Solved Wipe out all programs


comphelp79

I have a similar problem to this guy:

"After frustration with some web search hijacking, I learned about "Hijack This". I loaded it and ran it. When it came back with 3 pages of problems, I did a dumb thing - and fixed them all. The only change I could see is that the desktop background stays standard XP blue. I have tried to change it (right click on desktop and properties - desktop) but it doesn't allow any of the options there to activate other than color. "

For me, not only is my desktop background not working, I managed to completely remove all my programs. When I click on the Start menu and then 'All Programs', to my horror it is empty. When I ran the "Hijack This" program, I thought I only fixed the ones that stated "O4 - HKLM\..\Run: [Brong32] TorontoMail.exe", in safe mode under Administrator and under my user name, and when I rebooted All Programs was empty and I could not do the System Restore to bring everything back. Everything is gone: Microsoft Office, iTunes, Adobe, RealPlayer, everything!! :(

In the forum thread from this guy above, you had given him a link (https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/ "Trojan Pakes and other nasties preliminary removal instructions") and told him to follow all the instructions. I started with step 1 and realized the thread was from back in 2006. What can I do to restore everything? Should I continue to follow the steps? Please help!!! I also attach a "Hijack This" log.
 

Attachment: hijackthis.log (8 KB)
You will find several places in the stickies above that tell you not to follow directions for malware cleaning given to someone else. We do not use HijackThis to 'screen' for malware. There is a possibility that you have malware from the Rogue Error Fix. One of its actions is to show all programs missing in order to get you to click on a site to 'fix' the problem.

Please advise me if you are a member of Facebook.

If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
as instructed

Bobbye, here are the logs per the step 6 instruction. I am a member of Facebook; my username is [Name deleted for privacy]. Please let me know what I need to do next to restore all my files and programs :)

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6220

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

3/30/2011 5:49:12 PM
mbam-log-2011-03-30 (17-49-12).txt

Scan type: Quick scan
Objects scanned: 158862
Time elapsed: 7 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3} (Adware.Gamevance) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\19717940.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\pxxpekijomnaxjk.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
-----------------------------------------------------------------------------------------------------

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit quick scan 2011-03-30 18:10:39
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T1L0-1b MDT_MD800AB-00CBA1 rev.04.07B04
Running: n2rst5oq.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fwddyfob.sys


---- Threads - GMER 1.0.15 ----

Thread System [4:132] 85CFBE84
Thread System [4:136] 85CFE084

---- EOF - GMER 1.0.15 ----

------------------------------------------------------------------------------------------------

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/30/2009 7:02:26 PM
System Uptime: 3/30/2011 6:07:27 PM (0 hours ago)
.
Motherboard: | | MS-7139
Processor: AMD Athlon(tm) 64 Processor 4000+ | Socket 939 | 2399/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 75 GiB total, 45.726 GiB free.
D: is CDROM (CDFS)
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: System Interrupt Controller
Device ID: PCI\VEN_1106&DEV_5336&SUBSYS_00000000&REV_00\3&2411E6FE&0&05
Manufacturer:
Name: System Interrupt Controller
PNP Device ID: PCI\VEN_1106&DEV_5336&SUBSYS_00000000&REV_00\3&2411E6FE&0&05
Service:
.
==== System Restore Points ===================
.
RP177: 1/26/2011 10:41:35 PM - Removed Norton SystemWorks 2002
RP178: 1/26/2011 10:48:43 PM - CA Internet Security Suite
RP179: 1/29/2011 9:18:50 AM - System Checkpoint
RP180: 1/30/2011 3:24:49 PM - System Checkpoint
RP181: 2/3/2011 8:53:18 PM - System Checkpoint
RP182: 2/6/2011 6:53:35 PM - System Checkpoint
RP183: 2/9/2011 10:00:34 PM - System Checkpoint
RP184: 2/10/2011 12:50:54 AM - Software Distribution Service 3.0
RP185: 2/12/2011 10:05:44 AM - System Checkpoint
RP186: 2/13/2011 3:08:10 PM - System Checkpoint
RP187: 2/16/2011 7:31:45 PM - System Checkpoint
RP188: 2/18/2011 7:13:17 PM - System Checkpoint
RP189: 2/19/2011 7:58:51 PM - System Checkpoint
RP190: 2/21/2011 5:12:53 PM - System Checkpoint
RP191: 3/1/2011 8:11:13 PM - System Checkpoint
RP192: 3/6/2011 1:00:46 PM - System Checkpoint
RP193: 3/8/2011 10:03:00 PM - System Checkpoint
RP194: 3/9/2011 12:37:43 AM - Software Distribution Service 3.0
RP195: 3/10/2011 10:20:14 PM - System Checkpoint
RP196: 3/11/2011 9:44:08 AM - Software Distribution Service 3.0
RP197: 3/12/2011 5:52:32 PM - System Checkpoint
RP198: 3/13/2011 8:32:04 PM - System Checkpoint
RP199: 3/15/2011 10:19:23 PM - System Checkpoint
RP200: 3/17/2011 4:00:01 PM - Software Distribution Service 3.0
RP201: 3/19/2011 10:46:31 AM - System Checkpoint
RP202: 3/22/2011 7:11:34 PM - System Checkpoint
RP203: 3/23/2011 8:19:19 PM - System Checkpoint
RP204: 3/23/2011 10:18:51 PM - Software Distribution Service 3.0
RP205: 3/27/2011 12:48:42 PM - System Checkpoint
RP206: 3/28/2011 8:51:19 PM - System Checkpoint
RP207: 3/30/2011 1:23:16 AM - Removed MobileMe Control Panel
.
==== Installed Programs ======================
.
"Nero SoundTrax Help
32 Bit HP CIO Components Installer
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.1
Adobe Shockwave Player 11.5
Advertising Center
Agere Systems PCI Soft Modem
AMRT
AOL Uninstaller (Choose which Products to Remove)
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Auslogics BoostSpeed
Avira AntiVir Personal - Free Antivirus
Bonjour
BufferChm
CA Anti-Virus Plus
CA Internet Security Suite
Compatibility Pack for the 2007 Office system
Copy
CustomerResearchQFolder
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DivX Setup
DJ_AIO_03_F4200_ProductContext
DJ_AIO_03_F4200_Software
DJ_AIO_03_F4200_Software_Min
DolbyFiles
Download Updater (AOL LLC)
DVD Decrypter (Remove Only)
Elecard MPEG-2 Decoder&Streaming Plug-in for WMP
eSupportQFolder
F4200
F4200_Help
Google Toolbar for Internet Explorer
Google Update Helper
GPBaseService
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Customer Participation Program 11.0
HP Deskjet F4200 All-In-One Driver Software 11.0 Rel .3
HP Imaging Device Functions 11.0
HP Solution Center 11.0
HP Update
HPProductAssistant
ImagXpress
iTunes
Java Auto Updater
Java(TM) 6 Update 23
LiveReg (Symantec Corporation)
LiveUpdate 1.6 (Symantec Corporation)
Malwarebytes' Anti-Malware
MarketResearch
Menu Templates - Starter Kit
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Movie Templates - Starter Kit
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 9
Nero Burning ROM Help
Nero BurnRights
Nero ControlCenter
Nero CoverDesigner
Nero CoverDesigner Help
Nero Disc Copy Gadget
Nero Disc Copy Gadget Help
Nero DiscSpeed
Nero DriveSpeed
Nero Express Help
Nero InfoTool
Nero Installer
Nero Live
Nero Live Help
Nero PhotoSnap
Nero PhotoSnap Help
Nero Recode
Nero Recode Help
Nero Rescue Agent
Nero RescueAgent Help
Nero ShowTime
Nero StartSmart
Nero StartSmart Help
Nero Vision
Nero WaveEditor
Nero WaveEditor Help
NeroBurningROM
NeroExpress
NeroLiveGadget
NeroLiveGadget Help
neroxml
OGA Notifier 2.0.0048.0
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RealUpgrade 1.1
Respondus LockDown Browser
Safari
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB2482017)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SolutionCenter
SoundTrax
Status
Symantec WinFax Basic Edition
Toolbox
TrayApp
Uninstall AOL Emergency Connect Utility 1.0
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB960763)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.4053
VIA Audio Driver Setup Program
VIA/S3G Display Driver 6.14.10.0071
Viewpoint Media Player
WebFldrs XP
WebReg
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player Hotfix [See Q828026 for more information]
Windows XP Service Pack 3
Yahoo! Install Manager
Yahoo! Search Protection
Yahoo! Software Update
Yahoo! Toolbar
.
==== Event Viewer Messages From Past Week ========
.
3/30/2011 6:08:57 PM, error: System Error [1003] - Error code 0000007a, parameter1 c07b9f00, parameter2 c000000e, parameter3 f73e050c, parameter4 250a1860.
3/30/2011 5:26:38 PM, error: Service Control Manager [7034] - The Yahoo! Updater service terminated unexpectedly. It has done this 1 time(s).
3/30/2011 5:26:38 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
3/30/2011 5:26:38 PM, error: Service Control Manager [7034] - The CAISafe service terminated unexpectedly. It has done this 1 time(s).
3/30/2011 5:26:38 PM, error: Service Control Manager [7034] - The CaCCProvSP service terminated unexpectedly. It has done this 1 time(s).
3/30/2011 5:26:38 PM, error: Service Control Manager [7034] - The CAAMSvc service terminated unexpectedly. It has done this 1 time(s).
3/30/2011 5:26:38 PM, error: Service Control Manager [7034] - The CA Common Scheduler Service service terminated unexpectedly. It has done this 1 time(s).
3/30/2011 5:26:38 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
3/30/2011 5:26:38 PM, error: Service Control Manager [7034] - The Agere Modem Call Progress Audio service terminated unexpectedly. It has done this 1 time(s).
3/30/2011 5:26:38 PM, error: Service Control Manager [7031] - The Nero BackItUp Scheduler 4.0 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 500 milliseconds: Restart the service.
3/30/2011 5:26:38 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
3/30/2011 5:26:37 PM, error: Service Control Manager [7034] - The HIPS Policy Manager service terminated unexpectedly. It has done this 1 time(s).
3/30/2011 5:26:37 PM, error: Service Control Manager [7034] - The HIPS Event Manager service terminated unexpectedly. It has done this 1 time(s).
3/30/2011 5:26:37 PM, error: Service Control Manager [7034] - The HIPS Configuration Interpreter service terminated unexpectedly. It has done this 1 time(s).
3/30/2011 3:04:49 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
3/30/2011 3:04:49 AM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\Owner\LOCALS~1\Temp\RarSFX0\redist.dll. Reference error message: The operation completed successfully. .
3/30/2011 3:04:49 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
3/30/2011 1:35:10 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips KmxAgent KmxStart Processor
3/30/2011 1:34:14 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/30/2011 1:33:54 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service UmxPol with arguments "-Service" in order to run the server: {4C89C3FD-5F94-4678-BBB5-F64759C3C54A}
3/28/2011 6:06:17 PM, error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
3/27/2011 6:54:13 PM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 85acd3f8, parameter3 85acd56c, parameter4 805c8d78.
3/27/2011 6:54:07 PM, error: System Error [1003] - Error code 00000077, parameter1 c000000e, parameter2 c000000e, parameter3 00000000, parameter4 00af1000.
.
==== End Of File ===========================
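The Malwarebytes log above is the part of this post that explains the symptoms: the three "Registry Data Items" are Windows policy values that had been set to 1 (Bad) and were reset to 0 (Good), which is exactly what locks Display Properties and Task Manager, and the two "Files Infected" entries are the rogue (Rogue.FakeHDD) and its downloader. The following Python script is an added example, not code from this thread or from Malwarebytes: it parses the 1.x text log format, pulls every detection out of its section, and maps each PUM.Hijack value name to the symptom a user would report. The sample log is copied from the lines posted above (summary block trimmed to one line); the DisableRegistryTools mapping is a well-known sibling policy value that I added and that does not appear in this log.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and explain the
PUM.Hijack.* "Registry Data Items" (Windows policy values malware flips
to lock the user out of Display Properties, Task Manager, etc.)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Detail-section headers end with a bare colon. The summary block at the
# top repeats the same names followed by a count ("... Infected: 3"), so
# anchoring the colon at end of line keeps the two apart.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")

# One detection line:
#   <path> (<threat>) [-> Bad: (<bad>) Good: (<good>)] -> <action>.
ITEM_RE = re.compile(
    r"^(?P<path>.+?) \((?P<threat>[^()]+)\)"
    r"(?: -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\))?"
    r" -> (?P<action>.+?)\.?$"
)

# Policy value name -> user-visible symptom. The first two are in the log
# on this page; DisableRegistryTools is an extra well-known value (assumed).
POLICY_SYMPTOMS: Dict[str, str] = {
    "NoChangingWallPaper": "Display Properties locked; wallpaper cannot be changed",
    "DisableTaskMgr": "Task Manager refuses to open",
    "DisableRegistryTools": "regedit refuses to open",
}

# Lines copied from the Malwarebytes 1.50 log posted in this thread.
SAMPLE_LOG = r"""
Registry Data Items Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3} (Adware.Gamevance) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\19717940.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\pxxpekijomnaxjk.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""


@dataclass
class Detection:
    section: str
    path: str
    threat: str
    action: str
    bad: Optional[str] = None   # only set for Registry Data Items
    good: Optional[str] = None

    @property
    def value_name(self) -> str:
        """Last path component: the registry value name or the file name."""
        return self.path.rsplit("\\", 1)[-1]


def parse_mbam_log(text: str) -> List[Detection]:
    """Walk the log line by line, remembering which section we are in."""
    found: List[Detection] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section is None or line == "(No malicious items detected)":
            continue
        m = ITEM_RE.match(line)
        if m:
            found.append(Detection(section=section, **m.groupdict()))
    return found


def policy_hijacks(detections: List[Detection]) -> List[Dict[str, str]]:
    """Translate each Registry Data Item into hive, value, old/new data, symptom."""
    out: List[Dict[str, str]] = []
    for d in detections:
        if d.section != "Registry Data Items Infected":
            continue
        out.append({
            "hive": d.path.split("\\", 1)[0],
            "value": d.value_name,
            "was": d.bad or "?",
            "restored_to": d.good or "?",
            "symptom": POLICY_SYMPTOMS.get(d.value_name, "unknown policy; look it up"),
        })
    return out


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    print(f"{len(dets)} detections")
    for h in policy_hijacks(dets):
        print(f"{h['hive']}\\...\\{h['value']}: was {h['was']}, "
              f"restored to {h['restored_to']} -> {h['symptom']}")
```

Note that the HKLM copy of DisableTaskMgr applies to every account on the machine, which is why cleaning only under one user name (as the first post describes) would not have been enough; a log that shows the same value under both hives is a hint that the rogue ran with administrator rights.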
 
Sorry, I didn't mean to ask for your name. I'm going to delete the name for your privacy. Please see the thread I posted a few days ago: https://www.techspot.com/vb/topic162959.html
=====================================
You have multiple antivirus programs loading:
Avira AntiVir Personal - Free Antivirus> To uninstall Avira:
  • Start> Settings> Control Panel> Add or Remove Programs (Windows 2000/ XP) or Start - Control Panel - Uninstall a program (Windows Vista / 7)
  • Wait for the list of installed programs to load, then click the name of the Avira program.
  • Click Remove next to the program's name (Windows 2000 / XP) or in the menu above the list (Windows Vista / 7).
  • Press Yes, to confirm the removal and then OK.
  • Click Next until Finish. The software is removed.
CA Anti-Virus Plus
CA Internet Security Suite > Removal Tools
LiveReg (Symantec Corporation) > Norton Removal Tool
LiveUpdate 1.6 (Symantec Corporation)

You should only run one antivirus program and one firewall. Please remove any of the above to get down to that. I have included removal tools to help. The multiple AV programs actually make the system more vulnerable. Please reboot the computer when through.
=====================================
Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
  10. Click anywhere in the post where you want the logs to go, then do Ctrl+V. The log will be sent from the clipboard and pasted in the post.
  11. Re-enable your Antivirus software.
    NOTE: If you forget to copy to the clipboard you can find the log here:
    C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
===================================
Download Combofix from HERE or HERE: http://www.forospyware.com/sUBs/ComboFix.exe and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message (screenshot: whatnext.png):
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated and it will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
awesome

Thank you very much Bobbye :grinthumb. I followed your instructions and everything is back, YAY!!! I will never again attempt to clean a virus without proper knowledge. :eek: Is there anything else I need to do? :)

Here's the log from the Eset NOD32 run:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17095 (vista_gdr.101217-1830)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=60f54571e990b54ead06e2dc9ac10891
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-03-31 11:00:37
# local_time=2011-03-31 07:00:37 (-0500, Eastern Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=55712
# found=1
# cleaned=0
# scan_time=3602
C:\Documents and Settings\Owner\Application Data\Auslogics\Rescue\One Button Checkup\090508233518609.rsc Win32/Toolbar.AskSBar application (unable to clean) 00000000000000000000000000000000 I
can not get scanner. e_gle=1001
DLL:pipe not connected. attempts=120
can not get scanner. e_gle=1001
DLL:pipe not connected. attempts=120
can not get scanner. e_gle=1001
DLL:pipe not connected. attempts=120
 
I am concerned about the text at the end of the Eset log. Before I do anything with that entry, I'd like for you to run a different online virus scan to compare:
Run Kaspersky Online Scanner in Internet Explorer

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click Accept and the web scanner will begin to load
  • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
  • You will be prompted to install an ActiveX component from Kaspersky, click Install
  • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT and then Scan Settings
  • In the scan settings make sure that the following are selected:
    [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
    [o] Scan Options: Scan Archives> Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    [o] Select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save as Text button and save the file to your desktop
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
===========================================
I tried to identify the app data where you got the adware using different combinations of Auslogics\Rescue\One Button Checkup\090508233518609.rsc but I could not. I also looked at the installed programs and don't see anything related there. I found a Norton One Button Checkup but not Auslogics.

The Askbar is frequently pre checked on some download screens, so you should always look to see if anything is checked before downloading.

Edit: Have you run Combofix yet? Log?
 
I just moved to a new place and have not installed my computer yet; I'm using my cousin's computer currently. When I set up my computer I will run the Kaspersky online scan and post the log. Thanks. I should have the result by this weekend.
 
Sorry, Kaspersky Online Scanner would not scan properly. I took a screen shot of the error message, but I had to post it in an attachment. Please tell me what I did wrong.
 

Attachment: Doc1.doc (182.5 KB)
Sorry, but it's not safe for me to open a .doc file.

Please update and run the Eset scan again. I also need the Combofix log.
 
This is the error message when I ran the Kaspersky Online Scanner:

"Update has failed. The program could not be started. Please close the window of Kaspersky Online Scanner 7.0 and start the program again from the web site of Kaspersky Lab.
Successful updating of Kaspersky Online Scanner 7.0 and scanning of your computer requires an uninterrupted internet connection. Please make sure that the internet connection is established. {Error: License has expired}"

Here's the ComboFix log:

ComboFix 11-03-31.01 - Owner 03/31/2011 19:29:08.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.644 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\Desktop\Windows Repair.lnk
c:\documents and settings\Owner\Start Menu\Programs\Windows Repair
c:\documents and settings\Owner\Start Menu\Programs\Windows Repair\Uninstall Windows Repair.lnk
c:\documents and settings\Owner\Start Menu\Programs\Windows Repair\Windows Repair.lnk
c:\windows\system32\spool\prtprocs\w32x86\WFXPNT40.DLL
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-31 )))))))))))))))))))))))))))))))
.
.
2011-03-31 21:55 . 2011-03-31 21:55 -------- d-----w- c:\program files\ESET
2011-03-30 21:37 . 2011-03-30 21:37 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2011-03-30 21:37 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-30 21:37 . 2011-03-30 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-30 21:37 . 2011-03-30 21:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-30 05:33 . 2011-03-30 05:33 -------- d-----w- c:\documents and settings\Administrator
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2006-02-28 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2006-02-28 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-06 23:46 . 2011-01-27 03:50 95568 ----a-w- c:\windows\system32\vetredir.dll
2011-02-06 23:46 . 2011-01-27 03:50 128336 ----a-w- c:\windows\system32\isafeif.dll
2011-02-02 07:58 . 2009-04-30 22:56 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2009-04-30 22:56 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2006-02-28 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2006-02-28 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AudioDeck.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AudioDeck.lnk
backup=c:\windows\pss\AudioDeck.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^On-Line Registration.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\On-Line Registration.lnk
backup=c:\windows\pss\On-Line Registration.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PowerDVD Help.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PowerDVD Help.lnk
backup=c:\windows\pss\PowerDVD Help.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PowerDVD.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PowerDVD.lnk
backup=c:\windows\pss\PowerDVD.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Readme.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Readme.lnk
backup=c:\windows\pss\Readme.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^System Diagnostic.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\System Diagnostic.lnk
backup=c:\windows\pss\System Diagnostic.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Uninstall PowerDVD.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Uninstall PowerDVD.lnk
backup=c:\windows\pss\Uninstall PowerDVD.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 09:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-03-26 01:27 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
2009-02-03 13:15 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2009-02-03 13:15 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1273802316\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.5\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2010 5:19 PM 135664]
S3 Vsp;Vsp;c:\windows\system32\drivers\vsp.sys [4/30/2009 7:51 PM 3351]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-03-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-08 21:19]
.
2011-03-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-08 21:19]
.
2011-03-31 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
.
2011-03-31 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-527237240-1580436667-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-03-31 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-527237240-1580436667-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fptb-tyc7
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
DPF: {06D59DC6-5304-432D-A1CE-67E531410F9F} - hxxps://bp.cfdfl.com/BusinessPortal/UI/ResultViewer/Scripts/MBFWebBehaviors.cab
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Agere Systems Soft Modem - c:\windows\agrsmdel
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-31 19:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-03-31 19:34:46
ComboFix-quarantined-files.txt 2011-03-31 23:34
.
Pre-Run: 49,358,909,440 bytes free
Post-Run: 49,814,859,776 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 0777B035FD3A4153F4D74AFF65E25A24
 
aaahhhggg!!!

My cousin watched an adult movie online on my computer and got a virus and now we are back to square one. :( I want to hit something :blackeye:

I tried to run ComboFix but since I already downloaded it last time, it would not let me. Is the Windows Restore part of ComboFix? It tried to do a diagnostic test and I stopped it since I was not sure which program it was.
Bobbye, please tell me what I need to do to restore all my files and programs, and to prevent any more of these shenanigans from happening. My computer keeps rebooting and it is very annoying. :mad:
 
Sorry for all the posts :)

I ran Malwarebytes Anti-Malware and removed the Windows Restore Trojan virus, and I also ran unhide.ex to unhide my files and programs. :) Below is the log from Malwarebytes. Bobbye, how can I make sure the Windows Restore virus is completely gone from my PC?


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6320

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

4/9/2011 1:49:51 PM
mbam-log-2011-04-09 (13-49-51).txt

Scan type: Quick scan
Objects scanned: 160208
Time elapsed: 6 minute(s), 53 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
c:\documents and settings\all users\application data\tfhewclbgi.exe (Trojan.FakeAlert) -> 1820 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfHEwclbGi (Trojan.FakeAlert) -> Value: tfHEwclbGi -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\Owner\start menu\Programs\windows restore (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\all users\application data\tfhewclbgi.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\start menu\Programs\windows restore\uninstall windows restore.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\start menu\Programs\windows restore\windows restore.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
 
There is a line in my first reply> it's in red for a reason:
Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
================================================
Doing a System Restore from a Command line:
Boot into Safe Mode
  1. Restart your computer and start pressing the F8 key on your keyboard.
  2. Use the arrow keys to select the Safe Mode with a Command prompt option.> press Enter.
  3. If you are prompted to select an operating system, use the arrow keys to select the appropriate operating system for your computer, and then press ENTER.
  4. Log on as an administrator or with an account that has administrator credentials.
  5. At the command prompt, type %systemroot%\system32\restore\rstrui.exe, and then press ENTER.
  6. Follow the instructions that appear on the screen to restore your computer to a functional state.
  7. You ran HijackThis (Scan saved at 2:00:04 AM, on 3/30/2011).
     Choose this Restore Point: RP207: 3/30/2011 1:23:16 AM - Removed MobileMe Control Panel
Reboot the computer into Normal Mode when through
==========================================
Uninstall the HijackThis program and delete the log. You saved the log to a temp folder instead of the directory on the C drive, so it did not make any backups.
============================================
Repeat this scan: Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
  10. Click anywhere in the post where you want the logs to go, then do Ctrl+V. The log will be sent from the clipboard and pasted in the post.
  11. Re-enable your Antivirus software.
    NOTE: If you forget to copy to the clipboard you can find the log here:
    C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
The programs I have you run aren't random. They are given to you at a specific time for a specific reason. I asked you to run the Eset Online Virus scan again because I'm not sure whether the connection to the site was lost or whether some other problem came up.
================================================
Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
===============================================
Download a new copy of Combofix from HERE or HERE: http://www.forospyware.com/sUBs/ComboFix.exe and save it to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    [image: whatnext.png]
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in next reply.
Re-enable your Antivirus software.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
=====================================
Paste the new Eset scan and Combofix log in your next reply.
========================================
1. Please do not do anything else.
2. Don't run any other scans. Don't delete anything unless I instruct you to.
3. Keep your cousin away from the computer. Tell him if he goes on it again he will have to pay a tech to fix the computer> think about $300.00
 
Sorry :(

The system restore did work for RP207: 3/30/2011 1:23:16 AM - Removed MobileMe Control Panel. I tried it 2x.

I'm sorry Bobbye--the programs that I ran to get rid of the "Windows Restore virus" were Malwarebytes Anti-Malware and I ran unhide.ex -- nothing else, I swear.
 
Did you get the programs back okay?

About this: Mbam handles these entries. I got the impression from your comments that you had done additional removals for these files:
c:\documents and settings\Owner\start menu\Programs\windows restore\uninstall windows restore.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\start menu\Programs\windows restore\windows restore.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.


Tell me what this is: unhide.ex
 
After that ***** cousin of mine messed up my computer, the Windows Restore virus was installed and it kept rebooting my computer. So I ran Malwarebytes Anti-Malware, one of the programs you told me to download when you were first helping me. I ran unhide.exe because all my files, internet favorites and programs were "empty"/hidden -- so unhide.exe made them visible again. I posted the log for you to view.

It seems my PC is vulnerable to trojan viruses -- even with Avira antivirus and anti-malware. Any suggestions?
 
OK, so I was not as clever as I thought. Another virus!! This time MS Removal Tool hacked my computer and will not let me run Malwarebytes Anti-Malware or Avira to clean it.
 
You don't need to run a program to view hidden files & folders:
Show Hidden Folders/Files
  • Open My Computer.
    • Go to Tools > Folder Options.
    • Select the View tab.
    • Scroll down to Hidden files and folders.
    • Select Show hidden files and folders.
    • Uncheck (untick) Hide extensions of known file types.
    • Uncheck (untick) Hide protected operating system files (Recommended).
    • Click Yes when prompted.
    • Click OK.
    • Close My Computer.

Rehide the files and folders.
=============================================
Please focus only on what I am instructing you to do. If Mbam found this malware and quarantined and deleted it, you did not have to take any further action at that point.
Your programs were not missing! The Rogue.ErrorFix hid them to make you think they were gone and you had to use their program to fix the 'error.'
===============================================
Reply #14:
========================================
Paste the new Eset scan and Combofix log in your next reply.
========================================
1. Please do not do anything else.
2. Don't run any other scans. Don't delete anything unless I instruct you to.

Repeating:
Your programs were not missing! The Rogue.ErrorFix hid them to make you think they were gone and you had to use their program to fix the 'error.'
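As an added example, not from this thread and not code from Malwarebytes, ComboFix or unhide.exe: a PowerShell audit of the three policy values named in the Mbam log above (the wallpaper lock and the two Task Manager locks) and of Start Menu shortcuts carrying the Hidden attribute, which is what made "All Programs" look empty. The -Fix switch and the Start Menu lookup via [Environment]::GetFolderPath are my assumptions, and the script goes a little beyond the page by resolving those folders on later Windows versions as well as XP.

```powershell
# Added example, not part of the thread or of any tool it names: report (and,
# with -Fix, clear) the policy values Mbam flagged, then list Start Menu
# shortcuts that are merely hidden rather than deleted.
param([switch]$Fix)

# Registry paths and value names are the ones from the Mbam log in this thread.
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallPaper' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableTaskMgr' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableTaskMgr' }
)

foreach ($c in $policyChecks) {
    $value = $null
    if (Test-Path $c.Path) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($item) { $value = $item.($c.Name) }
    }
    if ($null -eq $value -or $value -eq 0) {
        # Absent or 0 is the normal state: no restriction in force.
        "{0}\{1}: ok (not set or 0)" -f $c.Path, $c.Name
    } else {
        "{0}\{1}: {2}  <-- restriction active" -f $c.Path, $c.Name, $value
        if ($Fix) {
            # Deleting the value restores the default (unrestricted);
            # the HKLM entry needs an elevated/administrator session.
            Remove-ItemProperty -Path $c.Path -Name $c.Name
            "    removed"
        }
    }
}

# Per-user and All Users Start Menu folders, resolved by Windows so the same
# script works on XP and on later versions (assumption: both are reachable).
$startMenus = @(
    [Environment]::GetFolderPath('Programs'),
    [Environment]::GetFolderPath('CommonPrograms')
)
foreach ($root in $startMenus) {
    if (-not $root -or -not (Test-Path $root)) { continue }
    # -Force is required; without it hidden entries are skipped, exactly as in
    # Explorer with the default "Do not show hidden files" setting.
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } |
        ForEach-Object {
            "hidden: $($_.FullName)"
            if ($Fix) {
                # Clear only the Hidden bit and leave the other attributes alone.
                $_.Attributes = $_.Attributes -bxor [IO.FileAttributes]::Hidden
                "    unhidden"
            }
        }
}
```

Run it once without -Fix to see what the rogue changed, and only rerun with -Fix after the malware itself has been removed, otherwise the running process simply re-applies the policies and attributes.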
 
Hi Bobbye, I have not used my computer in a while so I just read your post.

"Uncheck (untick) Hide protected operating system files (Recommended)"
I followed everything you said even though it stated that deleting or editing will make my system inoperable.

Anyway, I still have a long way to go to finish cleaning my system thanks to my cousin. I still have that pesky windows recovery virus in my PC. Now I have an internet script error where I hear commercials or radio announcements in the background; sometimes the script error is (http://gamesweaseltv.mevio.com/?utm...85_21983&utm_source=088aebc&utm_medium=088aeb) but mevio is the main site.

Also my Internet Explorer favorites are still missing, but my files are viewable. I did a system restore to 3 days ago to see if that windows recovery virus would go away but somehow it still left a few of its friends in my computer.

Remember the system restore for the date 3/30/2011 1:23:16 AM - Removed MobileMe Control Panel that you had asked me to do did not work.
 
I try very hard to anticipate what a user might see and tell them how to deal with it:

  • Uncheck (untick) Hide protected operating system files (Recommended).
  • Click Yes when prompted.

I would hardly send you to do something that would hurt the system.
=====================================
Bad decision:
I did a system restore to 3 days ago to see if that windows recovery virus would go away but somehow it still left a few of its friends in my computer.
I chose that one particular restore date for a reason.
=====================================
Bottom line: If you want me to help clean the malware off of the system, you should only run what I instruct you to run and you should follow my directions explicitly. If you are going to do that, I will continue support. If not, I'll close the thread.
 
Below is the ComboFix log I did on 3/31. Still waiting on your instructions, since the system restore you wanted for 3/31 did not work, so I could not follow the instructions that followed. My internet favorites are missing and each time I Google or Yahoo search something I keep getting redirected. It took me 3 tries to get to the TechSpot forum.

 
We need to get on the same page here:

Regarding the Restore Point I asked you to use: You first said:
The system restore did work for RP207: 3/30/2011 1:23:16 AM - Removed MobileMe Control Panel. I tried it 2x.

Then, several replies later you said:
the system restore you wanted for 3/31 did not work.

Regarding hidden files and folders:
I gave you the following only to advise you that you did not need to run the program you did in order to show these files. It was for information only, not meant for you to do it then. And the directions clearly state for you to confirm Yes, but you didn't read that, instead leaving the following comment:
"Uncheck (untick) Hide protected operating system files (Recommended)"
I followed everything you said even though it stated that deleting or editing will make my system inoperable.

We never got your system clean before someone else got on it and added to the problems. That meant essentially that we had to start over. So here's what you need to do:
1. Update and rescan with Malwarebytes.
2. Uninstall, then download fresh ComboFix and do a new scan.
3. Give me a good description of the system problems now.

Nothing else.
Leave new logs for MBAM and ComboFix in your next reply.
I do not want any old logs.
 
Miscommunication

Hi Bobbye,
Sorry for all the confusing posts. The Restore Point RP207: 3/30/2011 1:23:16 AM - Removed MobileMe Control Panel did not work. Sorry if I put the wrong date. That's what I meant in my previous post.

What I did wrong was a different system restore to this past Thursday 4/14/11 to get rid of the Windows Restore virus. This virus deleted my IE favorites, redirected my Google search and left an IE script error on my PC that will not go away. This is what has been happening so far.

The logs for Malwarebytes and ComboFix are posted in another post.
 
The log is too long so I have to break it into 3 posts.

ComboFix 11-04-16.03 - Owner 04/17/2011 12:42:24.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.640 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\WINDOWS
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2011-03-17 to 2011-04-17 )))))))))))))))))))))))))))))))
.
.
2011-04-17 01:38 . 2011-03-04 20:11 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-04-17 01:38 . 2011-03-04 18:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-04-17 01:38 . 2010-06-17 18:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-04-17 01:38 . 2010-06-17 18:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-04-17 01:38 . 2011-04-17 01:38 -------- d-----w- c:\program files\Avira
2011-04-17 01:38 . 2011-04-17 01:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-04-17 01:29 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-16 06:20 . 2011-04-16 06:20 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-13 02:59 . 2011-04-13 03:12 -------- d-----w- c:\program files\BearShare Applications
2011-04-13 02:33 . 2011-04-13 02:44 -------- d-----w- c:\program files\FrostWire
2011-04-13 01:13 . 2011-04-17 00:42 -------- d-----w- c:\program files\iMesh Applications
2011-04-13 01:12 . 2011-04-13 01:12 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PackageAware
2011-04-12 03:14 . 2011-04-17 01:38 -------- d-----w- c:\program files\CA
2011-04-12 03:05 . 2011-04-12 03:05 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
2011-03-31 21:55 . 2011-03-31 21:55 -------- d-----w- c:\program files\ESET
2011-03-30 21:37 . 2011-03-30 21:37 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2011-03-30 21:37 . 2011-03-30 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-30 21:37 . 2011-04-17 01:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-30 05:33 . 2011-04-16 06:20 -------- d-----w- c:\documents and settings\Administrator
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-12 03:17 . 2011-01-27 03:50 95568 ----a-w- c:\windows\system32\vetredir.dll
2011-04-12 03:17 . 2011-01-27 03:50 128336 ----a-w- c:\windows\system32\isafeif.dll
2011-03-07 05:33 . 2009-04-30 22:57 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2006-02-28 12:00 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2006-02-28 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 19:00 . 2006-02-28 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 19:00 . 2006-02-28 12:00 78336 ------w- c:\windows\system32\ieencode.dll
2011-02-17 19:00 . 2006-02-28 12:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-02-17 19:00 . 2006-02-28 12:00 17408 ------w- c:\windows\system32\corpol.dll
2011-02-17 13:18 . 2006-02-28 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2006-02-28 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-05-04 00:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-17 11:44 . 2006-02-28 12:00 389120 ------w- c:\windows\system32\html.iec
2011-02-15 12:56 . 2006-02-28 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2006-02-28 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2006-02-28 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2006-02-28 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2006-02-28 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2009-04-30 22:56 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2009-04-30 22:56 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2006-02-28 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
.
 