TechSpot

"System Check" malware - infected. Recovered... but I'm still crippled!

By mark118
Jan 12, 2012
  1. Hello all,

    I'm battling an issue... and I've hit a brick wall.

    Last night I was infected with a nasty little malware "System Check". I was bombarded with error msgs. such as Files Indexation Process Failed, Windows – Delayed Write Failed and many more. In addition, all my desktop icons, files and shortcuts disappeared. All program folders in my start menu were gone, and task manager was even disabled. The only program open was one that popped up "System Check" disguised as a Windows application, which seemed to detect my new issue and offer a solution, should I pay for and download the upgraded version of the program. Does anyone actually fall for this crap?

    Anyway, I managed to get task manager back, and manually opened Malwarebytes. It seems to have removed the malware, as all of the error msgs are gone. After much research, I found 3 things to get me back to normal: RKill, UnHide, and TDSSKiller.

    Here is where I need help:
    1. My desktop shortcuts and icons seem to be back and functional. The program folders are back in my start menu... but all the folders are empty?! I can open programs through desktop shortcuts and opening files. Is there something I can download and run that will fix that? I've seen posts about ComboFix, but many warn not to run it unsupervised as it may do more harm than good. Plus, it doesn't sound like it is applicable to my issue.

    2. Malwarebytes seems to have removed the bug, but there is still a desktop shortcut, quick launch icon and a program folder in the start menu (of course, the only program folder not reading empty). I ran Malwarebytes again, Spybot Search & Destroy and did a full scan with Avast and nothing comes up. I know I could simply delete these items... but is their presence a sign that I'm not completely rid of this monster? Is it laying dormant waiting to pop up again?


    If anyone knows what I'm going through and could help.... I would be VERY grateful!

    Thank you
    Mark
     
  2. Broni

    Broni Malware Annihilator Posts: 52,900   +344

    Welcome aboard

    We need to check if your computer is really clean first.
    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  3. mark118

    mark118 TS Rookie Topic Starter Posts: 21

    some issues here

    I followed the instructions exactly.

    Below is my malwarebytes and dds logs....
    GMER produced no log... (blank)


    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.12.03

    Windows Vista Service Pack 1 x64 NTFS
    Internet Explorer 8.0.6001.19088
    Mark :: THEGUNSHOW [administrator]

    1/12/2012 2:57:50 PM
    mbam-log-2012-01-12 (14-57-50).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 181681
    Time elapsed: 5 minute(s), 19 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)


    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 8.0.6001.19088
    Run by Mark at 15:24:14 on 2012-01-12
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.8190.5995 [GMT -5:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files (x86)\VERIZONDM\bin\sprtsvc.exe
    C:\PROGRA~2\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files (x86)\VERIZONDM\bin\tgsrvc.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\SysWOW64\ctfmon.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Windows\splwow64.exe
    C:\PROGRA~2\MICROS~1\Office12\OUTLOOK.EXE
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\REGSVR32.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.cnn.com/
    uInternet Settings,ProxyOverride = *.local
    mURLSearchHooks: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\tbBit1.dll
    mWinlogon: Userinit=userinit.exe,
    BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - C:\Program Files (x86)\HP\Smart Web Printing\hpswp_framework.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    BHO: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\tbBit1.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    TB: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\tbBit1.dll
    TB: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
    uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    uRun: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
    mRun: [HDAudDeck] "C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" -r
    mRun: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
    mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - C:\Program Files (x86)\Java\jre1.5.0\bin\npjpi150.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
    IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - C:\Program Files (x86)\HP\Smart Web Printing\hpswp_extensions.dll
    IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - C:\Program Files (x86)\HP\Smart Web Printing\hpswp_extensions.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
    Trusted Zone: xmradio.com\player
    Trusted Zone: xmradio.com\www
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{A22470FE-C567-4958-9D55-53AFAD0C300A} : DhcpNameServer = 192.168.1.1
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    BHO-X64: HP Print Clips: {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files (x86)\HP\Smart Web Printing\hpswp_framework.dll
    BHO-X64: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    BHO-X64: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\tbBit1.dll
    BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    BHO-X64: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    BHO-X64: SmartSelect - No File
    TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    TB-X64: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\tbBit1.dll
    TB-X64: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
    mRun-x64: [HDAudDeck] "C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" -r
    mRun-x64: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
    mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
    mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 Lbd;Lbd;C:\Windows\system32\DRIVERS\Lbd.sys --> C:\Windows\system32\DRIVERS\Lbd.sys [?]
    R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
    R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
    R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
    R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
    R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2011-2-18 42184]
    R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);C:\Program Files (x86)\VERIZONDM\bin\sprtsvc.exe [2010-9-2 206120]
    R2 SqueezeMySQL;SqueezeMySQL;C:\PROGRA~2\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=C:\PROGRA~3\SQUEEZ~1\Cache\my.cnf SqueezeMySQL --> C:\PROGRA~2\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=C:\PROGRA~3\SQUEEZ~1\Cache\my.cnf SqueezeMySQL [?]
    R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);C:\Program Files (x86)\VERIZONDM\bin\tgsrvc.exe [2010-9-2 185640]
    R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;C:\Windows\system32\Drivers\nx6000.sys --> C:\Windows\system32\Drivers\nx6000.sys [?]
    R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;C:\Windows\system32\drivers\viahduaa.sys --> C:\Windows\system32\drivers\viahduaa.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2009-5-28 1038088]
    S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
    S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-3-30 93184]
    .
    =============== File Associations ===============
    .
    JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
    .scr=AutoCADScriptFile
    .
    =============== Created Last 30 ================
    .
    2012-01-12 19:53:00 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{488BF783-72C0-4406-A1B6-28DB6907F568}\offreg.dll
    2012-01-12 14:11:52 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
    2012-01-12 14:11:52 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
    2012-01-12 01:59:31 -------- d-----w- C:\sh4ldr
    2012-01-12 01:59:31 -------- d-----w- C:\Program Files\Enigma Software Group
    2012-01-12 01:58:44 -------- d-----w- C:\Windows\89A072791DB3485AB1DF584DF86774B9.TMP
    2012-01-10 06:36:57 8822856 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{488BF783-72C0-4406-A1B6-28DB6907F568}\mpengine.dll
    2011-12-26 13:36:35 -------- d-----w- C:\Program Files\iPod
    2011-12-26 13:36:34 -------- d-----w- C:\Program Files\iTunes
    2011-12-26 13:32:26 -------- d-----w- C:\Program Files\Bonjour
    2011-12-26 13:32:26 -------- d-----w- C:\Program Files (x86)\Bonjour
    2011-12-15 13:04:28 677136 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    .
    ==================== Find3M ====================
    .
    2009-05-03 17:52:52 74737 ----a-w- C:\Program Files (x86)\Uninstal.exe
    .
    ============= FINISH: 15:35:08.12 ===============

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 3/3/2009 9:23:55 AM
    System Uptime: 1/12/2012 2:52:37 PM (1 hours ago)
    .
    Motherboard: ASUSTeK Computer INC. | | P5Q SE PLUS
    Processor: Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz | LGA775 | 3003/333mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 466 GiB total, 197.231 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    Adobe Acrobat 9 Pro - English, Français, Deutsch
    Adobe Acrobat 9.3.4 - CPSID_83708
    Adobe AIR
    Adobe Anchor Service CS4
    Adobe Bridge CS4
    Adobe CMaps CS4
    Adobe Color - Photoshop Specific CS4
    Adobe Color EU Extra Settings CS4
    Adobe Color JA Extra Settings CS4
    Adobe Color NA Recommended Settings CS4
    Adobe Color Video Profiles CS CS4
    Adobe CSI CS4
    Adobe Default Language CS4
    Adobe Device Central CS4
    Adobe Drive CS4
    Adobe ExtendScript Toolkit CS4
    Adobe Extension Manager CS4
    Adobe Flash Player 10 ActiveX
    Adobe Fonts All
    Adobe Linguistics CS4
    Adobe Media Player
    Adobe Output Module
    Adobe PDF Library Files CS4
    Adobe Photoshop CS4
    Adobe Photoshop CS4 Support
    Adobe Reader 6.0.1
    Adobe Search for Help
    Adobe Service Manager Extension
    Adobe Setup
    Adobe Type Support CS4
    Adobe Update Manager CS4
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS4
    AdobeColorCommonSetCMYK
    AdobeColorCommonSetRGB
    Apple Application Support
    Apple Software Update
    AutoCAD 2008 - English
    avast! Free Antivirus
    BitTorrent
    BitTorrentBar Toolbar
    BufferChm
    c7200_Help
    CDDRV_Installer
    Connect
    Copy
    Destination Component
    DeviceDiscovery
    DeviceManagementQFolder
    DNA
    DocProc
    DocProcQFolder
    EPU-4 Engine
    eSupportQFolder
    Express Gate
    F.E.A.R. 2: Project Origin
    Fax
    FEAR Perseus Mandate
    GoToMyPC
    Half-Life 2
    Half-Life 2 Deathmatch Create Server Mod
    Half-Life 2: Deathmatch
    Half-Life 2: Episode One
    Half-Life 2: Episode Two
    Half-Life 2: Lost Coast
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Officejet 6500 E710n-z Help
    HP Photosmart Essential2.01
    HP Smart Web Printing
    HP Update
    HPProductAssistant
    HPSSupply
    I.R.I.S. OCR
    J2SE Runtime Environment 5.0
    *******_3D_screensaver1
    kuler
    Logitech SetPoint
    Malwarebytes Anti-Malware version 1.60.0.1800
    Microsoft Corporation
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    nCleaner second 2.3.4.0
    NVIDIA PhysX v8.09.04
    Octoshape add-in for Adobe Flash Player
    OpenAL
    Pandora
    PanoStandAlone
    PDF Settings CS4
    Photoshop Camera Raw
    Platform
    Portal
    Print Screen Deluxe
    PSSWCORE
    QuickTime
    Realtek 8169 8168 8101E 8102E Ethernet Driver
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2553089)
    Security Update for 2007 Microsoft Office System (KB2553090)
    Security Update for 2007 Microsoft Office System (KB2584063)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Groove 2007 (KB2552997)
    Security Update for Microsoft Office InfoPath 2007 (KB2510061)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Skype™ 4.2
    SolutionCenter
    SpeedFan (remove only)
    Spotify
    Squeezebox Server 7.5.3
    Status
    Steam
    Suite Shared Configuration CS4
    TrayApp
    UnloadSupport
    Unreal Tournament 3: Black Edition
    Update for 2007 Microsoft Office System (KB2284654)
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596686) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Outlook 2007 (KB2583910)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Verizon Download Manager
    VIA Platform Device Manager
    VideoToolkit01
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    Vz In Home Agent
    WinRAR archiver
    WModem Driver Installer
    .
    ==== Event Viewer Messages From Past Week ========
    .
    1/12/2012 8:36:23 AM, Error: disk [11] - The driver detected a controller error on \Device\Harddisk0\DR0.
    1/12/2012 3:16:04 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer DANAS-COMPUTER that believes that it is the master browser for the domain on transport NetBT_Tcpip_{A22470FE-C567-4958-9D55-53AFAD0C300A}. The master browser is stopping or an election is being forced.
    1/12/2012 12:03:31 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt
    1/12/2012 12:03:31 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the GoToMyPC service to connect.
    1/12/2012 12:03:31 PM, Error: Service Control Manager [7000] - The MSCamSvc service failed to start due to the following error: The system cannot find the path specified.
    1/12/2012 12:03:31 PM, Error: Service Control Manager [7000] - The GoToMyPC service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    .
    ==== End Of File ===========================

    Thank you VERY much for your time......
     
  4. Broni

    Broni Malware Annihilator Posts: 52,900   +344

    If you ran any temporary files cleaner since the infection started UnHide won't be able to get your shortcuts back.
    You'll have to restore them manually.
    See my guide here: http://www.smartestcomputing.us.com...tart-menu-and-files-hiddendeleted-by-a-virus/
    Scroll down to "Method 3 - manual".

    ================================================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    =============================================================

    Download Bootkit Remover to your Desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right-click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  5. mark118

    mark118 TS Rookie Topic Starter Posts: 21

    thank you

    I saw early on on some threads not to touch the temp folder, so I didn't. In fact, at the beginning, I couldn't even access my temp folder.

    When you say I'll have to do it manually, do you mean the files in my programs folder, in the start menu? All folders are present, but when I click on them, they read (empty).

    I'll follow your instructions regarding aswMBR and Bootkit Remover later tonight or tomorrow and post what I find.


    Thank you for your time.

    Mark
     
  6. Broni

    Broni Malware Annihilator Posts: 52,900   +344

    There is a section at my link on what to do in that situation.

    You may want to wait with that until we're done with running some more tools.
     
  7. mark118

    mark118 TS Rookie Topic Starter Posts: 21

    problem

    I downloaded aswMBR to my desktop. When I double-click on it, nothing opens. I clicked on your link and clicked run instead of save, and still, nothing opens. Do I have to disable my Avast first?
     
  8. Broni

    Broni Malware Annihilator Posts: 52,900   +344

    Proceed with Bootkit Remover.
     
  9. mark118

    mark118 TS Rookie Topic Starter Posts: 21

    bootkit remover

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 1 (build 6
    001), 64-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00100000

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...
     
  10. mark118

    mark118 TS Rookie Topic Starter Posts: 21

    interesting discovery

    I went to google, and did a search on Rootkit to learn more about this problem....

    Every link I click on, in regards to rootkit... i get redirected to a junk website. Right as it goes to open the intended page... Explorer redirects. Something definitely has a hold of my PC. :(
     
  11. Broni

    Broni Malware Annihilator Posts: 52,900   +344

    Please download and run ListParts by Farbar (for 32-bit system)

    Please download and run ListParts64 by Farbar (for 64-bit system)

    Click on Scan button.

    Scan result will open in Notepad.
    Post it in your next reply.
     
  12. mark118

    mark118 TS Rookie Topic Starter Posts: 21

    list parts

    ListParts by Farbar
    Ran by Mark on 13-01-2012 at 08:16:33
    Windows Vista (X64)
    Running From: C:\Users\Mark\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P9SPQBHA
    ************************************************************

    ========================= Memory info ======================

    Percentage of memory in use: 33%
    Total physical RAM: 8190.12 MB
    Available physical RAM: 5436.91 MB
    Total Pagefile: 16547.27 MB
    Available Pagefile: 13798.7 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.91 MB

    ======================= Partitions =========================

    2 Drive c: () (Fixed) (Total:465.76 GB) (Free:198.56 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 466 GB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 466 GB 1024 KB

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C NTFS Partition 466 GB Healthy System (partition with boot components)



    ****** End Of Log ******
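Bootkit Remover above reports the boot code as hidden by a rootkit and offers `remover.exe dump` to inspect the master boot sector by hand, and ListParts above reports the partition layout. As an added example (not code from Esage Lab, Farbar or the posters in this thread), the Python script below parses a raw 512-byte MBR dump, checks the 0x55AA signature and the partition table, and compares a SHA-256 of the boot-code bytes against a reference hash you recorded from a known-clean MBR of the same Windows install. The reference hash and the sample sector are assumptions: the sample is constructed to mirror the ListParts output (one active type-07 partition at a 1024 KB offset, 465.76 GiB), and its boot code is filler, not real boot code.

```python
"""Parse a raw 512-byte MBR dump (what `remover.exe dump` writes) and check it
against a known-good boot-code fingerprint.  Added example for this thread; not
code from Esage Lab, Farbar or the original posters."""
import hashlib
import struct
import sys
from dataclasses import dataclass
from typing import Dict, List

SECTOR = 512
PARTITION_TABLE_OFFSET = 446      # boot code occupies bytes 0..445
PARTITION_ENTRY_SIZE = 16         # four entries: bytes 446..509
MBR_SIGNATURE = b"\x55\xAA"       # bytes 510..511


@dataclass
class PartitionEntry:
    index: int          # 1-based, as ListParts numbers them
    bootable: bool      # status byte 0x80 means active
    type_id: int        # 0x07 is NTFS (also exFAT/HPFS)
    lba_start: int
    sector_count: int

    @property
    def offset_kib(self) -> int:
        return self.lba_start * SECTOR // 1024

    @property
    def size_gib(self) -> float:
        return self.sector_count * SECTOR / 2 ** 30


def parse_partition_table(mbr: bytes) -> List[PartitionEntry]:
    """Decode the four 16-byte entries at offset 446; empty slots (type 0) are skipped."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, _chs_start, type_id, _chs_end, lba_start, count = struct.unpack_from(
            "<B3sB3sII", mbr, off)
        if type_id == 0:
            continue
        entries.append(PartitionEntry(i + 1, status == 0x80, type_id, lba_start, count))
    return entries


def boot_code_sha256(mbr: bytes) -> str:
    """Fingerprint only the boot-code region, so partition-table edits do not change it."""
    return hashlib.sha256(mbr[:PARTITION_TABLE_OFFSET]).hexdigest()


def audit_mbr(mbr: bytes, reference_sha256: str) -> Dict[str, object]:
    """Signature present, boot code equal to the reference, and how many entries are active."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected a {SECTOR}-byte sector, got {len(mbr)} bytes")
    partitions = parse_partition_table(mbr)
    return {
        "signature_ok": mbr[510:512] == MBR_SIGNATURE,
        "boot_code_matches_reference": boot_code_sha256(mbr) == reference_sha256,
        "active_partitions": sum(1 for p in partitions if p.bootable),
        "partitions": partitions,
    }


def build_sample_mbr(altered_boot_code: bool = False) -> bytes:
    """Constructed sample mirroring the ListParts output in this thread: one active
    type-07 partition at LBA 2048 (1024 KB offset), 976,773,168 sectors (465.76 GiB).
    The boot code is filler bytes; `altered_boot_code` overwrites a few of them to
    stand in for a boot sector that no longer matches its reference."""
    mbr = bytearray(SECTOR)
    mbr[:PARTITION_TABLE_OFFSET] = bytes(range(256)) + bytes(range(190))
    if altered_boot_code:
        mbr[0:4] = b"\xEB\x00\x90\x90"
    mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + PARTITION_ENTRY_SIZE] = struct.pack(
        "<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 976_773_168)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


def main() -> None:
    # Usage: mbr_audit.py <dump_file> <reference_sha256>; with no arguments the
    # constructed sample is audited against its own hash as a demonstration.
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            mbr = f.read(SECTOR)
        reference = sys.argv[2]
    else:
        mbr = build_sample_mbr()
        reference = boot_code_sha256(mbr)
    report = audit_mbr(mbr, reference)
    for p in report["partitions"]:
        print(f"Partition {p.index}: type 0x{p.type_id:02X} active={p.bootable} "
              f"offset {p.offset_kib} KB size {p.size_gib:.2f} GiB")
    print(f"signature ok: {report['signature_ok']}, "
          f"boot code matches reference: {report['boot_code_matches_reference']}, "
          f"active partitions: {report['active_partitions']}")


if __name__ == "__main__":
    main()
```

A boot code that differs from its reference is a reason to look closer, not proof by itself; a legitimate boot-loader update changes it too, so compare against a reference taken from the same OS build.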
     
  13. Broni

    Broni Malware Annihilator Posts: 52,900   +344

    Download the FixTDSS.exe

    Save the file to your Windows desktop.
    Close all running programs.
    If you are running Windows XP, turn off System Restore. How to turn off or turn on Windows XP System Restore
    Double-click the FixTDSS.exe file to start the removal tool.
    Click Start to begin the process, and then allow the tool to run.
    OK any security prompts.
    Restart the computer when prompted by the tool.
    After the computer has started, the tool will inform you of the state of infection (make sure to let me know what it said)
    If you are running Windows XP, re-enable System Restore.
     
  14. mark118

    mark118 TS Rookie Topic Starter Posts: 21

    Tdss

    TDSS says ***Infected MRB Detected ...

    Should I click repair?
     
  15. Broni

    Broni Malware Annihilator Posts: 52,900   +344

    Yes............
     
  16. mark118

    mark118 TS Rookie Topic Starter Posts: 21

    Ok, did it. That was fast. My re-direct issue seems to be resolved.

    Is there anything else I have to do?


    Do you recommend any software to better help prevent this from happening? Malwarebytes is good, but didn't detect the issue.

    Thank you again.
     
  17. Broni

    Broni Malware Annihilator Posts: 52,900   +344

    We're definitely not done.
    Good news though.

    Post fresh Bootkit Remover log.

    Then....

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.

    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  18. mark118

    mark118 TS Rookie Topic Starter Posts: 21

    Big problem!

    I ran ComboFix..... it scanned... and at the end made two deletions... one appeared to be the System Check malware.. or the directory it was stored in.

    The other was a folder I titled Media, which had everything I owned in it! In the folder 'Media'... was all my music... all of my pictures including my wedding pictures, my daughter's birth etc.....

    That folder is gone... why would ComboFix do this? I sat while it was scanning and saw that it was scanning that directory, but just thought it was scanning all directories for signs of any problems.

    Can you help?
     
  19. mark118

    mark118 TS Rookie Topic Starter Posts: 21

    log

    Here is the log... I cut out some of the middle section that just contained my music files.... it was a mile long...... all required info should be there...

    ComboFix 12-01-13.03 - Mark 01/13/2012 15:05:03.1.2 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.8190.6401 [GMT -5:00]
    Running from: C:\Users\Mark\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\ProgramData\iKk7sAFBa0IoHD
    C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check
    C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\System Check.lnk
    C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\Uninstall System Check.lnk
    C:\Users\Mark\Desktop\System Check.lnk
    C:\Users\Mark\Media
    C:\Users\Mark\Media\Music\desktop.ini
    C:\Users\Mark\Media\Music\iTunes Music\(Police)\Unknown Album\Sending Out an SOS.mp3
    C:\Users\Mark\Media\Music\iTunes Music\10,000 Maniacs\desktop.ini
    C:\Users\Mark\Media\Music\iTunes Music\10,000 Maniacs\Sounds Of The Eighties - The Rolling Sto\04 Like The Weather.mp3
    C:\Users\Mark\Media\Music\iTunes Music\10,000 Maniacs\Sounds Of The Eighties - The Rolling Sto\AlbumArt_{9A54E70A-8ADC-4DC2-BCD3-E9588CAB2599}_Large.jpg
    C:\Users\Mark\Media\Music\iTunes Music\10,000 Maniacs\Sounds Of The Eighties - The Rolling Sto\AlbumArt_{9A54E70A-8ADC-4DC2-BCD3-E9588CAB2599}_Small.jpg
    C:\Users\Mark\Media\Music\iTunes Music\10,000 Maniacs\Sounds Of The Eighties - The Rolling Sto\AlbumArtSmall.jpg
    C:\Users\Mark\Media\Music\iTunes Music\10,000 Maniacs\Sounds Of The Eighties - The Rolling Sto\desktop.ini
    C:\Users\Mark\Media\Music\iTunes Music\10,000 Maniacs\Sounds Of The Eighties - The Rolling Sto\Folder.jpg
    C:\Users\Mark\Media\Music\iTunes Music\311\311\01 Down.mp3
    C:\Users\Mark\Media\Music\iTunes Music\311\311\08 Purpose.mp3
    C:\Users\Mark\Media\Music\iTunes Music\311\311\09 Loco.mp3
    C:\Users\Mark\Media\Music\iTunes Music\311\311\11 Don't Stay Home.mp3
    C:\Users\Mark\Media\Music\iTunes Music\311\311\13 Sweet.mp3
    C:\Users\Mark\Media\Music\iTunes Music\311\311\AlbumArt_{B6143C56-1314-4DEB-957E-3EC875C77F4B}_Large.jpg
    C:\Users\Mark\Media\Music\iTunes Music\311\311\AlbumArt_{B6143C56-1314-4DEB-957E-3EC875C77F4B}_Small.jpg
    C:\Users\Mark\Media\Music\iTunes Music\311\311\AlbumArtSmall.jpg
    C:\Users\Mark\Media\Music\iTunes Music\311\311\desktop.ini
    C:\Users\Mark\Media\Music\iTunes Music\311\311\Folder.jpg
    C:\Users\Mark\Media\Music\iTunes Music\311\Chaos\03 You Wouldn't Believe.mp3
    C:\Users\Mark\Media\Music\iTunes Music\311\Chaos\AlbumArt_{6B0F1373-0D27-4272-9DF0-EC4C8C8A5D4F}_Large.jpg
    C:\Users\Mark\Media\Music\iTunes Music\311\Chaos\AlbumArt_{6B0F1373-0D27-4272-9DF0-EC4C8C8A5D4F}_Small.jpg
    C:\Users\Mark\Media\Music\iTunes Music\311\Chaos\AlbumArtSmall.jpg
    C:\Users\Mark\Media\Music\iTunes Music\311\Chaos\desktop.ini
    C:\Users\Mark\Media\Music\iTunes Music\311\Chaos\Folder.jpg
    C:\Users\Mark\Media\Music\iTunes Music\311\desktop.ini
    C:\Users\Mark\Media\Music\iTunes Music\311\evolver\01 Creatures (For a While).mp3

    -----
    C:\Windows\system32\AutoRun.inf
    C:\Windows\system32\gotomon.log


    ((((((((((((((((((((((((( Files Created from 2011-12-13 to 2012-01-13 )))))))))))))))))))))))))))))))


    2012-01-13 20:37:27 . 2012-01-13 20:37:28 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{57E7CF3A-5BF5-46D1-9B71-6B82253E160E}\offreg.dll
    2012-01-13 20:35:51 . 2012-01-13 20:39:40 -------- d-----w- C:\Users\Mark\AppData\Local\temp
    2012-01-13 20:35:51 . 2012-01-13 20:35:51 -------- d-----w- C:\Users\Default\AppData\Local\temp
    2012-01-13 07:28:10 . 2011-11-21 11:40:38 8822856 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{57E7CF3A-5BF5-46D1-9B71-6B82253E160E}\mpengine.dll
    2012-01-12 14:11:52 . 2012-01-12 19:52:49 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
    2012-01-12 14:11:52 . 2012-01-12 19:51:19 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
    2012-01-12 01:59:31 . 2012-01-12 18:27:40 -------- d-----w- C:\sh4ldr
    2012-01-12 01:59:31 . 2012-01-12 01:59:31 -------- d-----w- C:\Program Files\Enigma Software Group
    2012-01-12 01:58:44 . 2012-01-12 18:27:37 -------- d-----w- C:\Windows\89A072791DB3485AB1DF584DF86774B9.TMP
    2011-12-26 13:36:35 . 2011-12-26 13:36:35 -------- d-----w- C:\Program Files\iPod
    2011-12-26 13:36:34 . 2011-12-26 13:37:15 -------- d-----w- C:\Program Files\iTunes
    2011-12-26 13:32:26 . 2011-12-26 13:32:27 -------- d-----w- C:\Program Files (x86)\Bonjour
    2011-12-26 13:32:26 . 2011-12-26 13:32:26 -------- d-----w- C:\Program Files\Bonjour
    2011-12-26 13:29:58 . 2011-12-26 13:29:58 -------- d-----w- C:\Program Files (x86)\Apple Software Update
    2011-12-15 13:04:28 . 2011-12-15 13:04:28 677136 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2009-05-03 17:52:52 . 2009-05-03 17:52:52 74737 ----a-w- C:\Program Files (x86)\Uninstal.exe


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
    2010-12-30 14:51:18 3911776 ----a-w- C:\Program Files (x86)\BitTorrentBar\tbBit1.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "C:\Program Files (x86)\BitTorrentBar\tbBit1.dll" [2010-12-30 14:51:18 3911776]

    [HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-21 02:47:57 1555968]
    "ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-21 02:51:33 138240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "HDAudDeck"="C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2008-09-16 14:32:54 17601536]
    "QuickTime Task"="C:\Program Files (x86)\QuickTime\QTTask.exe" [2010-11-29 22:38:18 421888]
    "GrooveMonitor"="C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 15:44:34 31072]
    "APSDaemon"="C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 04:25:58 59240]
    "iTunesHelper"="C:\Program Files (x86)\iTunes\iTunesHelper.exe" [2011-12-08 06:36:42 421736]

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
    Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2011-2-19 1041920]
    Squeezebox Server Tray Tool.lnk - C:\Program Files (x86)\Squeezebox\SqueezeTray.exe [2011-2-6 2351191]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - WS2IFSL

    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    Contents of the 'Scheduled Tasks' folder

    2012-01-13 C:\Windows\Tasks\User_Feed_Synchronization-{BCD208F4-7D0F-4A27-9114-A79A3EC47B7A}.job
    - C:\Windows\system32\msfeedssync.exe [2011-06-16 08:35:02 . 2011-05-28 04:32:15]


    --------- x86-64 -----------


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-02-23 14:04:07 134384 ----a-w- C:\Program Files\Alwil Software\Avast5\ashShA64.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvSvc"="C:\Windows\system32\nvsvc64.dll" [2008-10-07 05:33:00 724512]
    "NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2008-10-07 05:33:00 15934496]
    "NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-10-07 05:33:00 82464]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 20:34:50 134416]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0

    ------- Supplementary Scan -------

    uLocal Page = C:\Windows\system32\blank.htm
    uStart Page = hxxp://www.cnn.com/
    mLocal Page = C:\Windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    Trusted Zone: xmradio.com\player
    Trusted Zone: xmradio.com\www
    TCP: DhcpNameServer = 192.168.1.1
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll

    - - - - ORPHANS REMOVED - - - -

    Wow6432Node-HKCU-Run-WMPNSCFG - C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
    WebBrowser-{88C7F2AA-F93F-432C-8F0E-B7D85967A527} - (no file)
    WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
    HKLM-Run-Windows Defender - C:\Program Files (x86)\Windows Defender\MSASCui.exe
     
  20. Broni

    Broni Malware Annihilator Posts: 52,900   +344

    No worries.
    We can recover that folder easily.

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    DEQUARANTINE::
    C:\Qoobox\Quarantine\C\Users\Mark\Media
    QUIT::
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation: dragging CFScript.txt onto ComboFix.exe]


    6. DeQuarantine.txt log will appear.
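The ComboFix log posted above lists what the tool quarantined under "Other Deletions", and the CFScript above restores one of those folders with DEQUARANTINE::. As an added example (not ComboFix's own code and not from the posters in this thread), the Python helper below splits a ComboFix log into its banner-delimited sections, flags deleted entries that sit under a user profile outside AppData so they can be reviewed before anything is restored, and writes a DEQUARANTINE:: script for the folders you choose, mapping each to ComboFix's C:\Qoobox\Quarantine\<drive>\... layout exactly as the script above does. The classification rule is a review heuristic I am assuming, not ComboFix's logic, and the sample log is constructed from a handful of lines of the log above.

```python
"""Triage the "Other Deletions" section of a ComboFix log and build a
DEQUARANTINE:: CFScript for chosen folders.  Added example for this thread; not
ComboFix's code and not from the original posters.  The user-data / AppData /
system split below is a review heuristic, not ComboFix's own logic."""
import re
import sys
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# Section banners look like "(((( Other Deletions ))))", "------- Supplementary Scan -------"
# or "- - - - ORPHANS REMOVED - - - -".
PAREN_BANNER = re.compile(r"^\(+\s*(.+?)\s*\)+$")
DASH_BANNER = re.compile(r"^(?:-\s?){3,}\s*(.+?)\s*(?:\s?-){3,}$")
# ComboFix keeps quarantined items here, with the drive letter as the first folder
# (C:\Users\Mark\Media -> C:\Qoobox\Quarantine\C\Users\Mark\Media, as in this thread).
QUARANTINE_ROOT = PureWindowsPath(r"C:\Qoobox\Quarantine")

# Constructed sample built from lines of the log posted earlier in this thread.
SAMPLE_LOG = r"""ComboFix 12-01-13.03 - Mark 01/13/2012 15:05:03.1.2 - x64
Running from: C:\Users\Mark\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\ProgramData\iKk7sAFBa0IoHD
C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check
C:\Users\Mark\Desktop\System Check.lnk
C:\Users\Mark\Media
C:\Users\Mark\Media\Music\desktop.ini
-----
C:\Windows\system32\AutoRun.inf
.
((((((((((((((((((((((((( Files Created from 2011-12-13 to 2012-01-13 )))))))))))))))))))))))))))))))
.
2012-01-12 14:11:52 . 2012-01-12 19:52:49 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
"""


def split_sections(log_text: str) -> Dict[str, List[str]]:
    """Map each banner title to the non-padding lines beneath it; text before the
    first banner goes under "Header"."""
    sections: Dict[str, List[str]] = {"Header": []}
    current = "Header"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {".", "-", " "}:
            continue                      # "." and "-----" padding lines
        match = PAREN_BANNER.match(line) or DASH_BANNER.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def classify(path_str: str) -> Tuple[str, Optional[str]]:
    """Return (category, top-level user folder).  Anything under C:\\Users\\<name>\\
    other than AppData counts as user data and is worth a second look."""
    parts = PureWindowsPath(path_str).parts
    lowered = [p.lower() for p in parts]
    if len(parts) >= 4 and lowered[1] == "users":
        if lowered[3] == "appdata":
            return "appdata", None
        return "user_data", str(PureWindowsPath(*parts[:4]))
    return "system", None


def triage_deletions(log_text: str) -> Dict[str, object]:
    """Count deleted entries per top-level user folder; list the rest by category."""
    user_data: Dict[str, int] = {}
    appdata: List[str] = []
    system: List[str] = []
    for path_str in split_sections(log_text).get("Other Deletions", []):
        category, folder = classify(path_str)
        if category == "user_data" and folder is not None:
            user_data[folder] = user_data.get(folder, 0) + 1
        elif category == "appdata":
            appdata.append(path_str)
        else:
            system.append(path_str)
    return {"user_data": user_data, "appdata": appdata, "system": system}


def quarantine_path(original: str) -> str:
    """Original path -> where ComboFix parked it under C:\\Qoobox\\Quarantine."""
    p = PureWindowsPath(original)
    drive_letter = p.drive.rstrip(":").upper()
    return str(QUARANTINE_ROOT.joinpath(drive_letter, *p.parts[1:]))


def build_dequarantine_script(folders: List[str]) -> str:
    """CFScript text in the DEQUARANTINE:: ... QUIT:: form used in this thread."""
    return "\n".join(["DEQUARANTINE::"] + [quarantine_path(f) for f in folders] + ["QUIT::"])


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_LOG
    report = triage_deletions(text)
    print("Deleted entries under user profile folders (review before restoring):")
    for folder, count in report["user_data"].items():
        print(f"  {folder}  ({count} entries)")
    print(f"AppData entries: {len(report['appdata'])}, "
          f"system-location entries: {len(report['system'])}")
    # Candidate script: drop any folder you do not want restored before using it.
    print(build_dequarantine_script(list(report["user_data"])))
```

Flagged folders are candidates for review, not an automatic restore list: in the sample both the Desktop shortcut to the rogue program and the Media folder are flagged, and only the latter belongs in the script.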
     
  21. mark118

    mark118 TS Rookie Topic Starter Posts: 21

    Still deleted

    Files are still gone... below is the log file. It looks like for some reason it tried to delete the folder again. (under other deletions)

    ComboFix 12-01-13.03 - Mark 01/13/2012 16:11:45.2.2 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.8190.6174 [GMT -5:00]
    Running from: c:\users\Mark\Desktop\ComboFix.exe
    Command switches used :: c:\users\Mark\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Mark\AppData\Local\Temp\pdk-Mark-3144\20252d6e001ae3774b425e81ba09b666\Fcntl.dll
    c:\users\Mark\AppData\Local\Temp\pdk-Mark-3144\2076671ee5d0a5323570c92c74abac6f\Process.dll
    c:\users\Mark\AppData\Local\Temp\pdk-Mark-3144\23ae7fb85999872530b5a5d4d67a4f44\Registry.dll
    c:\users\Mark\AppData\Local\Temp\pdk-Mark-3144\23fe5d76b9491fa255db2281ac7687d5\Service.dll
    c:\users\Mark\AppData\Local\Temp\pdk-Mark-3144\2d2847f7dd2a1fddd0fdb79d9d64ba93\List.dll
    c:\users\Mark\AppData\Local\Temp\pdk-Mark-3144\6a834a555edd63cb8706466e7c1666f2\Hostname.dll
    c:\users\Mark\AppData\Local\Temp\pdk-Mark-3144\7020d50af327e3fc94b98242c307fc81\Cwd.dll
    c:\users\Mark\AppData\Local\Temp\pdk-Mark-3144\7dd16cc839f33995d1a58e2773aa29b8\WinError.dll
    c:\users\Mark\AppData\Local\Temp\pdk-Mark-3144\855297e7b4b860331fdbdd53426f5e15\Dumper.dll
    c:\users\Mark\AppData\Local\Temp\pdk-Mark-3144\86351894c58e4804ca004825fea78bbb\Encode.dll
    c:\users\Mark\AppData\Local\Temp\pdk-Mark-3144\a7c0cce4e1ac2c1f6d3e71bbe3c9bdd3\Socket.dll
    c:\users\Mark\AppData\Local\Temp\pdk-Mark-3144\b7b4505cb0a127c242f14d779e410e03\POSIX.dll
    c:\users\Mark\AppData\Local\Temp\pdk-Mark-3144\c3da4aa4c02db51c7f94d5eaf2438023\OLE.dll
    c:\users\Mark\AppData\Local\Temp\pdk-Mark-3144\f48694173221cfa9bad4275e2389b498\Win32.dll
    c:\users\Mark\AppData\Local\Temp\pdk-Mark-3144\perl510.dll
    c:\users\Mark\Media
    c:\users\Mark\Media\Music\desktop.ini
    c:\users\Mark\Media\Music\Sample Music.lnk
    c:\users\Mark\Media\Pictures\desktop.ini
    c:\users\Mark\Media\Pictures\Sample Pictures.lnk
    c:\users\Mark\Media\Videos\desktop.ini
    c:\users\Mark\Media\Videos\Sample Videos.lnk
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-13 to 2012-01-13 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-13 21:21 . 2012-01-13 21:23 -------- d-----w- c:\users\Mark\AppData\Local\Temp
    2012-01-13 21:21 . 2012-01-13 21:21 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{57E7CF3A-5BF5-46D1-9B71-6B82253E160E}\offreg.dll
    2012-01-13 21:20 . 2012-01-13 21:20 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-01-13 07:28 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{57E7CF3A-5BF5-46D1-9B71-6B82253E160E}\mpengine.dll
    2012-01-12 14:11 . 2012-01-12 19:52 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
    2012-01-12 14:11 . 2012-01-12 19:51 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2012-01-12 01:59 . 2012-01-12 18:27 -------- d-----w- C:\sh4ldr
    2012-01-12 01:59 . 2012-01-12 01:59 -------- d-----w- c:\program files\Enigma Software Group
    2012-01-12 01:58 . 2012-01-12 18:27 -------- d-----w- c:\windows\89A072791DB3485AB1DF584DF86774B9.TMP
    2011-12-26 13:36 . 2011-12-26 13:36 -------- d-----w- c:\program files\iPod
    2011-12-26 13:36 . 2011-12-26 13:37 -------- d-----w- c:\program files\iTunes
    2011-12-26 13:32 . 2011-12-26 13:32 -------- d-----w- c:\program files (x86)\Bonjour
    2011-12-26 13:32 . 2011-12-26 13:32 -------- d-----w- c:\program files\Bonjour
    2011-12-26 13:29 . 2011-12-26 13:29 -------- d-----w- c:\program files (x86)\Apple Software Update
    2011-12-15 13:04 . 2011-12-15 13:04 677136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-05-03 17:52 . 2009-05-03 17:52 74737 ----a-w- c:\program files (x86)\Uninstal.exe
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-01-13_20.38.46 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-21 03:20 . 2012-01-13 20:38 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-01-21 03:20 . 2012-01-13 21:22 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-01-21 03:20 . 2012-01-13 20:38 81920 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-01-21 03:20 . 2012-01-13 21:22 81920 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-01-21 03:20 . 2012-01-13 21:22 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2008-01-21 03:20 . 2012-01-13 20:38 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-01-21 02:23 . 2012-01-13 21:24 62090 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2006-11-02 15:45 . 2012-01-13 21:24 75212 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2009-03-03 01:39 . 2012-01-13 21:24 13944 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3867335980-3509603360-33153671-1000_UserData.bin
    + 2010-02-22 22:37 . 2012-01-13 21:00 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2010-02-22 22:37 . 2012-01-12 22:21 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2010-02-22 22:37 . 2012-01-12 22:21 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2010-02-22 22:37 . 2012-01-13 21:00 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2010-02-22 22:37 . 2012-01-12 22:21 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2010-02-22 22:37 . 2012-01-13 21:00 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-10-07 23:05 . 2012-01-12 12:22 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-10-07 23:05 . 2012-01-13 20:37 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-10-07 23:05 . 2012-01-12 12:22 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-10-07 23:05 . 2012-01-13 20:37 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2012-01-13 20:37 . 2012-01-13 20:37 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-01-13 21:21 . 2012-01-13 21:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2012-01-13 20:37 . 2012-01-13 20:37 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2012-01-13 21:21 . 2012-01-13 21:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2006-11-02 12:46 . 2012-01-13 17:40 607168 c:\windows\system32\perfh009.dat
    + 2006-11-02 12:46 . 2012-01-13 20:45 607168 c:\windows\system32\perfh009.dat
    - 2006-11-02 12:46 . 2012-01-13 17:40 104808 c:\windows\system32\perfc009.dat
    + 2006-11-02 12:46 . 2012-01-13 20:45 104808 c:\windows\system32\perfc009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
    2010-12-30 14:51 3911776 ----a-w- c:\program files (x86)\BitTorrentBar\tbBit1.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files (x86)\BitTorrentBar\tbBit1.dll" [2010-12-30 3911776]
    .
    [HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1555968]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
    "WMPNSCFG"="c:\program files (x86)\Windows Media Player\WMPNSCFG.exe" [BU]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2008-09-16 17601536]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
    "GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2011-2-19 1041920]
    Squeezebox Server Tray Tool.lnk - c:\program files (x86)\Squeezebox\SqueezeTray.exe [2011-2-6 2351191]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-13 c:\windows\Tasks\User_Feed_Synchronization-{BCD208F4-7D0F-4A27-9114-A79A3EC47B7A}.job
    - c:\windows\system32\msfeedssync.exe [2011-06-16 04:32]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-02-23 14:04 134384 ----a-w- c:\program files\Alwil Software\Avast5\ashShA64.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvSvc"="c:\windows\system32\nvsvc64.dll" [2008-10-07 724512]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 15934496]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 82464]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 134416]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.cnn.com/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    Trusted Zone: xmradio.com\player
    Trusted Zone: xmradio.com\www
    TCP: DhcpNameServer = 192.168.1.1
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{88C7F2AA-F93F-432C-8F0E-B7D85967A527} - (no file)
    WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}]
    @Denied: (A 2) (Everyone)
    @="FlashProp Class"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash9b.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\program files\ASUS\EPU-4 Engine\FourEngine.exe
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\VERIZONDM\bin\sprtsvc.exe
    c:\progra~2\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe
    c:\program files (x86)\VERIZONDM\bin\tgsrvc.exe
    c:\program files\Logitech\SetPoint\x86\SetPoint32.exe
    .
    **************************************************************************
    .
    Completion time: 2012-01-13 16:32:19 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-01-13 21:32
    ComboFix2.txt 2012-01-13 20:49
    .
    Pre-Run: 217,487,691,776 bytes free
    Post-Run: 217,953,648,640 bytes free
    .
    - - End Of File - - 82D5CCB5152F7ADF0C0E836D670AB088
     
  22. Broni

    Broni Malware Annihilator Posts: 52,900   +344

    Please pay attention.
    You didn't create the script I posted in my previous reply.
    Redo.

    When DeQuarantine.txt log is created do NOT run Combofix anymore.
     
  23. mark118

    mark118 TS Rookie Topic Starter Posts: 21

    I will do it again. I did exactly as instructed before: copied and pasted the given code into Notepad, saved it as CFScript.txt and dragged and dropped it onto the icon... and Combofix ran again.



    I will do it again and let you know.
     
  24. mark118

    mark118 TS Rookie Topic Starter Posts: 21

    Looks like it worked.

    The last time I did it, the DeQuarantine.txt came up, and all my files were back. Thank you very much.

    Is there anything else I have to do?
     
  25. Broni

    Broni Malware Annihilator Posts: 52,900   +344

    Yes.

    First of all....how is the computer doing?

    Then....

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
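Editor's note (added example, not part of any post in this thread and not OTL's or ComboFix's own code): the ComboFix log mark118 posted earlier records `EnableLUA = 0` and `ConsentPromptBehaviorAdmin = 0` under the system policies key, which means UAC was switched off on this machine at scan time, and the OTL custom scan above checks the same kinds of locations (Run keys, scheduled task jobs, executables dropped into the Fonts folder). The script below reads those same values and locations with standard PowerShell cmdlets so a reader can verify the state of their own machine after cleanup. All paths and key names are the standard Windows ones shown in the thread; nothing else is assumed.

```powershell
# Added example: audit the UAC policy values and auto-start locations that the
# ComboFix log and OTL custom scan in this thread look at. Read-only; changes nothing.

# 1. UAC policy values (ComboFix showed both as 0, i.e. UAC disabled)
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy    = Get-ItemProperty -Path $policyKey
$uacState  = if ($policy.EnableLUA -eq 1) { 'enabled' } else { 'DISABLED' }
[pscustomobject]@{
    EnableLUA                  = $policy.EnableLUA
    ConsentPromptBehaviorAdmin = $policy.ConsentPromptBehaviorAdmin
    UAC                        = $uacState
} | Format-List

# 2. Run keys: native and 32-bit (Wow6432Node) views on 64-bit Windows, plus the user hive
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path -Path $key) {
        # Drop the PS* metadata properties so only the real value names remain
        (Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS*).PSObject.Properties |
            ForEach-Object {
                [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value }
            }
    }
}

# 3. Legacy scheduled task job files, the folder ComboFix listed under 'Scheduled Tasks'
Get-ChildItem -Path "$env:windir\Tasks" -Filter *.job -ErrorAction SilentlyContinue |
    Select-Object -Property Name, LastWriteTime

# 4. Executable content in the Fonts folder (one of the OTL custom-scan checks above);
#    a clean system normally has none of these file types there.
Get-ChildItem -Path "$env:windir\Fonts" -Include *.exe, *.dll, *.com -Recurse -ErrorAction SilentlyContinue |
    Select-Object -Property FullName, Length, LastWriteTime
```

Run it from an elevated PowerShell prompt so the HKLM keys and the Fonts folder are readable. Anything listed in sections 2 to 4 that you do not recognise is worth comparing against the ComboFix output already posted, and an `EnableLUA` of 0 after cleanup is a setting to restore rather than leave as is, since with UAC off any program the user launches already runs with full administrator rights.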
     
