Desktoplayer.exe Ramnit.A virus on Win7 x64 machine

Discussion in 'Malware Help (A Specialist Will Reply)' started by Convectuoso, Oct 25, 2010.

  1. Convectuoso

    Convectuoso Private E-2

    Hi everyone, I just wanted anyone's thoughts on this before I give up and reformat my machine to get rid of the Ramnit.A malware.

    I noticed I had issues on Friday when I could not get Firefox or Chrome to launch. I ran SUPERAntiSpyware and Malwarebytes' Anti-Malware, but neither could remove all of the flagged files. Unfortunately I was going away for the weekend, so I left it till this morning to 'resolve', and have spent most of the day running assorted malware removal tools. Although the browsers are now working, the desktoplayer.exe file and others are still being found.

    I've attached my latest log from MBAM and also my MGlogs zip file. From trawling the threads on this forum I'm now running my first ESET scan, of which I'll post the log before continuing with back-to-back scans and logs. It's currently at 70% with over 8000 infected files!

    I'm not too precious about avoiding the reformat as I have all of my data on a QNAP NAS drive, which appears to be uninfected; however, if I can at all avoid having to reinstall all my software and preferences etc. it will save me a lot of time.

    Thanks in advance for any help
     

    Attached Files:

  2. Convectuoso

    Convectuoso Private E-2

    Ok, so the first ESET scan completed and found 30960 infected files!!

    I've attached the log file and will set the scanner off for a second time.

    Thanks again guys
     

    Attached Files:

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Wait a minute.... I have a fix first.
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Java(TM) 6 Update 20 <--- Uninstall this outdated Java. Remember to install the most current version of Java, but not yet...

    WinSCP 4.2.8 <--- uninstall this too if you did not deliberately install it yourself.

    Tell me the contents of these folders:

    • C:\Users\Stephen\AppData\Local\{D0EA012E-46BD-4AFE-8D5C-4A91D260C6F0}
    • C:\ProgramData\{E961CE1B-C3EA-4882-9F67-F859B555D097}

    If you did not purposely set this proxy yourself then please include it in the HJT fix below:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.

    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.


    Code:
    :services
    RelevantKnowledge
    
    :reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe," 
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "{52BC02AB-7B86-82F6-4C00-3F0AA76F4E46}"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"="GO36F4~1.DLL"
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{B54EA511-894A-4FBD-8284-945603EB7D90}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{B54EA511-894A-4FBD-8284-945603EB7D90}]
    
    :files
    C:\Windows\system32\turigop.dll 
    C:\Windows\system32\lutolaz.dll  
    C:\Windows\system32\wipaleg.dll
    C:\Windows\system32\bapazip.dll
    C:\Windows\winstart.bat
    C:\Windows\system32\ydopweSrvSrvSrvSrvSrv.exe
    C:\Windows\system32\ydopweSrvSrvSrvSrv.exe
    C:\Windows\system32\ydopweSrvSrvSrv.exe
    C:\Users\Stephen\AppData\Roaming\Ureru\irbuz.exe
    C:\Users\Stephen\AppData\Roaming\Ureru
    C:\Windows\system32\asec.exe 
    C:\Windows\system32\awaza.exe 
    C:\Windows\system32\biyvf.exe 
    C:\Windows\system32\bogae.exe 
    C:\Windows\system32\dufu.exe 
    C:\Windows\system32\esbyyd.exe 
    C:\Windows\system32\ewaxt.exe 
    C:\Windows\system32\ewquus.exe 
    C:\Windows\system32\giyg.exe 
    C:\Windows\system32\hagoq.exe 
    C:\Windows\system32\inxuid.exe 
    C:\Windows\system32\ivbya.exe 
    C:\Windows\system32\ixdyq.exe 
    C:\Windows\system32\koakx.exe 
    C:\Windows\system32\liolm.exe 
    C:\Windows\system32\myleah.exe 
    C:\Windows\system32\nanuqy.exe 
    C:\Windows\system32\niek.exe 
    C:\Windows\system32\niudi.exe 
    C:\Windows\system32\nulour.exe 
    C:\Windows\system32\oczifa.exe 
    C:\Windows\system32\odre.exe 
    C:\Windows\system32\olakyt.exe 
    C:\Windows\system32\olyh.exe 
    C:\Windows\system32\oplo.exe 
    C:\Windows\system32\oxcawe.exe 
    C:\Windows\system32\piewip.exe 
    C:\Windows\system32\pihe.exe 
    C:\Windows\system32\pofady.exe 
    C:\Windows\system32\puopar.exe 
    C:\Windows\system32\puyn.exe 
    C:\Windows\system32\pyulk.exe 
    C:\Windows\system32\qowe.exe 
    C:\Windows\system32\ragyki.exe 
    C:\Windows\system32\reef.exe 
    C:\Windows\system32\riugav.exe 
    C:\Windows\system32\sehee.exe 
    C:\Windows\system32\teso.exe 
    C:\Windows\system32\tygy.exe 
    C:\Windows\system32\ublabu.exe 
    C:\Windows\system32\unub.exe 
    C:\Windows\system32\utle.exe 
    C:\Windows\system32\uzcuc.exe 
    C:\Windows\system32\wamyac.exe 
    C:\Windows\system32\xavio.exe
    C:\Windows\system32\xiviqa.exe 
    C:\Windows\system32\yvnour.exe 
    C:\Windows\system32\yxpyad.exe 
    C:\Windows\system32\zoomu.exe 
    C:\Windows\system32\zyrahu.exe 
    C:\Program Files (x86)\RelevantKnowledge
    C:\Users\Stephen\AppData\Local\bxpsvrekv
    C:\Users\Stephen\AppData\Local\Egiduwowohonevo.dat
    C:\Users\Stephen\AppData\Local\fxysvjebt
    C:\Users\Stephen\AppData\Local\Mleyebosuyega.bin
    C:\Windows\SysWOW64\wayamas.dll
    C:\Windows\system32\wayamas.dll
    C:\Users\Stephen\Start Menu\Programs\Startup\ydopweSrvSrvSrv.exe
    C:\Users\Stephen\Start Menu\Programs\Startup\ydopweSrvSrvSrvSrv.exe
    C:\Users\Stephen\Start Menu\Programs\Startup\ydopweSrvSrvSrvSrvSrv.exe
    C:\Program Files (x86)\Internet Explorer\iexploreSrv.exe
    C:\Users\Stephen\Local Settings\TEMP\svchostSrv.exe
    
    :Commands
    [emptytemp]
    
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

    Please go to virustotal and upload the following files for analysis, and let me know the results.

    • C:\ProgramData\{3511382535}2010.10.21.21.25.11.sdl
    • C:\ProgramData\{3511382535}2010.10.24.23.11.57.sdl
    • C:\ProgramData\{968218125}2010.10.21.21.9.14.sdl
    • C:\ProgramData\{968218125}2010.10.24.22.31.57.sdl
    • C:\Windows\system32\xactengine3_0.dll

    What are you currently using for antivirus?

    Now run three more ESET scans, consecutively, without any reboots in between and attach the logs for me to see.

    Run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    (Remember to tell me about those folders I asked about too)
     
  5. Convectuoso

    Convectuoso Private E-2

    Hi Kestrel13!,

    Thanks so much for your response and the time you've taken to look at this for me; it's really appreciated. Unfortunately I went to bed after initialising the second ESET scan (of which I've attached the log) and so didn't see your post till this morning (here in the UK). I've worked through your instructions, though, as follows; it's just taken a while for all the scans to complete!


    Uninstalled Java.
    Uninstalled WinSCP and was prompted to restart, which I declined.

    Contents of C:\Users\Stephen\AppData\Local\{D0EA012E-46BD-4AFE-8D5C-4A91D260C6F0}

    File folder named "chrome"
    MANIFEST FILE named "chrome.manifest"
    RDF file named "install.rdf"

    Inside the file folder named "chrome" is another file folder named "content", and inside that is:
    JScript Script file named "_cfg.js"
    XUL file named "overlay.xul"

    Contents of C:\ProgramData\{E961CE1B-C3EA-4882-9F67-F859B555D097}

    This is a hidden file and contains nothing.

    I ran HJT, but these items below were not included in the scan, as I assume my second ESET scan already removed them:

    O4 - .DEFAULT User Startup: asec.exe (User 'Default user')
    O4 - .DEFAULT User Startup: awaza.exe (User 'Default user')
    O4 - .DEFAULT User Startup: biyvf.exe (User 'Default user')
    O4 - .DEFAULT User Startup: dufu.exe (User 'Default user')
    O4 - .DEFAULT User Startup: hagoq.exe (User 'Default user')
    O4 - .DEFAULT User Startup: inxuid.exe (User 'Default user')
    O4 - .DEFAULT User Startup: ivbya.exe (User 'Default user')
    O4 - .DEFAULT User Startup: koakx.exe (User 'Default user')
    O4 - .DEFAULT User Startup: liolm.exe (User 'Default user')
    O4 - .DEFAULT User Startup: nanuqy.exe (User 'Default user')
    O4 - .DEFAULT User Startup: olakyt.exe (User 'Default user')
    O4 - .DEFAULT User Startup: olyh.exe (User 'Default user')
    O4 - .DEFAULT User Startup: pihe.exe (User 'Default user')
    O4 - .DEFAULT User Startup: pofady.exe (User 'Default user')
    O4 - .DEFAULT User Startup: puopar.exe (User 'Default user')
    O4 - .DEFAULT User Startup: puyn.exe (User 'Default user')
    O4 - .DEFAULT User Startup: reef.exe (User 'Default user')
    O4 - .DEFAULT User Startup: sehee.exe (User 'Default user')
    O4 - .DEFAULT User Startup: ublabu.exe (User 'Default user')
    O4 - .DEFAULT User Startup: unub.exe (User 'Default user')
    O4 - .DEFAULT User Startup: xavio.exe (User 'Default user')
    O4 - Startup: ydopweSrvSrvSrv.exe
    O4 - Startup: ydopweSrvSrvSrvSrv.exe
    O4 - Startup: ydopweSrvSrvSrvSrvSrv.exe

    Ran OTM, which shut down my browser but completed OK and asked for a reboot.

    I went to VirusTotal and browsed to upload the files you requested, but only the ones ending in .57 were the same; the other two now read as:

    • C:\ProgramData\{3511382535}2010.10.26.2.22.48.sdl
    • C:\ProgramData\{968218125}2010.10.26.9.34.27.sdl

    The results were as follows:

    {968218125}2010.10.24.22.31.57

    File already submitted: The file sent has already been analysed by VirusTotal in the past. This is some basic info regarding the sample itself and its last analysis:

    MD5: 6b0fe64629117bcb28c34f28c8b05a5a
    Date first seen: 2010-10-21 22:16:16 (UTC)
    Date last seen: 2010-10-21 22:16:16 (UTC)
    Detection ratio: 1/42

    I clicked on "view last report" to create the PDF printout.


    {968218125}2010.10.26.9.34.27

    PDF printout created


    {3511382535}2010.10.24.23.11.57

    File already submitted: The file sent has already been analysed by VirusTotal in the past. This is some basic info regarding the sample itself and its last analysis:

    MD5: 6b0fe64629117bcb28c34f28c8b05a5a
    Date first seen: 2010-10-21 22:16:16 (UTC)
    Date last seen: 2010-10-21 22:16:16 (UTC)
    Detection ratio: 1/42

    I clicked on "view last report" to create the PDF printout.



    {3511382535}2010.10.26.2.22.48

    File already submitted: The file sent has already been analysed by VirusTotal in the past. This is some basic info regarding the sample itself and its last analysis:

    MD5: 67cc11cb52cf32a874a502228cc10914
    Date first seen: 2010-10-26 08:50:59 (UTC)
    Date last seen: 2010-10-26 08:50:59 (UTC)
    Detection ratio: 1/42

    I clicked on "view last report" to create the PDF printout.


    xactengine3_0.dll

    File already submitted: The file sent has already been analysed by VirusTotal in the past. This is some basic info regarding the sample itself and its last analysis:

    MD5: 8a83673f0ab001870583fde2b004fa59
    Date first seen: 2009-04-29 14:41:41 (UTC)
    Date last seen: 2010-09-14 17:57:22 (UTC)
    Detection ratio: 0/43

    I clicked on "view last report" to create the PDF printout.



    I've run the ESET online scan twice now since these instructions, and it's running a third time, but I thought I'd post my results so far as I'm not sure it's getting any better! The second run after the instructions (giving the ESETlog3.log in the attachments) ran for 7 hours but froze up, so I stopped it and proceeded.

    Thanks again for the help
     

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode, if you haven't done so already.

    Rename all these files to include a .old extension. Let a few days go by and then delete them, I think.
    • C:\ProgramData\{3511382535}2010.10.24.23.11.57.sdl
    • C:\ProgramData\{3511382535}2010.10.26.2.22.48.sdl
    • C:\ProgramData\{968218125}2010.10.24.22.31.57.sdl
    • C:\ProgramData\{968218125}2010.10.26.9.34.27.sdl

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    • F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,,c:\program files (x86)\microsoft\desktoplayer.exe,c:\program files\asus\six engine\sixenginesrv.exe
    • O4 - HKLM\..\Run: [gayanoz] Rundll32.exe "C:\Windows\SysWOW64\wayamas.dll" s
    • O4 - .DEFAULT User Startup: bogae.exe (User 'Default user')
    • O4 - .DEFAULT User Startup: esbyyd.exe (User 'Default user')
    • O4 - .DEFAULT User Startup: ewaxt.exe (User 'Default user')
    • O4 - .DEFAULT User Startup: ewquus.exe (User 'Default user')
    • O4 - .DEFAULT User Startup: giyg.exe (User 'Default user')
    • O4 - .DEFAULT User Startup: ixdyq.exe (User 'Default user')
    • O4 - .DEFAULT User Startup: myleah.exe (User 'Default user')
    • O4 - .DEFAULT User Startup: niek.exe (User 'Default user')
    • O4 - .DEFAULT User Startup: niudi.exe (User 'Default user')
    • O4 - .DEFAULT User Startup: nulour.exe (User 'Default user')
    • O4 - .DEFAULT User Startup: oczifa.exe (User 'Default user')
    • O4 - .DEFAULT User Startup: odre.exe (User 'Default user')
    • O4 - .DEFAULT User Startup: oplo.exe (User 'Default user')
    • O4 - .DEFAULT User Startup: oxcawe.exe (User 'Default user')
    • O4 - .DEFAULT User Startup: piewip.exe (User 'Default user')
    • O4 - .DEFAULT User Startup: pyulk.exe (User 'Default user')
    • O4 - .DEFAULT User Startup: qowe.exe (User 'Default user')
    • O4 - .DEFAULT User Startup: ragyki.exe (User 'Default user')
    • O4 - .DEFAULT User Startup: riugav.exe (User 'Default user')
    • O4 - .DEFAULT User Startup: teso.exe (User 'Default user')
    • O4 - .DEFAULT User Startup: tygy.exe (User 'Default user')
    • O4 - .DEFAULT User Startup: utle.exe (User 'Default user')
    • O4 - .DEFAULT User Startup: uzcuc.exe (User 'Default user')
    • O4 - .DEFAULT User Startup: wamyac.exe (User 'Default user')
    • O4 - .DEFAULT User Startup: xiviqa.exe (User 'Default user')
    • O4 - .DEFAULT User Startup: yvnour.exe (User 'Default user')
    • O4 - .DEFAULT User Startup: yxpyad.exe (User 'Default user')
    • O4 - .DEFAULT User Startup: zoomu.exe (User 'Default user')
    • O4 - .DEFAULT User Startup: zyrahu.exe (User 'Default user')
    After clicking Fix exit HJT.


    Code:
    :reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe," 
    
    :files
    C:\Users\Stephen\AppData\Local\{D0EA012E-46BD-4AFE-8D5C-4A91D260C6F0}
    C:\ProgramData\{E961CE1B-C3EA-4882-9F67-F859B555D097}
    C:\Users\Stephen\AppData\Roaming\winscp.rnd
    C:\Program Files (x86)\sys23
    C:\Program Files (x86)\system
    C:\Program Files (x86)\temp
    C:\Program Files (x86)\tmp
    C:\Windows\TEMP\ib48D2.tmp
    C:\Windows\TEMP\ib48D3.tmp
    C:\Windows\TEMP\ib48D4.tmp
    C:\Windows\TEMP\ib48F4.tmp
    C:\Windows\TEMP\ib49A0.tmp
    C:\Users\Stephen\Local Settings\TEMP\exp212A.tmp
    C:\Users\Stephen\Local Settings\TEMP\exp2244.tmp
    C:\Users\Stephen\Local Settings\TEMP\exp23A5.tmp
    C:\Users\Stephen\Local Settings\TEMP\exp7D8C.tmp
    C:\Users\Stephen\Local Settings\TEMP\exp7EA6.tmp
    C:\Users\Stephen\Local Settings\TEMP\exp8026.tmp
    C:\Users\Stephen\Local Settings\TEMP\expAF47.tmp
    C:\Users\Stephen\Local Settings\TEMP\expB035.tmp
    C:\Users\Stephen\Local Settings\TEMP\expB0E8.tmp
    C:\Users\Stephen\Local Settings\TEMP\flaA95E.tmp
    C:\Users\Stephen\Local Settings\TEMP\NODD40F.tmp
    C:\Users\Stephen\Local Settings\TEMP\temp0.jar
    C:\Users\Stephen\Local Settings\TEMP\temp1.jar
    C:\Users\Stephen\Local Settings\TEMP\temp2.jar
    C:\Windows\system32\bapazip.dll
    C:\Windows\SysWOW64\wayamas.dll
    c:\program files (x86)\microsoft\desktoplayer.exe
    C:\Windows\system32\bogae.exe 
    C:\Windows\system32\esbyyd.exe 
    C:\Windows\system32\ewaxt.exe 
    C:\Windows\system32\ewquus.exe 
    C:\Windows\system32\giyg.exe 
    C:\Windows\system32\ixdyq.exe 
    C:\Windows\system32\myleah.exe 
    C:\Windows\system32\niek.exe 
    C:\Windows\system32\niudi.exe 
    C:\Windows\system32\nulour.exe 
    C:\Windows\system32\oczifa.exe 
    C:\Windows\system32\odre.exe 
    C:\Windows\system32\oplo.exe 
    C:\Windows\system32\oxcawe.exe 
    C:\Windows\system32\piewip.exe 
    C:\Windows\system32\pyulk.exe 
    C:\Windows\system32\qowe.exe 
    C:\Windows\system32\ragyki.exe 
    C:\Windows\system32\riugav.exe 
    C:\Windows\system32\teso.exe 
    C:\Windows\system32\tygy.exe 
    C:\Windows\system32\utle.exe 
    C:\Windows\system32\uzcuc.exe 
    C:\Windows\system32\wamyac.exe 
    C:\Windows\system32\xiviqa.exe 
    C:\Windows\system32\yvnour.exe
    C:\Windows\system32\yxpyad.exe 
    C:\Windows\system32\zoomu.exe 
    C:\Windows\system32\zyrahu.exe 
    C:\Windows\system32\wayamas.dll
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

    Now download LSP-Fix.

    Run LSP-Fix.
    • Check the box labeled "I know what I'm doing" and then click on the xactengine3_0.dll file (in the "Keep" section) to select it.
    • Then, select the >> button to move xactengine3_0.dll into the Remove section.
    • Now, click the Finish Button. When the Repair Summary box appears, click OK.
    • If it is already in the Remove section, just click Finish.

    Run three more ESET scans, one after the other with no rebooting in between. Attach logs from those.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  7. Convectuoso

    Convectuoso Private E-2

    Hi Kestrel13

    I've attached the requested logs; sorry it's taken a while to respond, but the ESET scans took ages.

    Thanks again for all of the help.
     

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    It sucks, I know, but to try and get rid of this infection we need to not lose heart and keep at it, despite how long it takes.

    Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.



    Code:
    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "{52BC02AB-7B86-82F6-4C00-3F0AA76F4E46}"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe," 
    
    :files
    C:\Windows\SysWOW64\wayamas.dll
    C:\Windows\system32\bapazip.dll
    c:\program files (x86)\microsoft\desktoplayer.exe
    C:\Users\Stephen\AppData\Roaming\Raura\ikkoa.exe
    C:\Users\Stephen\AppData\Roaming\avdrn.dat
    C:\Users\Stephen\AppData\Roaming\oygrfv.dat
    C:\Users\Stephen\Start Menu\Programs\Startup\Antimalware Doctor.lnk
    C:\Users\Stephen\Start Menu\Programs\Startup\desktop.ini
    C:\Users\Stephen\Start Menu\Programs\Startup\icarwo.exe
    C:\Users\Stephen\Start Menu\Programs\Startup\ixopo.exe
    C:\Users\Stephen\Start Menu\Programs\Startup\monfnh32.exe
    C:\Users\Stephen\Start Menu\Programs\Startup\reidqe.exe
    C:\Users\Stephen\Start Menu\Programs\Startup\ryilmo.exe
    C:\Users\Stephen\Start Menu\Programs\Startup\xeehf.exe
    C:\Users\Stephen\Start Menu\Programs\Startup\ybfi.exe
    C:\Program Files (x86)\tmp
    C:\Program Files (x86)\win
    C:\Program Files (x86)\windows
    C:\Users\Stephen\AppData\Roaming\Raura
    C:\Windows\system32\pugohaw.dll
    C:\Users\Stephen\Start Menu\Programs\Startup\ahax.exe 
    C:\Users\Stephen\Start Menu\Programs\Startup\bogae.exe 
    C:\Users\Stephen\Start Menu\Programs\Startup\esbyyd.exe 
    C:\Users\Stephen\Start Menu\Programs\Startup\ewaxt.exe 
    C:\Users\Stephen\Start Menu\Programs\Startup\ewquus.exe 
    C:\Users\Stephen\Start Menu\Programs\Startup\giyg.exe 
    C:\Users\Stephen\Start Menu\Programs\Startup\ixdyq.exe 
    C:\Users\Stephen\Start Menu\Programs\Startup\myleah.exe 
    C:\Users\Stephen\Start Menu\Programs\Startup\niek.exe 
    C:\Users\Stephen\Start Menu\Programs\Startup\niudi.exe 
    C:\Users\Stephen\Start Menu\Programs\Startup\nulour.exe 
    C:\Users\Stephen\Start Menu\Programs\Startup\oczifa.exe 
    C:\Users\Stephen\Start Menu\Programs\Startup\odre.exe 
    C:\Users\Stephen\Start Menu\Programs\Startup\oplo.exe 
    C:\Users\Stephen\Start Menu\Programs\Startup\opotde.exe 
    C:\Users\Stephen\Start Menu\Programs\Startup\oxcawe.exe
    C:\Users\Stephen\Start Menu\Programs\Startup\piewip.exe
    C:\Users\Stephen\Start Menu\Programs\Startup\pyulk.exe 
    C:\Users\Stephen\Start Menu\Programs\Startup\qeos.exe
    C:\Users\Stephen\Start Menu\Programs\Startup\qowe.exe 
    C:\Users\Stephen\Start Menu\Programs\Startup\ragyki.exe 
    C:\Users\Stephen\Start Menu\Programs\Startup\riugav.exe 
    C:\Users\Stephen\Start Menu\Programs\Startup\teso.exe 
    C:\Users\Stephen\Start Menu\Programs\Startup\tygy.exe
    C:\Users\Stephen\Start Menu\Programs\Startup\utle.exe 
    C:\Users\Stephen\Start Menu\Programs\Startup\uzcuc.exe 
    C:\Users\Stephen\Start Menu\Programs\Startup\wamyac.exe 
    C:\Users\Stephen\Start Menu\Programs\Startup\waytl.exe 
    C:\Users\Stephen\Start Menu\Programs\Startup\xiviqa.exe 
    C:\Users\Stephen\Start Menu\Programs\Startup\yvnour.exe 
    C:\Users\Stephen\Start Menu\Programs\Startup\yxpyad.exe
    C:\Users\Stephen\Start Menu\Programs\Startup\zoomu.exe
    C:\Users\Stephen\Start Menu\Programs\Startup\zyrahu.exe
    C:\Users\Stephen\Start Menu\Programs\Startup\icarwo.exe
    C:\Users\Stephen\Start Menu\Programs\Startup\ixopo.exe
    C:\Users\Stephen\Start Menu\Programs\Startup\monfnh32.exe
    C:\Users\Stephen\Start Menu\Programs\Startup\reidqe.exe
    C:\Users\Stephen\Start Menu\Programs\Startup\ryilmo.exe
    C:\Users\Stephen\Start Menu\Programs\Startup\xeehf.exe
    C:\Users\Stephen\Start Menu\Programs\Startup\ybfi.exe
    C:\Users\Stephen\AppData\Roaming\40B8D9DA0A3B237CE2F97AB98466ED5F
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

    Keep going with the ESET scans! Three more and attach the logs.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
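    The three fixes in this thread keep coming back to the same handful of autostart locations: the Winlogon Userinit chain (where desktoplayer.exe was appended after userinit.exe), AppInit_DLLs, the Run keys (the rundll32 "wayamas.dll" loader), the per-user and Default user Startup folders full of random-named .exe files, and the Winsock LSP catalog (xactengine3_0.dll). Ramnit is also a file infector, writing itself into .exe, .dll and .htm/.html files, which is why ESET keeps reporting tens of thousands of infected files and why the scans are run back to back. The script below is an added example for this page, not part of the thread and not code from HijackThis, OTM, LSP-Fix or MajorGeeks: it audits those same persistence points from an elevated PowerShell prompt and lists anything that does not belong. The function names, the "trusted = validly Authenticode-signed" rule and the allowlist of system directories are this example's own assumptions.

```powershell
# Added example, not part of the thread: audit the persistence points that the
# fixes above kept targeting (Winlogon\Userinit, AppInit_DLLs, Run keys, Startup
# folders, Winsock LSP catalog) and list anything that does not look right.
# Run from an elevated PowerShell prompt. The allowlists and the
# "trusted = validly Authenticode-signed" rule are this example's assumptions.

$Findings = New-Object System.Collections.ArrayList

function Add-Finding($Source, $Value, $Reason) {
    [void]$Findings.Add((New-Object PSObject -Property @{
        Source = $Source; Value = $Value; Reason = $Reason }))
}

function Test-TrustedBinary($Path) {
    # Trusted only if the file exists and carries a valid Authenticode signature.
    # On Windows 7 catalog-signed system files can show as NotSigned, so treat a
    # hit as "look at this", not as a verdict.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    return ((Get-AuthenticodeSignature -FilePath $Path).Status -eq 'Valid')
}

function Test-UserinitChain {
    # Userinit is a comma-separated list and Windows runs every entry at logon;
    # that is how desktoplayer.exe came back after each clean-up. Only
    # userinit.exe itself belongs here.
    $key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $expected = Join-Path $env:SystemRoot 'system32\userinit.exe'
    $value    = (Get-ItemProperty -Path $key -Name Userinit).Userinit
    foreach ($entry in ($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        if ($entry -ne $expected) { Add-Finding 'Winlogon\Userinit' $entry 'extra Userinit entry' }
    }
}

function Test-AppInitDlls {
    # AppInit_DLLs is loaded into every process that links user32.dll; expect it empty.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($p -and $p.AppInit_DLLs) { Add-Finding 'AppInit_DLLs' $p.AppInit_DLLs "set in $key" }
    }
}

function Test-RunKeys {
    # Flag Run entries that are rundll32 wrappers (like the wayamas.dll loader in
    # this thread) or whose target binary is missing or not validly signed.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        $k = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $k) { continue }
        foreach ($name in $k.GetValueNames()) {
            $cmd = [string]$k.GetValue($name)
            if ($cmd -match 'rundll32') {
                Add-Finding "Run\$name" $cmd 'rundll32 loader; inspect the DLL it loads'
                continue
            }
            # The executable is the quoted token if present, otherwise the first token.
            $exe = if ($cmd -match '^"([^"]+)"') { $matches[1] } else { ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            if (-not (Test-TrustedBinary $exe)) {
                Add-Finding "Run\$name" $cmd 'target missing or not validly signed'
            }
        }
    }
}

function Test-StartupFolders {
    # Ramnit filled the Default user and per-user Startup folders with random-named
    # .exe files. Report every executable or shortcut found in any Startup folder.
    $suffix = 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    $dirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
    $dirs += Get-ChildItem "$env:SystemDrive\Users" -Force |
             Where-Object { $_.PSIsContainer } |
             ForEach-Object { Join-Path $_.FullName $suffix }
    foreach ($d in $dirs) {
        if (-not (Test-Path -LiteralPath $d)) { continue }
        Get-ChildItem -LiteralPath $d -Force |
            Where-Object { $_.Extension -match '^\.(exe|dll|com|scr|pif|bat|cmd|lnk)$' } |
            ForEach-Object {
                $why = if ($_.Extension -eq '.lnk') { 'shortcut in Startup; check its target' }
                       elseif (Test-TrustedBinary $_.FullName) { 'executable in Startup (signed)' }
                       else { 'unsigned executable in Startup' }
                Add-Finding 'Startup folder' $_.FullName $why
            }
    }
}

function Test-WinsockCatalog {
    # Every Winsock provider/LSP DLL sits in the path of every socket. Flag any
    # that lives outside System32/SysWOW64, and any system-dir DLL without a
    # valid signature (xactengine3_0.dll as an LSP belongs in neither category).
    $sysdirs = @("$env:SystemRoot\system32", "$env:SystemRoot\SysWOW64")
    foreach ($line in (netsh winsock show catalog)) {
        if ($line -match '^\s*Provider Path:\s*(.+?)\s*$') {
            $dll = [Environment]::ExpandEnvironmentVariables($matches[1])
            $dir = Split-Path -Path $dll -Parent
            $inSys = $false
            foreach ($s in $sysdirs) { if ($dir -eq $s) { $inSys = $true } }
            if (-not $inSys) { Add-Finding 'Winsock LSP' $dll 'provider DLL outside the system directories' }
            elseif (-not (Test-TrustedBinary $dll)) { Add-Finding 'Winsock LSP' $dll 'system-dir DLL without a valid signature' }
        }
    }
}

function Invoke-PersistenceAudit {
    $Findings.Clear()
    Test-UserinitChain; Test-AppInitDlls; Test-RunKeys; Test-StartupFolders; Test-WinsockCatalog
    return $Findings
}

Invoke-PersistenceAudit | Format-Table Source, Reason, Value -AutoSize -Wrap
```

    The output is a triage list, not a set of verdicts: on Windows 7 with PowerShell 2.0, Get-AuthenticodeSignature reports catalog-signed Microsoft files as NotSigned, so a "not validly signed" row on a file under System32 needs a second look (VirusTotal, as Kestrel13! asks for above) before it goes into an OTM :files list. What the script will not catch is the infector side of Ramnit, the thousands of legitimate .exe/.dll/.html files that now carry the virus body; only a full disinfection scan, or the reformat the original poster was weighing, deals with those.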
