TechSpot

Wipe out all programs

Solved
By comphelp79
Mar 30, 2011
Topic Status:
Not open for further replies.
  1. I have a similar problem to this guy:

    "After frustration with some web search hijacking, I learned about "Hijack This". I loaded it and ran it. When it came back with 3 pages of problems, I did a dumb thing - and fixed them all. The only change I could see is that the desktop background stays standard XP blue. I have tried to change it (right click on desktop and properties - desktop) but it doesn't allow any of the options there to activate other than color. "

    For me, not only is my desktop background not working, I managed to completely remove all my programs. When I click on the Start menu and then 'All Programs', to my horror it is empty. When I ran the "Hijack This" program, I thought I only fixed the ones that stated "O4 - HKLM\..\Run: [Brong32] TorontoMail.exe", in safe mode under Administrator and under my user name, and when I rebooted All Programs was empty and I could not do a System Restore to bring everything back. Everything is gone: Microsoft Office, iTunes, Adobe, RealPlayer, everything!! :(

    In the thread for the guy above you had given him a link, http://www.techspot.com/vb/topic58138.html ("Trojan Pakes and other nasties preliminary removal instructions"), and told him to follow all the instructions. I started with step 1 and realized that thread was from back in 2006. What can I do to restore everything? Should I continue to follow the steps? Please help!!! I also attached a "Hijack This" log.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You will find several places in the stickies above that tell you not to follow directions for malware cleaning given to someone else. We do not use HijackThis to 'screen' for malware. There is a possibility that you have malware from the Rogue Error Fix. One of its actions is to show all programs missing in order to get you to click on a site to 'fix' the problem.

    Please advise me if you are a member of Facebook.

    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  3. comphelp79

    comphelp79 TS Rookie Topic Starter Posts: 33

    as instructed

    Bobbye, here are the logs per the step 6 instructions. I am a member of Facebook; my username is [Name deleted for privacy]. Please let me know what I need to do next to restore all my files and programs :)

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6220

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    3/30/2011 5:49:12 PM
    mbam-log-2011-03-30 (17-49-12).txt

    Scan type: Quick scan
    Objects scanned: 158862
    Time elapsed: 7 minute(s), 2 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 3
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3} (Adware.Gamevance) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\all users\application data\19717940.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\application data\pxxpekijomnaxjk.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    -----------------------------------------------------------------------------------------------------

    GMER 1.0.15.15570 - http://www.gmer.net
    Rootkit quick scan 2011-03-30 18:10:39
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T1L0-1b MDT_MD800AB-00CBA1 rev.04.07B04
    Running: n2rst5oq.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fwddyfob.sys


    ---- Threads - GMER 1.0.15 ----

    Thread System [4:132] 85CFBE84
    Thread System [4:136] 85CFE084

    ---- EOF - GMER 1.0.15 ----

    ------------------------------------------------------------------------------------------------

