Hijackthis log


This topic is locked.
185 replies to this topic

#61 rsre15 (Authentic Member, 153 posts)

Posted 13 November 2006 - 09:07 PM

Incident                     | Status          | Location
Virus:Trj/Agent.CZZ          | Disinfected     | Operating system
Virus:trj/abwiz.a            | Disinfected     | Operating system
Adware:adware/adsmart        | Not disinfected | c:\windows\system32\vx.tll
Adware:adware/webattaker     | Not disinfected | c:\windows\uniq
Spyware:spyware/media-motor  | Not disinfected | Windows Registry
Adware:adware/toolbarsimbar  | Not disinfected | Windows Registry
Virus:Trj/Agent.CZZ          | Disinfected     | C:\!KillBox\agysteo.exe
Virus:Trj/Ruins.DA           | Disinfected     | C:\!KillBox\dmnqr.exe
Possible Virus.              | Not disinfected | C:\Documents and Settings\Rick\Desktop\SmitfraudFix\swsc.exe
Possible Virus.              | Not disinfected | C:\Documents and Settings\Rick\Local Settings\Temp\stdrun4.exe
Virus:Trj/Agent.CZZ          | Disinfected     | C:\Program Files\Analog Devices\Core\smax4pnp.exe
Virus:Trj/Agent.CZZ          | Disinfected     | C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
Virus:Trj/Agent.CZZ          | Disinfected     | C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
Virus:Trj/Agent.CZZ          | Disinfected     | C:\Program Files\McAfee.com\VSO\mcvsshld.exe
Virus:Trj/Agent.CZZ          | Disinfected     | C:\Program Files\McAfee.com\VSO\oasclnt.exe


#62 beynac (Silver Member, Visiting Fellow, 459 posts)

Posted 14 November 2006 - 01:53 AM

I'm afraid that you have picked up a file-infector trojan. This is why McAfee Security Center disappeared - the file is infected. Unfortunately, this is very new (Kaspersky only added it to their database on Sunday). This is why Dr.Web CureIT! couldn't 'cure' the files and probably why Panda hasn't picked them all up.

I suggest that you disconnect this computer from the internet, to prevent the infection pulling in more nasties. Until we get it fixed, it is unlikely that your McAfee programs are working. If you have another computer, I suggest that you use this to post and download any tools and only connect the infected one if I ask you to run an online scan. If you don't have another computer, please only connect this one for the minimum time necessary. Only reboot the computer if absolutely necessary.

I would like you to download and run a tool that has been developed to fight a very similar infection. Download it to your desktop from: http://noahdfear.gee...com/FindAWF.exe, double-click to run the program and post the log here (awf.txt). Please also post a new HijackThis log.

I will let you know more once I have had a chance to do some research on this trojan.
beynac
Honors Graduate of MalWare Removal University - A Cooperative Effort with What the Tech Classroom
Member of the Alliance of Security Analysis Professionals (ASAP)

#63 rsre15 (Authentic Member, 153 posts)

Posted 14 November 2006 - 03:03 PM

I am unable to run the program. I downloaded it to the desktop, however when I try to run it I get a message saying "McAfee ActiveShield has found a suspect file on your computer, Mcafee strongly recommends that you scan your computer now." Of course when I press ok nothing happens because the Mcafee is no longer installed.

#64 beynac (Silver Member, Visiting Fellow, 459 posts)

Posted 14 November 2006 - 03:13 PM

Try running it in Safe Mode.

Important: Make sure that you are not connected to the internet while in Safe Mode.

Boot to Safe Mode. To do this:
  • Restart your computer.
  • Continually tap the F8 button as your computer is booting, until a menu appears.
  • Use up-arrow key to select Safe Mode and press Enter.
Now double-click on FindAWF.exe.

If this works, please post the report (awf.txt). Otherwise let me know. Don't worry about the HijackThis log at the moment.

Good luck!
beynac

#65 rsre15 (Authentic Member, 153 posts)

Posted 14 November 2006 - 04:42 PM

Didn't work in safe mode either! I am beginning to think that I am SOL! A new computer might be in the works for Christmas. Wanted to let you know that every time I tried to search for something in safe mode or click start, run- the computer would totally freeze up.

#66 beynac (Silver Member, Visiting Fellow, 459 posts)

Posted 14 November 2006 - 06:02 PM

I've asked for advice on this. It looks as if it's infecting your system files now.

In the meantime, there's one thing I'd like you to try:

In normal mode...
Copy the link location: http://noahdfear.gee...com/FindAWF.exe
Open Internet Explorer and paste the link into the address bar.
When the download box opens, click on Run instead of Save
Allow the file to run when you get the warning.
A black window should open.
If this works, let the program run.
When it finishes, Notepad will open.
Copy and paste the contents of that text file here.

<EDIT>If 'McAfee' comes up with a warning, close the window or click on No/Cancel. Don't click OK.</EDIT>

Edited by beynac, 14 November 2006 - 06:38 PM.

beynac

#67 beynac (Silver Member, Visiting Fellow, 459 posts)

Posted 15 November 2006 - 02:32 PM

How is it going? Have you been able to try the suggestion in my previous post? The situation is serious, but if I can just get the information on the rogue files, we stand a fighting chance of getting this sorted out. We need to try a few different methods to get this information. If any of these work, then stop (don't try any other steps), paste the log here and wait for my reply. If none of them work, please let me know what happened.

-----------------------------------------------------------------------------

First, please try what I suggested in my previous post, if you have not already tried it. I repeat the instructions here:

Note: If 'McAfee' comes up with a warning, close the window or click on No/Cancel. Don't click OK

In normal mode...
Copy the link location: http://noahdfear.gee...com/FindAWF.exe
Open Internet Explorer and paste the link into the address bar.
When the download box opens, click on Run instead of Save
Allow the file to run when you get the warning.
A black window should open.
If this works, let the program run.
When it finishes, Notepad will open.
Copy and paste the contents of that text file here.

--------------------------------------------------------------------------------

Next, please download the following programs to your desktop (don't run them yet):
  • A fresh version of FindAWF from here (replace the previous version)
  • ComboFix by sUBs from here
Disconnect from the internet. Reboot before reconnecting to post the log, but don't forget to make sure you have it safe first.

--------------------------------------------------------------------------------

We need to make sure that none of the following processes are running. To check, you need to press the Ctrl+Alt+Del keys to open Task Manager. Click on the Processes tab and then click on Image Name (this will put the processes in order). If any of the following are running, right-click on them and select End process.

hkcmd.exe
igfxpers.exe
igfxtray.exe
mcagent.exe
mcdetect.exe
mcmnhdlr.exe
mcregwiz.exe
mcshield.exe
mctskshd.exe
mcupdate.exe
mcvsshld.exe
mmtask.exe
MotiveSB.exe
MpfService.exe
MpfTray.exe
mscifapp.exe
oasclnt.exe
qttask.exe
tfswctrl.exe
VerizonSupport.exe

If this doesn't work with any (or all) of these, please continue with the rest of the instructions.

--------------------------------------------------------------------------------

FindAWF

Double-click on FindAWF.exe to run the program and post the log here (awf.txt)

-------------------------------------------------------------------------------

ComboFix by sUBs

This is another tool that could give us the information, if we can't get FindAWF to run.
  • Close all open windows.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log for you. Post that log in your next reply
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Please split the log into separate posts to ensure that they don't get cut off. It is important that I see the full log.

------------------------------------------------------------------------------

Good luck with this!
beynac

#68 rsre15 (Authentic Member, 153 posts)

Posted 15 November 2006 - 04:04 PM

OK, first of all my Task Manager is disabled under this user. It has been since I first got infected. I tried to enable it through steps on the internet before I started corresponding with you, but I was told I have a missing file. I can use it under other users - I don't know if that helps. Secondly, I was unable to run "AWF" through the copy and paste method. So I shall wait for further instructions before I download anything.

#69 rsre15 (Authentic Member, 153 posts)

Posted 15 November 2006 - 04:05 PM

Sorry, I didn't read ahead I will try the other methods you listed first.

#70 rsre15 (Authentic Member, 153 posts)

Posted 15 November 2006 - 04:24 PM

Alright, could not run AWF but here is the other:

Rick - 06-11-15 17:12:39.28
Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Rick\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Documents and Settings\Rick\Application Data\Install.dat

((((((((((((((((((((((((((((((( Files Created from 2006-10-15 to 2006-11-15 ))))))))))))))))))))))))))))))))))

2006-11-10 10:42    5,120      --a------  C:\explorer1.exe
2006-10-29 21:50    16,508,560 --a------  C:\jre-1_5_0_09-windows-i586-p.exe
2006-10-29 13:02    3,968      --a------  C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2006-10-25 08:37    94,720     --a------  C:\WINDOWS\SYSTEM32\qykcscn.dll
2006-10-24 05:20    0          --a------  C:\WINDOWS\SYSTEM32\msmapi32.exe
2006-10-24 05:20    0          --a------  C:\WINDOWS\SYSTEM32\intr32.dll
2006-10-15 13:34    135,168    --a------  C:\WINDOWS\SYSTEM32\igfxres.dll
2006-10-15 12:53    24,661     --a------  C:\WINDOWS\SYSTEM32\spxcoins.dll
2006-10-15 12:53    13,312     --a------  C:\WINDOWS\SYSTEM32\irclass.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-11-14 19:54    21042      --a------  C:\Documents and Settings\Rick\Application Data\wklnhst.dat
2006-11-14 19:25    --------   d---s----  C:\Documents and Settings\Rick\Application Data\Microsoft
2006-11-13 21:38    --------   d--------  C:\Program Files\Internet Explorer
2006-11-13 21:28    --------   d--------  C:\Program Files\QuickTime
2006-11-13 21:28    --------   d--------  C:\Program Files\Dell Support
2006-11-12 09:56    83528      --a------  C:\Documents and Settings\Rick\Application Data\GDIPFONTCACHEV1.DAT
2006-11-08 16:01    --------   d--------  C:\Program Files\Common Files\Microsoft Shared
2006-10-29 22:08    --------   d--------  C:\Program Files\Java
2006-10-29 22:07    --------   d--------  C:\Program Files\Common Files\Java
2006-10-29 22:07    --------   d--------  C:\Program Files\Common Files
2006-10-29 13:02    --------   d--------  C:\Program Files\Grisoft
2006-10-25 21:06    --------   d--------  C:\Program Files\Enigma Software Group
2006-10-25 18:29    --------   d--------  C:\Program Files\Ultimate Defender
2006-10-25 13:54    --------   d--------  C:\Program Files\Ultimate Cleaner
2006-10-23 15:40    --------   d--------  C:\Program Files\Yahoo!
2006-10-23 15:28    --------   d--------  C:\Documents and Settings\Rick\Application Data\MSNInstaller
2006-10-23 15:27    --------   d--------  C:\Program Files\SupportSoft
2006-10-23 15:25    --------   d--------  C:\Program Files\Common Files\Motive
2006-10-23 15:24    --------   d--------  C:\Program Files\Motive
2006-10-23 15:23    --------   d--h-----  C:\Program Files\InstallShield Installation Information
2006-10-23 15:23    --------   d--------  C:\Program Files\Verizon Online
2006-10-23 15:23    --------   d--------  C:\Program Files\Common Files\Verizon Online
2006-10-23 15:23    --------   d--------  C:\Program Files\Common Files\MotiveBrowser
2006-10-23 15:19    --------   d--------  C:\Program Files\verizon
2006-10-23 15:18    --------   d--------  C:\Program Files\PlayLinc
2006-10-22 18:43    --------   d--------  C:\Documents and Settings\Rick\Application Data\U3
2006-10-20 04:51    --------   d--------  C:\Documents and Settings\Rick\Application Data\MSN6
2006-10-17 04:28    --------   d--------  C:\Documents and Settings\Rick\Application Data\PhotoParade
2006-10-15 13:06    --------   d--------  C:\Program Files\Windows Media Player
2006-10-15 13:03    --------   d--------  C:\Program Files\Outlook Express
2006-10-15 13:03    --------   d--------  C:\Program Files\Common Files\System
2006-10-15 07:27    --------   d--------  C:\Program Files\Online Services
2006-10-07 10:02    --------   d--------  C:\Program Files\Police Chase
2006-10-06 20:03    --------   d--------  C:\Program Files\PhotoParade
2006-10-06 16:18    --------   d--------  C:\Program Files\Virtools Web Player 3.0

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce\Srv32 spool service]
"Adware.Srv32"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
  6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001


#71 rsre15 (Authentic Member, 153 posts)

Posted 15 November 2006 - 04:25 PM

"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,96,00,00,00,00,00,00,00,6a,03,00,00,de,02,\
  00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,96,00,00,00,00,00,00,00,6a,03,00,00,de,02,\
  00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (ROSSITER-Rick).job

Completion time: 06-11-15 17:13:18.53
C:\ComboFix.txt ... 06-11-15 17:13
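The "Reg Loading Points" block in the ComboFix log above is printed in .reg-export syntax: string values may appear as comma-separated hex bytes (hex(2): is REG_EXPAND_SZ, hex: with no type is REG_BINARY) and long values wrap onto a continuation line ending in a backslash, so an autorun entry such as "UserFaultCheck" is not readable as printed. What follows is an added example, not ComboFix's code and not something posted in the thread: a small decoder for that syntax, run over a constructed excerpt that copies three values from the log. The assumption that this dump stores one byte per character (regedit's own exports store string types as UTF-16LE, which the decoder also handles) is marked in the code; with it, the UserFaultCheck value decodes to %systemroot%\system32\dumprep 0 -u.

```python
import re

# Constructed excerpt in the shape of ComboFix's "Reg Loading Points" section;
# the three values are copied from the thread's log, continuation line included.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
  6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
_HEX_RE = re.compile(r"^hex(?:\((\d+)\))?:(.*)$")
_STRING_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 7: "REG_MULTI_SZ"}


def _join_continuations(text):
    """Glue lines that end in a backslash onto the following line (.reg convention)."""
    lines, buf = [], ""
    for raw in text.splitlines():
        s = raw.strip()
        if s.endswith("\\"):
            buf += s[:-1]
            continue
        lines.append(buf + s)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def _unescape(s):
    r"""Undo .reg string escaping: \" becomes " and \\ becomes \."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _bytes_to_text(data):
    # Regedit exports string types as UTF-16LE; this ComboFix dump printed one
    # byte per character (assumption, from the 25,73,79,... pattern above), so
    # detect the zero high bytes of UTF-16 and otherwise treat data as cp1252.
    if len(data) >= 2 and len(data) % 2 == 0 and not any(data[1::2]):
        return data.decode("utf-16-le")
    return data.decode("cp1252")


def decode_value(raw):
    """Return (type_name, value) for the right-hand side of a .reg style line."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return "REG_SZ", _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = _HEX_RE.match(raw)
    if m:
        kind = int(m.group(1)) if m.group(1) else 3  # bare hex: is REG_BINARY
        data = bytes(int(h, 16) for h in m.group(2).split(",") if h.strip())
        if kind in _STRING_TYPES:
            text = _bytes_to_text(data)
            if kind == 7:
                return "REG_MULTI_SZ", [p for p in text.split("\x00") if p]
            return _STRING_TYPES[kind], text.rstrip("\x00")
        return "REG_BINARY", data
    return "UNKNOWN", raw


def parse_loading_points(text):
    """Return [(key, value_name, type_name, decoded_value)] for every value line."""
    entries, key = [], None
    for line in _join_continuations(text):
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key:
            kind, value = decode_value(m.group(2))
            entries.append((key, _unescape(m.group(1)), kind, value))
    return entries


if __name__ == "__main__":
    for key, name, kind, value in parse_loading_points(SAMPLE):
        print(f"{key}\n  {name} ({kind}) = {value!r}")
```

Decoding the hex values is the part that matters when reading a log like this: an autorun entry is only as suspicious as the command it actually launches, and a value that is printed as bytes hides that command from a quick read.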

#72 beynac (Silver Member, Visiting Fellow, 459 posts)

Posted 15 November 2006 - 04:38 PM

Well done! I'll go through the log now. You say that you can run Task Manager as another user. Could you please log on as another user and then try the steps for FindAWF in the previous post.

Please see if you have the following files (note the 'bak' sub-folder):

C:\Program Files\Java\jre1.5.0_09\bin\bak\jusched.exe
C:\Program Files\Dell Support\bak\DSAgnt.exe
C:\Program Files\McAfee.com\Agent\bak\mcagent.exe
beynac

#73 rsre15 (Authentic Member, 153 posts)

Posted 15 November 2006 - 05:26 PM

I have all three of those "program files".

Find AWF report by noahdfear ©2006

21504 byte files found
~~~~~~~~~~~~~

21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~

25600 byte files found
~~~~~~~~~~~~~

25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~

26450 byte files found
~~~~~~~~~~~~~

26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~

bak folders found
~~~~~~~~~~~

 Directory of C:\PROGRA~1\DELLSU~1\BAK
07/19/2004  08:51 AM           306,688 DSAgnt.exe
               1 File(s)        306,688 bytes

 Directory of C:\PROGRA~1\QUICKT~1\BAK
08/11/2005  06:56 PM            98,304 qttask.exe
               1 File(s)         98,304 bytes

 Directory of C:\WINDOWS\SYSTEM32\BAK
09/20/2005  09:32 AM            77,824 hkcmd.exe
09/20/2005  09:36 AM           114,688 igfxpers.exe
09/20/2005  09:35 AM            94,208 igfxtray.exe
               3 File(s)        286,720 bytes

 Directory of C:\PROGRA~1\ANALOG~1\CORE\BAK
10/14/2004  04:42 PM         1,404,928 smax4pnp.exe
               1 File(s)      1,404,928 bytes

 Directory of C:\PROGRA~1\INTEL\MODEME~1\BAK
09/03/2003  09:12 PM           221,184 IntelMEM.exe
               1 File(s)        221,184 bytes

 Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK
09/22/2005  06:29 PM           303,104 mcagent.exe
06/07/2004  02:14 PM           135,168 mcregwiz.exe
01/11/2006  12:05 PM           212,992 mcupdate.exe
               3 File(s)        651,264 bytes

 Directory of C:\PROGRA~1\MCAFEE.COM\MPS\BAK
03/30/2006  01:31 PM           296,488 mscifapp.exe
               1 File(s)        296,488 bytes

 Directory of C:\PROGRA~1\MCAFEE.COM\PERSON~1\BAK
11/11/2005  05:00 PM         1,005,096 MpfTray.exe
               1 File(s)      1,005,096 bytes

 Directory of C:\PROGRA~1\MCAFEE.COM\VSO\BAK
07/08/2005  05:18 PM           151,552 mcmnhdlr.exe
08/10/2005  11:49 AM           163,840 mcvsshld.exe
08/11/2005  09:02 PM            53,248 oasclnt.exe
               3 File(s)        368,640 bytes

 Directory of C:\PROGRA~1\MUSICM~1\MUSICM~2\BAK
03/15/2005  07:58 AM            53,248 mmtask.exe
               1 File(s)         53,248 bytes

 Directory of C:\PROGRA~1\VERIZO~1\HELPSU~1\BAK
05/23/2005  12:20 PM            50,744 VERIZO~1.EXE
               1 File(s)         50,744 bytes

 Directory of C:\WINDOWS\SYSTEM32\DLA\BAK
12/06/2004  02:05 AM           127,035 tfswctrl.exe
               1 File(s)        127,035 bytes

 Directory of C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\BAK

#74 rsre15 (Authentic Member, 153 posts)

Posted 15 November 2006 - 05:27 PM

12/05/2003  11:08 PM            50,688 WkUFind.exe
               1 File(s)         50,688 bytes

 Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK
01/07/2004  02:01 AM           110,592 sgtray.exe
               1 File(s)        110,592 bytes

 Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK
10/12/2006  03:10 AM            49,263 jusched.exe
               1 File(s)         49,263 bytes

 Directory of C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\BAK
04/13/2005  06:51 PM           385,024 MotiveSB.exe
               1 File(s)        385,024 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

 306688 Jul 19 2004 "C:\Program Files\Dell Support\bak\DSAgnt.exe"
  98304 Aug 11 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
 118784 Feb 10 2004 "C:\DRIVERS\VIDEO\HKCMD.EXE"
  77824 Sep 20 2005 "C:\WINDOWS\SYSTEM32\bak\hkcmd.exe"
 114688 Sep 20 2005 "C:\WINDOWS\SYSTEM32\bak\igfxpers.exe"
 155648 Feb 10 2004 "C:\DRIVERS\VIDEO\IGFXTRAY.EXE"
  94208 Sep 20 2005 "C:\WINDOWS\SYSTEM32\bak\igfxtray.exe"
1404928 Oct 14 2004 "C:\DRIVERS\AUDIO\SMAX4PNP.EXE"
1404928 Oct 14 2004 "C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe"
 221184 Sep  3 2003 "C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe"
 303104 Sep 22 2005 "C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
 135168 Jun  7 2004 "C:\Program Files\McAfee.com\Agent\bak\mcregwiz.exe"
 212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe"
 296488 Mar 30 2006 "C:\Program Files\McAfee.com\MPS\bak\mscifapp.exe"
1005096 Nov 11 2005 "C:\Program Files\McAfee.com\Personal Firewall\bak\MpfTray.exe"
 151552 Jul  8 2005 "C:\Program Files\McAfee.com\VSO\bak\mcmnhdlr.exe"
 163840 Aug 10 2005 "C:\Program Files\McAfee.com\VSO\bak\mcvsshld.exe"
  53248 Aug 11 2005 "C:\Program Files\McAfee.com\VSO\bak\oasclnt.exe"
  53248 Mar 12 2006 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mmtask.exe"
  53248 Mar 15 2005 "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mmtask.exe"
 287808 Jan 13 2005 "C:\WINDOWS\SYSTEM32\VerizonUninstaller.exe"
 287808 Feb 13 2005 "C:\Program Files\Common Files\Verizon Online\SFP\VerizonUninstaller.exe"
  50744 May 23 2005 "C:\Program Files\Verizon Online\Help Support\bak\VERIZO~1.EXE"
 122660 Apr 13 2005 "C:\Program Files\Verizon Online\Help Support\SmartBridge\VerizonSetPanFolder.exe"
 127035 Dec  6 2004 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
 127035 Dec  6 2004 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
  50688 Dec  5 2003 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe"
 110592 Jan  7 2004 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
  49263 Oct 12 2006 "C:\Program Files\Java\jre1.5.0_09\bin\bak\jusched.exe"
 385024 Apr  5 2005 "C:\Program Files\Verizon Online\SmartBridge\MotiveSB.exe"
 327680 May 18 2002 "C:\Program Files\Verizon Online\SmartBridge\Original\MotiveSB.exe"
 385024 Apr  5 2005 "C:\Program Files\Verizon Online\SmartBridge\Updates\MotiveSB.exe"
 385024 Apr 13 2005 "C:\Program Files\Verizon Online\Help Support\SmartBridge\bak\MotiveSB.exe"

#75 beynac (Silver Member, Visiting Fellow, 459 posts)

Posted 15 November 2006 - 05:38 PM

Hooray!!!! :D That's great. I haven't gone through the report in detail, but it appears to confirm that I was right about what has happened. Basically, the malware has moved valid files into sub-folders (called 'bak') and replaced them with corrupted files. Now that we can see what's there, we should be able to move them back. It's going to take me a little while to build a batch file to do this. I'll get back to you as soon as I can.
beynac
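beynac's summary (a 'bak' sub-folder beside each hijacked program holding the original executable, the live copy swapped for a bad one) is exactly the pattern the FindAWF "bak folders found" and "Duplicate files of bak directory contents" sections above enumerate, and the move-back is what the batch file beynac mentions would do. The following is an added example, not FindAWF's code and not beynac's batch file: a Python script that parses a "bak folders found" listing, walks a directory tree and classifies each live file that has a bak copy beside it (identical, replaced, or missing, by SHA-256), then moves the bak copies back while quarantining rather than deleting the replaced files so the analyst still has them. It runs against a constructed temporary tree with two entries modelled on the report (qttask.exe and DSAgnt.exe); the sizes 21504, 25600 and 26450 are the ones FindAWF's own headings search for. The paths, file contents and the quarantine folder name are assumptions made for the demo.

```python
import hashlib
import os
import re
import shutil
import tempfile

# Sizes FindAWF enumerates in its report headings ("21504 byte files found",
# "25600 ...", "26450 ..."); a live executable of one of these sizes sitting
# beside a 'bak' copy with different contents is the pattern the tool hunts.
SUSPECT_SIZES = {21504, 25600, 26450}

_DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
_FILE_RE = re.compile(
    r"^\s*\d{2}/\d{2}/\d{4}\s+\d{1,2}:\d{2}\s+[AP]M\s+([\d,]+)\s+(\S+)\s*$")


def parse_bak_listing(report):
    """Parse the 'bak folders found' section of a FindAWF report (DIR-style
    'Directory of ...' blocks). Returns [(bak_dir, file_name, size_in_bytes)]."""
    found, current = [], None
    for line in report.splitlines():
        m = _DIR_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _FILE_RE.match(line)
        if m and current:
            found.append((current, m.group(2), int(m.group(1).replace(",", ""))))
    return found


def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def plan_restore(root):
    """Walk root; for every <dir>/bak/<name> compare it with <dir>/<name>.
    Each entry carries status 'identical', 'replaced' or 'missing', and
    'suspect_size' is True when the live file has one of the known sizes."""
    plan = []
    for dirpath, _, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        for name in filenames:
            bak, live = os.path.join(dirpath, name), os.path.join(parent, name)
            if not os.path.exists(live):
                status, size = "missing", None
            else:
                size = os.path.getsize(live)
                status = "identical" if _sha256(live) == _sha256(bak) else "replaced"
            plan.append({"live": live, "bak": bak, "status": status,
                         "suspect_size": size in SUSPECT_SIZES})
    return plan


def restore(plan, quarantine):
    """Move each replaced live file into quarantine (keep the evidence, never
    delete it), then move the bak copy back into place. Returns count restored."""
    os.makedirs(quarantine, exist_ok=True)
    restored = 0
    for item in plan:
        if item["status"] == "identical":
            continue  # nothing was swapped; the bak copy is just a duplicate
        if item["status"] == "replaced":
            tag = hashlib.sha1(item["live"].encode("utf-8")).hexdigest()[:8]
            shutil.move(item["live"],
                        os.path.join(quarantine, tag + "_" + os.path.basename(item["live"])))
        shutil.move(item["bak"], item["live"])
        restored += 1
    return restored


def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed tree (not the poster's disk) mirroring two report entries:
    QuickTime/qttask.exe swapped for a 25600-byte stub with the original kept
    in QuickTime/bak, and Dell Support/DSAgnt.exe identical to its bak copy."""
    root = tempfile.mkdtemp()
    qt = os.path.join(root, "Program Files", "QuickTime")
    dell = os.path.join(root, "Program Files", "Dell Support")
    os.makedirs(os.path.join(qt, "bak"))
    os.makedirs(os.path.join(dell, "bak"))
    original = b"MZ" + b"original qttask " * 100
    _write(os.path.join(qt, "bak", "qttask.exe"), original)
    _write(os.path.join(qt, "qttask.exe"), b"MZ" + b"\x90" * 25598)  # 25600 bytes
    agent = b"MZ" + b"dell agent " * 50
    _write(os.path.join(dell, "DSAgnt.exe"), agent)
    _write(os.path.join(dell, "bak", "DSAgnt.exe"), agent)

    plan = plan_restore(root)
    before = {os.path.basename(i["live"]): (i["status"], i["suspect_size"]) for i in plan}
    restored = restore(plan, os.path.join(root, "quarantine"))
    live_ok = _sha256(os.path.join(qt, "qttask.exe")) == hashlib.sha256(original).hexdigest()
    quarantined = sorted(os.listdir(os.path.join(root, "quarantine")))
    shutil.rmtree(root)
    return before, restored, live_ok, quarantined


if __name__ == "__main__":
    print(demo())
```

Two cautions a practitioner would add before running anything like this on the real machine: the processes beynac listed must not be running, or the live files cannot be moved; and the bak copy should be checked against a second known-good copy before it is trusted, which the "Duplicate files" section above makes possible for some entries (for example C:\DRIVERS\AUDIO\SMAX4PNP.EXE has the same size and date as the bak smax4pnp.exe).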
