't need to download anything from rapidshare?

Anyways, we have Hijack This on your system now. Open this folder in bold:
C:\MGTools

Inside there, there is a file called "Analyze.exe", which is actually Hijack This.
Open Analyze.exe, does it run?


Re: virus/spyware removal " system security" virus
I can open analyse this, but window closes immed so can't see what it is doing???

Re: virus/spyware removal " system security" virus
You don't need to do a system scan, there's something else I want to do with it.

Will it stay open on the front page with the selection of buttons?


Re: virus/spyware removal " system security" virus
I can view the folder icon which has 392 kb in folder but it will not open

Re: virus/spyware removal " system security" virus
clarification on the analyse folder, it appears to be the trend micro, service agreement but window will not stay open for me to select accept??

Re: virus/spyware removal " system security" virus
Okay, let's try this first to null the blocker in the registry.


  • Now open a new notepad file.
  • Input this into the notepad file:

    [Version]
    Signature=$CHICAGO$

    [DefaultInstall]
    AddReg=Del.Settings

    [Del.Settings]
    HKLM,Software\Microsoft\Windows NT\CurrentVersion\Windows,AppInit_DLLs,0x00000000


  • Save this as fixreg.inf, save it to your desktop.
  • Right click fixreg.inf and select install.

Reboot and see if Analyze.exe will work.


Re: virus/spyware removal " system security" virus
notepad will not stay open for me to access

Re: virus/spyware removal " system security" virus
Will Wordpad work instead?


Re: virus/spyware removal " system security" virus
same thing, will not stay open//

Re: virus/spyware removal " system security" virus
Darn. Forget that then.
Go to Start > Run. In the run box, copy/paste in:

regedt32

Hit enter. Does the registry editor open?


Re: virus/spyware removal " system security" virus
opens for a second and closes?

Re: virus/spyware removal " system security" virus
Hello.

Please download Ice Sword from HERE
  1. Download the zip to your desktop and extract it.
  2. Open the Ice Sword folder and then launch IceSword.exe.
  3. Will IceSword stay open?


Re: virus/spyware removal " system security" virus
this is what i receive when trying to download
Forbidden
You don't have permission to access /~jfpan/download/IceSword120_en.zip on this server.
-------------------------------------------------------------------------------

Apache/2.0.52 (Red Hat) Server at 202.38.64.10 Port 80

Re: virus/spyware removal " system security" virus
additionally: I burned a copy of the ice.exe folder from my other computer and downloaded to my infected laptop..I have a file opened called 11abfc listing the hkeys for system 32.. help it may close at any time..thanks

Re: virus/spyware removal " system security" virus
also have opened the win32:110 services, think I see some problems but need your direction? thanks

Re: virus/spyware removal " system security" virus
Ah.
A newer version, randomly named when opened, nice!

We can use this, it won't close on us. :)

Click the "Registry" button on the bottom left. Now travel to the following key using the + button to go further in.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Once you have found the Run key, note down the value names in the right side panel.
I don't need to know what files they are pointing at, just the value names, I'll be able to tell what the malicious ones are.

Now do the same for this key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Note the two different hives (HKLM/HKCU).

Once you have noted down all the run values, post them back here so I can see them.
===

The malware run values for system security are most likely appearing as random numbers that point to:

C:\Documents and settings\USERNAME\Application Data\some more numbers.exe

Let me know if I'm right. :)


Re: virus/spyware removal " system security" virus
here we go:
local:
(default) no values
103
10753124
90763116
adobe reader speed launch
atipta
avp
cpqset
digstream
eabconfg.cpl
ehtray
hp software update
hp wireless assistant
isus pm startup
isusscheduler
itunes helper
kernelfault check
launch anti spy
lsb watcher
quicktime task
sunjava update scheduler
syntpenh

current user info:
(default) value not set
dfmon.exe
msmsqs
updatemgr

that's it.. let me know..thanks

Re: virus/spyware removal " system security" virus
Hello.
Thanks, now go back into the HKLM\...\Run key again, and delete the following three values:

103
10753124
90763116

You can delete them by highlighting each one, then press the red X on the toolbar, or right click each and select delete.

Okay any prompts that ask if you are sure.

Once those run values are gone, all the lockdown on tools will be unlocked and things will run normally again, so try running Hijack This. :)


Re: virus/spyware removal " system security" virus
deleted as instructed but will not allow me to run hijack install/

Re: virus/spyware removal " system security" virus
Hello.
Use IceSword again, and delete the following two values in HKLM\...\Run.

KernelFault Check
Launch Anti-Spy

Then boot to safe mode again, try running it there.


Re: virus/spyware removal " system security" virus
was able to run hijack, and saved logfile to notepad.. next?

Re: virus/spyware removal " system security" virus
Hooray! Post it back here. Let's get to work removing the rest of the malware. :D


Re: virus/spyware removal " system security" virus
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:20:48 PM, on 6/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\Explorer.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Alltel\QuickLink Mobile\QuickLink Mobile.exe
c:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\windows\eHome\ehRecvr.exe
C:\windows\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\windows\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\windows\eHome\ehmsas.exe
C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe
C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\windows\System32\svchost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avp.exe"
O4 - HKLM\..\RunOnce: [RealPlayer_update] C:\Program Files\Online Services\AOL90US\comps\rp\rp9codec.exe restart
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: QuickLink Mobile.lnk = C:\Program Files\Alltel\QuickLink Mobile\QuickLink Mobile.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Defender Pro Firewall.lnk = C:\Program Files\Defender Pro\Defender Pro Firewall\KAVPF.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\ie_banner_deny.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\PROGRA~1\DEFEND~3\DEFEND~1.0\adialhk.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: Defender Pro Internet Security (AVP) - Defender Pro - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 10105 bytes

Re: virus/spyware removal " system security" virus
Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    F2 - REG:system.ini: Shell=Explorer.exe logon.exe
    O4 - HKLM\..\RunOnce: [RealPlayer_update] C:\Program Files\Online Services\AOL90US\comps\rp\rp9codec.exe restart


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

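As an added example (not part of the thread, and not code from HijackThis or any tool named in it), the sketch below automates the checks the helper applies by eye in the posts above: a `Shell=` line that launches more than Explorer.exe, Run value names made only of digits, and Run targets that are executables sitting directly in the profile's Application Data folder. The sample log is constructed; the numeric entry in it is a placeholder, and the function names are this example's own.

```python
import re
from typing import List, NamedTuple, Tuple


class Finding(NamedTuple):
    line: str
    reasons: Tuple[str, ...]


# Constructed sample in HijackThis log format. The F2 line and the three
# vendor entries have the shape of lines in the thread; the numeric entry
# and its target are placeholders invented for this example.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [12345678] C:\Documents and Settings\USERNAME\Application Data\87654321.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
"""

# "O4 - HKLM\..\Run: [name] command" (Run and RunOnce, both hives)
O4_RUN = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run(?:Once)?): \[([^\]]+)\] (.+)$')
# "F2 - REG:system.ini: Shell=..."
F2_SHELL = re.compile(r'^F2 - REG:system\.ini: Shell=(.*)$', re.IGNORECASE)
# An .exe placed directly in "...\Application Data\", with no vendor subfolder
APPDATA_ROOT_EXE = re.compile(r'\\application data\\[^\\"]+\.exe', re.IGNORECASE)


def is_numeric_name(name: str) -> bool:
    """True when a Run value name consists only of ASCII digits."""
    return re.fullmatch(r"[0-9]+", name.strip()) is not None


def check_shell(value: str) -> Tuple[str, ...]:
    """Flag any token in the Winlogon Shell value other than Explorer.exe."""
    extra = [tok for tok in value.split() if tok.lower() != "explorer.exe"]
    if extra:
        return ("Shell launches more than Explorer.exe: " + " ".join(extra),)
    return ()


def check_run(name: str, command: str) -> Tuple[str, ...]:
    """Apply the two Run-entry heuristics described in the thread."""
    reasons = []
    if is_numeric_name(name):
        reasons.append("Run value name is only digits")
    if APPDATA_ROOT_EXE.search(command):
        reasons.append("target is an .exe directly under Application Data")
    return tuple(reasons)


def triage(log_text: str) -> List[Finding]:
    """Return the log lines that match at least one heuristic, with reasons."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        shell = F2_SHELL.match(line)
        if shell:
            reasons = check_shell(shell.group(1))
        else:
            run = O4_RUN.match(line)
            reasons = check_run(run.group(3), run.group(4)) if run else ()
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("    ->", reason)
```

The two values removed in the second pass, KernelFault Check and Launch Anti-Spy, have ordinary-looking names and would not be caught by these checks, so the output is a shortlist for a reviewer rather than a verdict.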

Re: virus/spyware removal " system security" virus
file log:
Malwarebytes' Anti-Malware 1.37
Database version: 2266
Windows 5.1.2600 Service Pack 3

6/12/2009 2:08:04 PM
mbam-log-2009-06-12 (14-08-04).txt

Scan type: Quick Scan
Objects scanned: 102293
Time elapsed: 6 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\systemsecurity2009 (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\documents and settings\charles ray\Start Menu\Programs\System Security (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\charles ray\start menu\Programs\system security\System Security 2009 Support.lnk (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\documents and settings\charles ray\start menu\Programs\system security\System Security 2009.lnk (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\documents and settings\charles ray\Desktop\System Security 2009.lnk (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\logon.exe (Trojan.Agent) -> Delete on reboot.

thanks for all your help,,, I have contributed to your worthy cause... thanks again

Re: virus/spyware removal " system security" virus
Hello.
Not done yet, one last scan.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


Re: virus/spyware removal " system security" virus
DDS (Ver_09-05-14.01) - NTFSx86
Run by charles ray at 14:39:55.43 on Fri 06/12/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1456 [GMT -4:00]

AV: Defender Pro Internet Security *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Defender Pro Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
c:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\windows\eHome\ehRecvr.exe
C:\windows\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
svchost.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\windows\System32\svchost.exe -k HTTPFilter
C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\windows\eHome\ehmsas.exe
C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\charles ray\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_9
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [DIGStream] c:\program files\digstream\digstream.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVP] "c:\program files\defender pro\defender pro internet security 6.0\avp.exe"
StartupFolder: c:\docume~1\charle~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\charle~1\startm~1\programs\startup\quickl~1.lnk - c:\program files\alltel\quicklink mobile\QuickLink Mobile.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\defend~1.lnk - c:\program files\defender pro\defender pro firewall\KAVPF.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: Add to Anti-Banner - c:\program files\defender pro\defender pro internet security 6.0\ie_banner_deny.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\defender pro\defender pro internet security 6.0\scieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\defend~3\defend~1.0\adialhk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 cf32a;cf32a;c:\windows\system32\drivers\cf32a.sys [2006-8-19 25783]
R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2009-2-7 39472]
R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2007-3-3 110360]
R1 klif;Klif;c:\windows\system32\drivers\klif.sys [2007-6-26 175376]
R2 AVP;Defender Pro Internet Security;c:\program files\defender pro\defender pro internet security 6.0\avz.exe [2007-8-14 206152]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 AVC3310F;AVC-3310/AVC-3610 USB Loader;c:\windows\system32\drivers\avcuwfl2.sys [2005-6-29 17536]
S3 AvcUWil2;Adaptec AVC-3210/3310/3610 USB Device;c:\windows\system32\drivers\avcuwil2.sys [2005-6-29 1434080]
S3 memcard;PCMCIA Memory Card Driver;c:\windows\system32\drivers\memcard.sys [2006-2-21 8320]
S3 PTDLBus;PANTECH UM175AL Composite Device Driver;c:\windows\system32\drivers\PTDLBus.sys [2009-2-25 32256]
S3 PTDLMdm;PANTECH UM175AL Drivers;c:\windows\system32\drivers\PTDLMdm.sys [2009-2-25 41344]
S3 PTDLVsp;PANTECH UM175AL Diagnostic Port;c:\windows\system32\drivers\PTDLVsp.sys [2009-2-25 39936]
S3 PTDLWWAN;PANTECH UM175AL WWAN Driver;c:\windows\system32\drivers\PTDLWWAN.sys [2009-2-25 59776]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

=============== Created Last 30 ================

2009-06-12 13:59 --d----- c:\docume~1\charle~1\applic~1\Malwarebytes
2009-06-12 13:59 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-12 13:59 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-12 13:59 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-12 13:59 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-12 13:20 --d----- c:\program files\Trend Micro
2009-06-12 07:36 --d----- C:\MGlogs
2009-06-12 06:58 29,563 a------- C:\MGlogs.zip
2009-06-11 21:19 --d----- C:\MGtools
2009-06-11 18:48 3,120 a------- c:\windows\LJRGKDD9.ocx
2009-06-11 12:49 --d----- c:\docume~1\alluse~1\applic~1\90763116
2009-06-11 12:49 --d----- c:\docume~1\alluse~1\applic~1\10753124
2009-06-09 19:59 1,985,024 -------- c:\windows\system32\dllcache\iertutil.dll
2009-06-09 19:59 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-09 19:59 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-06-09 19:59 11,064,832 -------- c:\windows\system32\dllcache\ieframe.dll
2009-05-21 14:58 3,247 a------- c:\windows\system32\wbem\Outlook_01c9da461b1a94a4.mof
2009-05-18 02:04 --d----- c:\docume~1\alluse~1\applic~1\ZoomBrowser
2009-05-17 23:39 --d----- c:\documents and settings\charles ray\[06AFB7]
2009-05-17 23:39 --d----- c:\documents and settings\charles ray\[035799]
2009-05-17 23:39 --d----- c:\documents and settings\charles ray\[035798]
2009-05-17 23:39 --d----- c:\documents and settings\charles ray\[035797]
2009-05-17 23:38 --d----- c:\documents and settings\charles ray\[035796]
2009-05-17 23:33 --d----- c:\documents and settings\charles ray\fat32.1
2009-05-17 23:31 --d----- c:\documents and settings\charles ray\[FAT32]
2009-05-16 23:12 --d----- c:\program files\MSECache

==================== Find3M ====================

2009-06-12 14:39 20,570,400 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-06-12 14:09 276,428 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-06-12 14:09 259,104 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-06-12 14:09 24,716 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-06-12 13:06 6,656 a------- c:\windows\system32\drivers\aec.sys
2009-05-20 13:32 105,395 a------- c:\windows\system32\drivers\klin.dat
2009-05-20 13:32 94,643 a------- c:\windows\system32\drivers\klick.dat
2009-05-13 01:15 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 17:22 1,207,808 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 17:22 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 17:22 385,536 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 07:21 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-25 01:30 102,400 -------- c:\windows\system32\dllcache\iecompat.dll
2009-04-21 07:46 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 08:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 10:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2008-11-13 12:10 170 a------- c:\docume~1\charle~1\applic~1\wklnhst.dat
2008-01-31 10:23 3,195,392 a--sh--- c:\program files\ehthumbs.db
2006-11-01 19:31 315,904 a------- c:\windows\inf\unregmp2(2).exe

============= FINISH: 14:40:15.70 ======

Re: virus/spyware removal " system security" virus

Hello.
There are some malicious folders left behind which we need to delete, and some suspicious folders that I can't find anything on.

First, I wanna see what's inside these suspicious folders.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:


    :dir
    c:\documents and settings\charles ray\[06AFB7]
    c:\documents and settings\charles ray\[035799]
    c:\documents and settings\charles ray\[035798]
    c:\documents and settings\charles ray\[035797]
    c:\documents and settings\charles ray\[035796]
    c:\documents and settings\charles ray\fat32.1
    c:\documents and settings\charles ray\[FAT32]


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

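The triage step in the post above (picking recently created folders out of the DDS log for a closer look), sketched as an added example that is not part of the original thread and not code from DDS. The function names and the two naming heuristics (all-digit folders under Application Data, bracketed folder names) are assumptions generalised from the folders named in this thread.

```python
"""Triage the "Created Last 30" section of a DDS log (added example)."""
import re
from typing import List, NamedTuple, Optional, Tuple

# Excerpt of the DDS log posted earlier in this thread (lines copied as-is).
SAMPLE_LOG = r"""
=============== Created Last 30 ================

2009-06-12 13:59 --d----- c:\docume~1\charle~1\applic~1\Malwarebytes
2009-06-12 13:59 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-12 13:20 --d----- c:\program files\Trend Micro
2009-06-11 18:48 3,120 a------- c:\windows\LJRGKDD9.ocx
2009-06-11 12:49 --d----- c:\docume~1\alluse~1\applic~1\90763116
2009-06-11 12:49 --d----- c:\docume~1\alluse~1\applic~1\10753124
2009-05-18 02:04 --d----- c:\docume~1\alluse~1\applic~1\ZoomBrowser
2009-05-17 23:39 --d----- c:\documents and settings\charles ray\[06AFB7]
2009-05-17 23:33 --d----- c:\documents and settings\charles ray\fat32.1
2009-05-17 23:31 --d----- c:\documents and settings\charles ray\[FAT32]

==================== Find3M ====================

2009-06-12 14:39 20,570,400 a--sh--- c:\windows\system32\drivers\fidbox.dat
"""

# Section banners look like "===== Title =====".
HEADER_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# <date> <time> [size] <8 attribute flags> <path>; directories carry no size.
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?:([\d,]+)\s+)?([a-z-]{8})\s+(.+)$"
)
# "Application Data" as a long name and as its 8.3 short name.
APPDATA_NAMES = {"applic~1", "application data"}


class Entry(NamedTuple):
    created: str
    size: Optional[int]
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        # The third attribute flag is "d" for directories ("--d-----").
        return self.attrs[2] == "d"


def parse_section(log: str, title: str) -> List[Entry]:
    """Return the file/folder entries listed under one section banner."""
    entries, in_section = [], False
    for raw in log.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            in_section = header.group(1).lower() == title.lower()
            continue
        match = ENTRY_RE.match(line) if in_section else None
        if match:
            created, size, attrs, path = match.groups()
            size_int = int(size.replace(",", "")) if size else None
            entries.append(Entry(created, size_int, attrs, path))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Flag directories whose names fit the assumed heuristics."""
    findings = []
    for entry in entries:
        if not entry.is_dir:
            continue
        parts = entry.path.lower().split("\\")
        leaf = parts[-1]
        parent = parts[-2] if len(parts) > 1 else ""
        if leaf.isdigit() and parent in APPDATA_NAMES:
            findings.append((entry.path, "numeric-appdata-dir"))
        elif re.fullmatch(r"\[[0-9a-z]+\]", leaf):
            findings.append((entry.path, "bracketed-dir"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(parse_section(SAMPLE_LOG, "Created Last 30")):
        print(f"{reason:20} {path}")
```

Neither rule matches fat32.1, which the helper also listed for inspection, so a pattern pass like this narrows the list for a human reviewer rather than replacing one.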

Re: virus/spyware removal " system security" virus

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 15:07 on 12/06/2009 by charles ray (Administrator - Elevation successful)

========== dir ==========

c:\documents and settings\charles ray\[06AFB7] - Parameters: "(none)"

---Files---
_MGO7&3#.CB2 --a--- 15830937 bytes [21:49 02/05/2001] [21:49 02/05/2001]
_MGO7&3$.CB2 --a--- 15969616 bytes [21:49 02/05/2001] [13:46 03/05/2001]
_MGO7&3%.CB2 --a--- 16008447 bytes [21:49 02/05/2001] [13:46 03/05/2001]
_MGO7&3&.CB2 --a--- 15403381 bytes [21:49 02/05/2001] [13:46 03/05/2001]
_MGO7&3'.CB2 --a--- 15606034 bytes [21:49 02/05/2001] [21:49 02/05/2001]
_MGO7&3(.CB2 --a--- 15975475 bytes [21:49 02/05/2001] [21:49 02/05/2001]
_MGO7&3).CB2 --a--- 16133172 bytes [21:50 02/05/2001] [21:50 02/05/2001]
_MGO7&4!.CB2 --a--- 16198705 bytes [21:50 02/05/2001] [21:50 02/05/2001]
_MGO7&4#.CB2 --a--- 16379147 bytes [21:50 02/05/2001] [13:46 03/05/2001]
_MGO7&4$.CB2 --a--- 15617727 bytes [21:50 02/05/2001] [13:46 03/05/2001]
_MGO7&4%.CB2 --a--- 15885018 bytes [21:50 02/05/2001] [21:50 02/05/2001]
_MGO7&4&.CB2 --a--- 14708558 bytes [21:51 02/05/2001] [21:51 02/05/2001]
_MGO7&4'.CB2 --a--- 14304252 bytes [21:51 02/05/2001] [21:51 02/05/2001]
_MGO7&4(.CB2 --a--- 14344899 bytes [21:51 02/05/2001] [21:51 02/05/2001]
_MGO7&4).CB2 --a--- 14672221 bytes [21:51 02/05/2001] [13:46 03/05/2001]
_MGO7&4.CB2 --a--- 13984463 bytes [21:50 02/05/2001] [13:46 03/05/2001]
_MGO7&5!.CB2 --a--- 13881308 bytes [21:51 02/05/2001] [13:46 03/05/2001]
_MGO7&5#.CB2 --a--- 13045130 bytes [21:52 02/05/2001] [13:46 03/05/2001]
_MGO7&5$.CB2 --a--- 13926651 bytes [21:52 02/05/2001] [13:46 03/05/2001]
_MGO7&5%.CB2 --a--- 13741857 bytes [21:52 02/05/2001] [13:46 03/05/2001]
_MGO7&5&.CB2 --a--- 12846204 bytes [21:52 02/05/2001] [21:52 02/05/2001]
_MGO7&5'.CB2 --a--- 14207785 bytes [21:52 02/05/2001] [13:46 03/05/2001]
_MGO7&5(.CB2 --a--- 13952356 bytes [21:52 02/05/2001] [21:52 02/05/2001]
_MGO7&5).CB2 --a--- 14731109 bytes [21:52 02/05/2001] [21:52 02/05/2001]
_MGO7&5.CB2 --a--- 13746243 bytes [21:51 02/05/2001] [13:46 03/05/2001]
_MGO7&6!.CB2 --a--- 15445800 bytes [21:53 02/05/2001] [21:53 02/05/2001]
_MGO7&6#.CB2 --a--- 15706436 bytes [21:54 02/05/2001] [21:54 02/05/2001]
_MGO7&6$.CB2 --a--- 15745052 bytes [21:54 02/05/2001] [21:54 02/05/2001]
_MGO7&6%.CB2 --a--- 15608303 bytes [21:54 02/05/2001] [21:54 02/05/2001]
_MGO7&6&.CB2 --a--- 15533566 bytes [21:54 02/05/2001] [21:54 02/05/2001]
_MGO7&6'.CB2 --a--- 15982718 bytes [21:54 02/05/2001] [01:38 03/05/2001]
_MGO7&6(.CB2 --a--- 15975022 bytes [21:55 02/05/2001] [01:38 03/05/2001]
_MGO7&6).CB2 --a--- 14688741 bytes [21:55 02/05/2001] [21:55 02/05/2001]
_MGO7&6.CB2 --a--- 15887222 bytes [21:53 02/05/2001] [21:53 02/05/2001]
_MGO7&7!.CB2 --a--- 14707554 bytes [21:55 02/05/2001] [01:38 03/05/2001]
_MGO7&7#.CB2 --a--- 14336050 bytes [21:56 02/05/2001] [13:46 03/05/2001]
_MGO7&7$.CB2 --a--- 15855069 bytes [21:56 02/05/2001] [13:46 03/05/2001]
_MGO7&7%.CB2 --a--- 15901498 bytes [21:56 02/05/2001] [01:38 03/05/2001]
_MGO7&7&.CB2 --a--- 17613338 bytes [21:57 02/05/2001] [13:46 03/05/2001]
_MGO7&7'.CB2 --a--- 18211797 bytes [21:57 02/05/2001] [21:57 02/05/2001]
_MGO7&7(.CB2 --a--- 18415781 bytes [21:57 02/05/2001] [01:38 03/05/2001]
_MGO7&7).CB2 --a--- 16330064 bytes [21:57 02/05/2001] [21:57 02/05/2001]
_MGO7&7.CB2 --a--- 15470332 bytes [21:55 02/05/2001] [13:46 03/05/2001]
_MGO7&8!.CB2 --a--- 16770124 bytes [21:59 02/05/2001] [01:38 03/05/2001]
_MGO7&8#.CB2 --a--- 13533710 bytes [21:59 02/05/2001] [01:38 03/05/2001]
_MGO7&8$.CB2 --a--- 14484757 bytes [21:59 02/05/2001] [01:38 03/05/2001]
_MGO7&8%.CB2 --a--- 16436337 bytes [21:59 02/05/2001] [13:46 03/05/2001]
_MGO7&8&.CB2 --a--- 16828291 bytes [20:00 02/05/2001] [13:46 03/05/2001]
_MGO7&8'.CB2 --a--- 15443097 bytes [20:00 02/05/2001] [20:00 02/05/2001]
_MGO7&8(.CB2 --a--- 15289130 bytes [20:00 02/05/2001] [20:00 02/05/2001]
_MGO7&8).CB2 --a--- 15098548 bytes [20:00 02/05/2001] [20:00 02/05/2001]
_MGO7&8.CB2 --a--- 16566336 bytes [21:57 02/05/2001] [21:57 02/05/2001]
_MGO7&9!.CB2 --a--- 16345262 bytes [20:00 02/05/2001] [20:00 02/05/2001]
_MGO7&9#.CB2 --a--- 17467106 bytes [20:01 02/05/2001] [20:01 02/05/2001]
_MGO7&9$.CB2 --a--- 14150874 bytes [20:01 02/05/2001] [20:01 02/05/2001]
_MGO7&9%.CB2 --a--- 15150644 bytes [20:01 02/05/2001] [20:01 02/05/2001]
_MGO7&9&.CB2 --a--- 16286687 bytes [20:01 02/05/2001] [13:46 03/05/2001]
_MGO7&9'.CB2 --a--- 16739169 bytes [20:03 02/05/2001] [20:03 02/05/2001]
_MGO7&9(.CB2 --a--- 17476366 bytes [20:03 02/05/2001] [01:38 03/05/2001]
_MGO7&9).CB2 --a--- 17540412 bytes [20:03 02/05/2001] [01:38 03/05/2001]
_MGO7&9.CB2 --a--- 14905094 bytes [20:00 02/05/2001] [20:00 02/05/2001]
_MGO7'0#.CB2 --a--- 16125844 bytes [20:05 02/05/2001] [20:05 02/05/2001]
_MGO7'0$.CB2 --a--- 14811211 bytes [20:05 02/05/2001] [01:38 03/05/2001]
_MGO7'0%.CB2 --a--- 13708236 bytes [20:05 02/05/2001] [13:46 03/05/2001]
_MGO7'0&.CB2 --a--- 14715152 bytes [20:05 02/05/2001] [13:46 03/05/2001]
_MGO7'0'.CB2 --a--- 14380715 bytes [20:05 02/05/2001] [01:39 03/05/2001]
_MGO7'0(.CB2 --a--- 14428693 bytes [20:05 02/05/2001] [01:39 03/05/2001]
_MGO7'0).CB2 --a--- 14009474 bytes [20:05 02/05/2001] [01:39 03/05/2001]
_MGO7'0.CB2 --a--- 16387288 bytes [20:03 02/05/2001] [20:03 02/05/2001]
_MGO7'1!.CB2 --a--- 13626928 bytes [20:05 02/05/2001] [01:39 03/05/2001]
_MGO7'1#.CB2 --a--- 13422315 bytes [20:06 02/05/2001] [20:06 02/05/2001]
_MGO7'1&.CB2 --a--- 15048833 bytes [20:08 02/05/2001] [13:46 03/05/2001]
_MGO7'1'.CB2 --a--- 14814089 bytes [20:08 02/05/2001] [20:08 02/05/2001]
_MGO7'1(.CB2 --a--- 14691588 bytes [20:08 02/05/2001] [20:08 02/05/2001]
_MGO7'1).CB2 --a--- 16115611 bytes [20:08 02/05/2001] [20:08 02/05/2001]
_MGO7'1.CB2 --a--- 14222145 bytes [20:05 02/05/2001] [01:39 03/05/2001]
_MGO7'2!.CB2 --a--- 14379306 bytes [20:09 02/05/2001] [20:09 02/05/2001]
_MGO7'2#.CB2 --a--- 14370657 bytes [20:09 02/05/2001] [20:09 02/05/2001]
_MGO7'2$.CB2 --a--- 17516800 bytes [20:12 02/05/2001] [20:12 02/05/2001]
_MGO7'2%.CB2 --a--- 17690107 bytes [20:12 02/05/2001] [20:12 02/05/2001]
_MGO7'2&.CB2 --a--- 14835749 bytes [20:13 02/05/2001] [20:13 02/05/2001]
_MGO7'2'.CB2 --a--- 13337011 bytes [20:13 02/05/2001] [20:13 02/05/2001]
_MGO7'2(.CB2 --a--- 13586127 bytes [20:14 02/05/2001] [13:46 03/05/2001]
_MGO7'2).CB2 --a--- 13747924 bytes [20:14 02/05/2001] [20:14 02/05/2001]
_MGO7'2.CB2 --a--- 14770224 bytes [20:08 02/05/2001] [13:46 03/05/2001]
_MGO7'3!.CB2 --a--- 15206232 bytes [20:14 02/05/2001] [20:14 02/05/2001]
_MGO7'3#.CB2 --a--- 15863774 bytes [20:15 02/05/2001] [01:39 03/05/2001]
_MGO7'3$.CB2 --a--- 14796171 bytes [20:16 02/05/2001] [13:46 03/05/2001]
_MGO7'3%.CB2 --a--- 13624408 bytes [20:16 02/05/2001] [13:46 03/05/2001]
_MGO7'3&.CB2 --a--- 13297799 bytes [20:16 02/05/2001] [01:39 03/05/2001]
_MGO7'3'.CB2 --a--- 13248159 bytes [20:16 02/05/2001] [01:39 03/05/2001]
_MGO7'3(.CB2 --a--- 13699231 bytes [20:16 02/05/2001] [13:46 03/05/2001]
_MGO7'3).CB2 --a--- 13633210 bytes [20:16 02/05/2001] [01:39 03/05/2001]
_MGO7'3.CB2 --a--- 14110279 bytes [20:14 02/05/2001] [20:14 02/05/2001]
_MGO7'4!.CB2 --a--- 13585486 bytes [20:17 02/05/2001] [13:46 03/05/2001]
_MGO7'4#.CB2 --a--- 14180603 bytes [20:17 02/05/2001] [20:17 02/05/2001]
_MGO7'4$.CB2 --a--- 14254760 bytes [20:17 02/05/2001] [20:17 02/05/2001]
_MGO7'4%.CB2 --a--- 15607165 bytes [20:17 02/05/2001] [20:17 02/05/2001]
_MGO7'4&.CB2 --a--- 15288970 bytes [20:17 02/05/2001] [20:17 02/05/2001]
_MGO7'4'.CB2 --a--- 16328421 bytes [20:17 02/05/2001] [13:46 03/05/2001]
_MGO7'4(.CB2 --a--- 15517278 bytes [20:17 02/05/2001] [13:46 03/05/2001]
_MGO7'4).CB2 --a--- 15239111 bytes [20:17 02/05/2001] [13:46 03/05/2001]
_MGO7'4.CB2 --a--- 13520593 bytes [20:16 02/05/2001] [01:39 03/05/2001]
_MGO7'5!.CB2 --a--- 14199868 bytes [20:18 02/05/2001] [13:46 03/05/2001]
_MGO7'5#.CB2 --a--- 12775231 bytes [20:18 02/05/2001] [20:18 02/05/2001]
_MGO7'5$.CB2 --a--- 13058826 bytes [20:18 02/05/2001] [20:18 02/05/2001]
_MGO7'5%.CB2 --a--- 14385851 bytes [20:18 02/05/2001] [20:18 02/05/2001]
_MGO7'5&.CB2 --a--- 12837592 bytes [20:18 02/05/2001] [01:39 03/05/2001]
_MGO7'5'.CB2 --a--- 13510099 bytes [20:18 02/05/2001] [01:39 03/05/2001]
_MGO7'5(.CB2 --a--- 13582957 bytes [20:18 02/05/2001] [13:46 03/05/2001]
_MGO7'5).CB2 --a--- 12299875 bytes [20:19 02/05/2001] [13:46 03/05/2001]
_MGO7'5.CB2 --a--- 14312904 bytes [20:17 02/05/2001] [01:39 03/05/2001]

---Folders---
None found.

c:\documents and settings\charles ray\[035799] - Parameters: "(none)"

---Files---
None found.

---Folders---
None found.

c:\documents and settings\charles ray\[035798] - Parameters: "(none)"

---Files---
R@3&1 --a--- 0 bytes [13:14 13/05/2001] [13:14 13/05/2001]

---Folders---
None found.

c:\documents and settings\charles ray\[035797] - Parameters: "(none)"

---Files---
_BECTO~! --a--- 0 bytes [20:28 01/05/2001] [20:28 01/05/2001]

---Folders---
None found.

c:\documents and settings\charles ray\[035796] - Parameters: "(none)"

---Files---
DE1!.CB2 --a--- 12355752 bytes [20:20 02/05/2001] [20:20 02/05/2001]
DE1.CB2 --a--- 12412261 bytes [20:08 02/05/2001] [20:08 02/05/2001]
DE2.CB2 --a--- 13500843 bytes [13:32 01/05/2001] [13:32 01/05/2001]
DE3.CB2 --a--- 14936331 bytes [13:33 01/05/2001] [13:33 01/05/2001]
DE4.CB2 --a--- 12542836 bytes [13:31 01/05/2001] [13:31 01/05/2001]
DE5.CB2 --a--- 12061201 bytes [00:07 02/05/2001] [00:07 02/05/2001]
DE6.CB2 --a--- 12108043 bytes [00:28 02/05/2001] [00:28 02/05/2001]
DE7.CB2 --a--- 12378698 bytes [17:28 02/05/2001] [17:28 02/05/2001]
DE8.CB2 --a--- 16852079 bytes [20:03 02/05/2001] [20:03 02/05/2001]
DE9.CB2 --a--- 11380290 bytes [20:07 02/05/2001] [20:07 02/05/2001]
DESKTOP.INI --a--- 65 bytes [20:28 01/05/2001] [20:28 01/05/2001]
INFO2 --a--- 9620 bytes [20:28 01/05/2001] [01:33 03/05/2001]

---Folders---
None found.

c:\documents and settings\charles ray\fat32.1 - Parameters: "(none)"

---Files---
DCIM --a--- 0 bytes [17:41 07/04/2001] [17:41 07/04/2001]
RECICLED --a--- 0 bytes [20:28 01/05/2001] [20:28 01/05/2001]
SISDEM~! --a--- 0 bytes [20:28 01/05/2001] [20:28 01/05/2001]

---Folders---
[035796] d----- [03:33 18/05/2009]

c:\documents and settings\charles ray\[FAT32] - Parameters: "(none)"

---Files---
DCIM --a--- 0 bytes [17:41 07/04/2001] [17:41 07/04/2001]
RECICLED --a--- 0 bytes [20:28 01/05/2001] [20:28 01/05/2001]
SISDEM~! --a--- 0 bytes [20:28 01/05/2001] [20:28 01/05/2001]

---Folders---
[035796] d----- [03:31 18/05/2009]

-=End Of File=-

Re: virus/spyware removal " system security" virus

Okay, we'll leave them alone for now.

Let's get rid of those malicious folders now.

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Folders to delete:
c:\docume~1\alluse~1\applic~1\90763116
c:\docume~1\alluse~1\applic~1\10753124
C:\MGlogs
C:\MGtools


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


Re: virus/spyware removal " system security" virus

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Folder "c:\docume~1\alluse~1\applic~1\90763116" deleted successfully.
Folder "c:\docume~1\alluse~1\applic~1\10753124" deleted successfully.
Folder "C:\MGlogs" deleted successfully.
Folder "C:\MGtools" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Re: virus/spyware removal " system security" virus

Okay, that should do it now.

How is the machine running now?


Re: virus/spyware removal " system security" virus

my anti spy software detected the following files, upon reboot, can you explain what these are? at present they were neutralized. thanks

1. detected: riskware Trojan.generic Running process: C:\Documents and Settings\charles ray\Local Settings\Temp\SVGInstallTemp.0000\Winstall.exe
2. detected: Trojan program Trojan-Downloader.JS.LuckySploit.o URL: http://bolelshiko.com/bb/?t=3//bolelshiko
3. not found: Trojan program Trojan.Win32.Zapchast.uy File: C:\cleanup.exe
4. detected: riskware Hidden install Running process: C:\Documents and Settings\charles ray\Local Settings\Temporary Internet Files\Content.IE5\DQRO7PRB\eu261en[1].exe
5. detected: riskware Hidden install Running process: C:\Documents and Settings\charles ray\Local Settings\Temporary Internet Files\Content.IE5\CTEJODA3\dpp361en[1].exe
6. detected: riskware Hidden install Running process: C:\Documents and Settings\charles ray\Local Settings\Temporary Internet Files\Content.IE5\K3EBULET\rc150upd_7l[1].exe
7. detected: riskware Hidden install Running process: C:\Documents and Settings\charles ray\Local Settings\Temporary Internet Files\Content.IE5\WD2BW5M3\zb631upd_en[1].exe
8. detected: riskware Hidden install Running process: C:\Documents and Settings\charles ray\Local Settings\Temporary Internet Files\Content.IE5\I3WFULKN\pse150en[1].exe

Re: virus/spyware removal " system security" virus

Aside from this file:

C:\cleanup.exe

Which is a false positive, it's part of the avenger. The rest are temp files. You can delete the cleanup.exe in C: drive now.

Download ATF Cleaner

  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:

  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:

  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


Re: virus/spyware removal " system security" virus

all clear. again, many thanks...you guys are GREAT!!!!
