
Data Doctor 2010 virus/trojan/malware serious problem



mytone1
2010-01-09, 05:03
Hello,

I have a pretty nasty trojan/virus/malware problem. I think this is a relatively new piece of malware, being that I can't find much data on it.


I'm getting 2 alternating fake windows protection notices in the system tray with a red x inside a shield. They are as follows:

1. Windows detected that some of your documents & media files are corrupted. Click here to download & install recommended file repair software.

2. Some registry keys are invalid, system can run with errors & poor performance.

Firefox and Internet Explorer won't run, although I can get on Firefox through a link on the HijackThis Main Menu page that says

"Open online Hijack this Quick Start"

Malwarebytes gets stuck on an endless scan of mbam.exe. Can't open Outlook. I tried scanning with Kaspersky and ESET; these found nothing. Did a scan with a-squared Free and it found this:

C:\Documents and Settings\Owner.GATEWAY\Local Settings\Temp\ddsetup.exe detected: Riskware.FraudTool.Win32.Agent!IK
C:\Documents and Settings\Owner.GATEWAY\Local Settings\Temporary Internet Files\Content.IE5\3PNCG2SF\dd.2010.setup[1].exe detected: Riskware.FraudTool.Win32.Agent!IK



Attached is the DDS log. Thanks in advance for your help.



DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 22:43:34.31 on Thu 01/07/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1918.1140 [GMT -5:00]

AV: ESET Smart Security 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe
C:\Program Files\Lexmark 5600-6600 Series\ezprint.exe
C:\Program Files\Logitech\Harmony Remote\EasyZapperMonitor.exe
C:\Program Files\Logitech\Harmony Remote\EasyZapperManagerExe.exe
svchost.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxduserv.exe
C:\WINDOWS\system32\lxducoms.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Owner.GATEWAY\Desktop\Virus\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.gotomypc.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [lxdumon.exe] "c:\program files\lexmark 5600-6600 series\lxdumon.exe"
mRun: [EzPrint] "c:\program files\lexmark 5600-6600 series\ezprint.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\harmon~1.lnk - c:\program files\logitech\harmony remote\EasyZapperMonitor.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://support.gateway.com/support/profiler/PCPitStop.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} - hxxp://u3.sandisk.com/download/apps/LPInstaller.CAB
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} - hxxp://support.gateway.com/support/serialharvest/gwCID.CAB
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {F375116A-793C-11D2-BFE1-444553540001} - hxxp://realist2.firstamres.com/mapviewer/mapviewer.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: c:\windows\system32\tandl.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner~1.gat\applic~1\mozilla\firefox\profiles\8io3g23c.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://health.msn.com/
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npxsciter.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [2007-5-18 10368]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-4-9 107256]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-8-12 1858144]
R2 CLBUDF;CyberLink UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [2007-5-18 182272]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-4-9 731840]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-10-29 47640]
R2 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe -service --> c:\windows\system32\lxducoms.exe -service [?]
R2 lxduCATSCustConnectService;lxduCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxduserv.exe [2009-11-10 98984]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S3 palmmdm;Palm Modem;c:\windows\system32\drivers\palmmdm.sys [2006-1-30 9728]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-01-07 15:45:34 0 d-sha-w- c:\windows\Repair
2010-01-05 16:48:41 696832 ----a-w- c:\windows\isRS-000.tmp
2010-01-05 03:31:32 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 03:31:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-05 03:31:26 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-04 03:20:57 0 d-----w- C:\Temp
2010-01-04 03:02:29 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-01-04 03:02:25 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-01-04 03:02:20 17408 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-01-04 03:02:15 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-01-04 03:02:10 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-01-04 03:00:55 701386 -c--a-w- c:\windows\system32\dllcache\wdhaalba.sys
2010-01-04 02:59:56 397502 -c--a-w- c:\windows\system32\dllcache\vpctcom.sys
2010-01-04 02:59:55 86073 -c--a-w- c:\windows\system32\dllcache\voicesub.dll
2010-01-04 02:59:54 426041 -c--a-w- c:\windows\system32\dllcache\voicepad.dll
2010-01-04 02:59:49 604253 -c--a-w- c:\windows\system32\dllcache\vmodem.sys
2010-01-04 02:59:44 249402 -c--a-w- c:\windows\system32\dllcache\vinwm.sys
2010-01-04 02:59:39 24576 -c--a-w- c:\windows\system32\dllcache\viairda.sys
2010-01-04 02:59:36 11325 -c--a-w- c:\windows\system32\dllcache\vchnt5.dll
2010-01-04 02:59:29 687999 -c--a-w- c:\windows\system32\dllcache\usrwdxjs.sys
2010-01-04 02:59:23 765884 -c--a-w- c:\windows\system32\dllcache\usrti.sys
2010-01-04 02:59:18 113762 -c--a-w- c:\windows\system32\dllcache\usrpda.sys
2010-01-04 02:59:13 7556 -c--a-w- c:\windows\system32\dllcache\usroslba.sys
2010-01-04 02:59:08 224802 -c--a-w- c:\windows\system32\dllcache\usr1807a.sys
2010-01-04 02:59:03 794399 -c--a-w- c:\windows\system32\dllcache\usr1806v.sys
2010-01-04 02:57:57 211968 -c--a-w- c:\windows\system32\dllcache\um54scan.dll
2010-01-04 02:56:59 31744 -c--a-w- c:\windows\system32\dllcache\tp4.dll
2010-01-04 02:55:57 36640 -c--a-w- c:\windows\system32\dllcache\t2r4mini.sys
2010-01-04 02:54:55 48736 -c--a-w- c:\windows\system32\dllcache\srwlnd5.sys
2010-01-04 02:53:59 5632 -c--a-w- c:\windows\system32\dllcache\smimsgif.dll
2010-01-04 02:52:59 73832 -c--a-w- c:\windows\system32\dllcache\slcoinst.dll
2010-01-04 02:51:57 98080 -c--a-w- c:\windows\system32\dllcache\sgiulnt5.sys
2010-01-04 02:50:57 495616 -c--a-w- c:\windows\system32\dllcache\sblfx.dll
2010-01-04 02:49:57 79872 -c--a-w- c:\windows\system32\dllcache\rwia430.dll
2010-01-04 02:48:57 714762 -c--a-w- c:\windows\system32\dllcache\r2mdmkxx.sys
2010-01-04 02:47:59 7168 -c--a-w- c:\windows\system32\dllcache\pnrmc.sys
2010-01-04 02:46:56 30495 -c--a-w- c:\windows\system32\dllcache\pc100nds.sys
2010-01-04 02:45:55 54528 -c--a-w- c:\windows\system32\dllcache\OLDBA8.tmp
2010-01-04 02:44:58 126080 -c--a-w- c:\windows\system32\dllcache\OLDB6F.tmp
2010-01-04 02:43:58 128000 -c--a-w- c:\windows\system32\dllcache\OLDB1E.tmp
2010-01-04 02:42:55 2944 -c--a-w- c:\windows\system32\dllcache\OLDADC.tmp
2010-01-04 02:42:50 40960 -c--a-w- c:\windows\system32\dllcache\OLDAD8.tmp
2010-01-04 02:42:49 22016 -c--a-w- c:\windows\system32\dllcache\OLDAD5.tmp
2010-01-04 02:42:47 98304 -c--a-w- c:\windows\system32\dllcache\OLDACE.tmp
2010-01-04 02:42:47 1875968 -c--a-w- c:\windows\system32\dllcache\OLDAD1.tmp
2010-01-04 02:42:39 35200 -c--a-w- c:\windows\system32\dllcache\OLDACB.tmp
2010-01-04 02:42:34 6016 -c--a-w- c:\windows\system32\dllcache\OLDAC7.tmp
2010-01-04 02:42:19 15360 -c--a-w- c:\windows\system32\dllcache\OLDAC3.tmp
2010-01-04 02:42:15 16128 -c--a-w- c:\windows\system32\dllcache\OLDABF.tmp
2010-01-04 02:42:06 6528 -c--a-w- c:\windows\system32\dllcache\OLDA98.tmp
2010-01-04 02:42:01 7680 -c--a-w- c:\windows\system32\dllcache\OLDA94.tmp
2010-01-04 02:40:59 802683 -c--a-w- c:\windows\system32\dllcache\OLDA43.tmp
2010-01-04 02:39:59 242176 -c--a-w- c:\windows\system32\dllcache\OLD9EF.tmp
2010-01-04 02:38:59 152576 -c--a-w- c:\windows\system32\dllcache\OLD944.tmp
2010-01-04 02:37:58 79872 -c--a-w- c:\windows\system32\dllcache\OLD8CC.tmp
2010-01-04 02:36:56 353184 -c--a-w- c:\windows\system32\dllcache\OLD873.tmp
2010-01-04 02:35:58 289887 -c--a-w- c:\windows\system32\dllcache\OLD825.tmp
2010-01-04 02:34:58 39936 -c--a-w- c:\windows\system32\dllcache\OLD7D9.tmp
2010-01-04 02:33:59 72192 -c--a-w- c:\windows\system32\dllcache\OLD75A.tmp
2010-01-04 02:32:59 92160 -c--a-w- c:\windows\system32\dllcache\OLD6D4.tmp
2010-01-04 02:31:59 144896 -c--a-w- c:\windows\system32\dllcache\OLD673.tmp
2010-01-04 02:30:57 28062 -c--a-w- c:\windows\system32\dllcache\OLD606.tmp
2010-01-04 02:29:58 131156 -c--a-w- c:\windows\system32\dllcache\OLD59A.tmp
2010-01-04 02:28:58 72832 -c--a-w- c:\windows\system32\dllcache\OLD51C.tmp
2010-01-04 02:27:59 1677824 -c--a-w- c:\windows\system32\dllcache\OLD499.tmp
2010-01-04 02:26:59 66082 -c--a-w- c:\windows\system32\dllcache\OLD3AB.tmp
2010-01-04 02:25:59 144384 -c--a-w- c:\windows\system32\dllcache\OLD2D4.tmp
2010-01-04 02:24:58 29455 -c--a-w- c:\windows\system32\dllcache\OLD21D.tmp
2010-01-04 02:23:59 584448 -c--a-w- c:\windows\system32\dllcache\OLD177.tmp
2010-01-04 02:22:55 76800 -c--a-w- c:\windows\system32\dllcache\OLD10B.tmp
2009-12-29 06:09:06 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-12-29 06:09:06 159232 ----a-w- c:\windows\system32\ptpusd.dll

==================== Find3M ====================

2010-01-03 11:47:05 102400 ----a-w- c:\windows\system32\tandl.dll
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 06:00:55 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00:55 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:53:29 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54:17 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54:17 112128 ----a-w- c:\windows\system32\rastls.dll

============= FINISH: 22:44:28.46 ===============

Blade81
2010-01-09, 13:12
Hi,

Please post attach.txt part of DDS too. Try Sunbelt 2010 Data Decryption Tool (http://www.sunbeltsecurity.com/DownLoads.aspx) on those "corrupted" (actually encrypted) files. Follow the instructions given behind the link.

mytone1
2010-01-10, 03:04
Hi,

Please post attach.txt part of DDS too. Try Sunbelt 2010 Data Decryption Tool (http://www.sunbeltsecurity.com/DownLoads.aspx) on those "corrupted" (actually encrypted) files. Follow the instructions given behind the link.

Here is the Attach file. I'm not exactly sure what to do with this Sunbelt link, but I'm going to investigate.

Thanks so much for your help.

One thing I'm not clear on. Data Doctor is not installed on my computer. I managed to find the ddsetup.exe and delete it, so the program never actually installed. But whatever the vehicle is that installed the malware, it is still active on my computer. That's why I get the Windows file protection messages and my IE, Firefox, email and other programs are not working. Will the Sunbelt link still help me?

mytone1
2010-01-10, 03:39
I read the detail on the Sunbelt decryption tool. I have not come across any encrypted files.

I believe whatever I have replaced a lot of the files in my c:\WINDOWS\system32\dllcache folder. There are many entries like the ones in the attached file (it's a .jpg file). I found these files by running Your Uninstaller and searching for temp files. There are 449 of these files; I took a picture of just a few of them. I deleted all the temp files and they are now in my Recycle Bin. The date and time of these files correspond to when I first encountered this virus/trojan.
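An added triage example, not part of this thread or any tool mentioned in it: a small Python parser for DDS-style log lines that flags two things visible in the log posted above, an AppInit_DLLs entry whose DLL was created or changed recently, and a burst of .tmp files dropped into system32\dllcache. The sample lines are constructed in the shape of the posted log, and the 10-minute window and 3-file threshold are assumed defaults.

```python
"""Triage helper for DDS-style logs (added example, not from the thread)."""
import re
from datetime import datetime, timedelta
# Constructed sample in the same shape as the DDS log posted above.
SAMPLE_LOG = """\
AppInit_DLLs: c:\\windows\\system32\\tandl.dll
=============== Created Last 30 ================
2010-01-04 02:45:55 54528 -c--a-w- c:\\windows\\system32\\dllcache\\OLDBA8.tmp
2010-01-04 02:44:58 126080 -c--a-w- c:\\windows\\system32\\dllcache\\OLDB6F.tmp
2010-01-04 02:43:58 128000 -c--a-w- c:\\windows\\system32\\dllcache\\OLDB1E.tmp
2010-01-04 02:42:55 2944 -c--a-w- c:\\windows\\system32\\dllcache\\OLDADC.tmp
==================== Find3M ====================
2010-01-03 11:47:05 102400 ----a-w- c:\\windows\\system32\\tandl.dll
2009-10-29 07:45:38 916480 ----a-w- c:\\windows\\system32\\wininet.dll
"""

# "<date> <time> <size> <attrs> <path>", as DDS prints Created/Find3M entries.
FILE_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (\S+) (.+)$")

def parse_file_entries(text):
    """Return (timestamp, lowercased path) for every dated file line."""
    entries = []
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            entries.append((ts, m.group(4).strip().lower()))
    return entries

def appinit_dlls(text):
    """Paths on the AppInit_DLLs line; Windows loads these into every
    process that maps user32.dll, so a fresh entry deserves scrutiny."""
    for line in text.splitlines():
        if line.lower().startswith("appinit_dlls:"):
            return [p.strip().lower() for p in line.split(":", 1)[1].split(",") if p.strip()]
    return []

def recent_appinit_dlls(text, since):
    """AppInit DLLs whose on-disk timestamp is on/after `since` (YYYY-MM-DD)."""
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    dated = {path: ts for ts, path in parse_file_entries(text)}
    return [d for d in appinit_dlls(text) if d in dated and dated[d] >= cutoff]

def dllcache_tmp_bursts(text, window_minutes=10, min_files=3):
    """Clusters of .tmp files dropped into system32\\dllcache (the Windows File
    Protection cache) within `window_minutes` of each cluster's first file.
    Returns (first_iso, last_iso, count) per cluster."""
    window = timedelta(minutes=window_minutes)
    hits = sorted(ts for ts, p in parse_file_entries(text)
                  if "\\dllcache\\" in p and p.endswith(".tmp"))
    bursts, cur = [], []
    for ts in hits + [None]:  # None is a sentinel that flushes the last cluster
        if ts is None or (cur and ts - cur[0] > window):
            if len(cur) >= min_files:
                bursts.append((cur[0].isoformat(), cur[-1].isoformat(), len(cur)))
            cur = []
        if ts is not None:
            cur.append(ts)
    return bursts
```

Run against a full DDS log, the burst detector will report the one-minute-spaced OLD*.tmp drops in dllcache as a single cluster, and the AppInit check will surface tandl.dll because Find3M dates it inside the infection window.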

Blade81
2010-01-10, 12:37
Hi,

As I said earlier, the infection encrypts files and then shows messages about corrupted files to convince the user that the suggested repair software is needed to correct the issue. That's pure scam.

Start MBAM, update its definitions on update tab. Run a quick scan (let it delete found items) and post back the report it creates.


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:


Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Blade81
2010-01-17, 14:12
Due to inactivity, this thread will now be closed.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.