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 4/30/2009 7:02:26 PM
    System Uptime: 3/30/2011 6:07:27 PM (0 hours ago)
    .
    Motherboard: | | MS-7139
    Processor: AMD Athlon(tm) 64 Processor 4000+ | Socket 939 | 2399/200mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 75 GiB total, 45.726 GiB free.
    D: is CDROM (CDFS)
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: System Interrupt Controller
    Device ID: PCI\VEN_1106&DEV_5336&SUBSYS_00000000&REV_00\3&2411E6FE&0&05
    Manufacturer:
    Name: System Interrupt Controller
    PNP Device ID: PCI\VEN_1106&DEV_5336&SUBSYS_00000000&REV_00\3&2411E6FE&0&05
    Service:
    .
    ==== System Restore Points ===================
    .
    RP177: 1/26/2011 10:41:35 PM - Removed Norton SystemWorks 2002
    RP178: 1/26/2011 10:48:43 PM - CA Internet Security Suite
    RP179: 1/29/2011 9:18:50 AM - System Checkpoint
    RP180: 1/30/2011 3:24:49 PM - System Checkpoint
    RP181: 2/3/2011 8:53:18 PM - System Checkpoint
    RP182: 2/6/2011 6:53:35 PM - System Checkpoint
    RP183: 2/9/2011 10:00:34 PM - System Checkpoint
    RP184: 2/10/2011 12:50:54 AM - Software Distribution Service 3.0
    RP185: 2/12/2011 10:05:44 AM - System Checkpoint
    RP186: 2/13/2011 3:08:10 PM - System Checkpoint
    RP187: 2/16/2011 7:31:45 PM - System Checkpoint
    RP188: 2/18/2011 7:13:17 PM - System Checkpoint
    RP189: 2/19/2011 7:58:51 PM - System Checkpoint
    RP190: 2/21/2011 5:12:53 PM - System Checkpoint
    RP191: 3/1/2011 8:11:13 PM - System Checkpoint
    RP192: 3/6/2011 1:00:46 PM - System Checkpoint
    RP193: 3/8/2011 10:03:00 PM - System Checkpoint
    RP194: 3/9/2011 12:37:43 AM - Software Distribution Service 3.0
    RP195: 3/10/2011 10:20:14 PM - System Checkpoint
    RP196: 3/11/2011 9:44:08 AM - Software Distribution Service 3.0
    RP197: 3/12/2011 5:52:32 PM - System Checkpoint
    RP198: 3/13/2011 8:32:04 PM - System Checkpoint
    RP199: 3/15/2011 10:19:23 PM - System Checkpoint
    RP200: 3/17/2011 4:00:01 PM - Software Distribution Service 3.0
    RP201: 3/19/2011 10:46:31 AM - System Checkpoint
    RP202: 3/22/2011 7:11:34 PM - System Checkpoint
    RP203: 3/23/2011 8:19:19 PM - System Checkpoint
    RP204: 3/23/2011 10:18:51 PM - Software Distribution Service 3.0
    RP205: 3/27/2011 12:48:42 PM - System Checkpoint
    RP206: 3/28/2011 8:51:19 PM - System Checkpoint
    RP207: 3/30/2011 1:23:16 AM - Removed MobileMe Control Panel
    .
    ==== Installed Programs ======================
    .
    "Nero SoundTrax Help
    32 Bit HP CIO Components Installer
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.1
    Adobe Shockwave Player 11.5
    Advertising Center
    Agere Systems PCI Soft Modem
    AMRT
    AOL Uninstaller (Choose which Products to Remove)
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Auslogics BoostSpeed
    Avira AntiVir Personal - Free Antivirus
    Bonjour
    BufferChm
    CA Anti-Virus Plus
    CA Internet Security Suite
    Compatibility Pack for the 2007 Office system
    Copy
    CustomerResearchQFolder
    Destination Component
    DeviceDiscovery
    DeviceManagementQFolder
    DivX Setup
    DJ_AIO_03_F4200_ProductContext
    DJ_AIO_03_F4200_Software
    DJ_AIO_03_F4200_Software_Min
    DolbyFiles
    Download Updater (AOL LLC)
    DVD Decrypter (Remove Only)
    Elecard MPEG-2 Decoder&Streaming Plug-in for WMP
    eSupportQFolder
    F4200
    F4200_Help
    Google Toolbar for Internet Explorer
    Google Update Helper
    GPBaseService
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Customer Participation Program 11.0
    HP Deskjet F4200 All-In-One Driver Software 11.0 Rel .3
    HP Imaging Device Functions 11.0
    HP Solution Center 11.0
    HP Update
    HPProductAssistant
    ImagXpress
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 23
    LiveReg (Symantec Corporation)
    LiveUpdate 1.6 (Symantec Corporation)
    Malwarebytes' Anti-Malware
    MarketResearch
    Menu Templates - Starter Kit
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office XP Professional with FrontPage
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft VC9 runtime libraries
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Movie Templates - Starter Kit
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Nero 9
    Nero Burning ROM Help
    Nero BurnRights
    Nero ControlCenter
    Nero CoverDesigner
    Nero CoverDesigner Help
    Nero Disc Copy Gadget
    Nero Disc Copy Gadget Help
    Nero DiscSpeed
    Nero DriveSpeed
    Nero Express Help
    Nero InfoTool
    Nero Installer
    Nero Live
    Nero Live Help
    Nero PhotoSnap
    Nero PhotoSnap Help
    Nero Recode
    Nero Recode Help
    Nero Rescue Agent
    Nero RescueAgent Help
    Nero ShowTime
    Nero StartSmart
    Nero StartSmart Help
    Nero Vision
    Nero WaveEditor
    Nero WaveEditor Help
    NeroBurningROM
    NeroExpress
    NeroLiveGadget
    NeroLiveGadget Help
    neroxml
    OGA Notifier 2.0.0048.0
    QuickTime
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    RealPlayer
    RealUpgrade 1.1
    Respondus LockDown Browser
    Safari
    Scan
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 7 (KB2183461)
    Security Update for Windows Internet Explorer 7 (KB2360131)
    Security Update for Windows Internet Explorer 7 (KB2416400)
    Security Update for Windows Internet Explorer 7 (KB2482017)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SolutionCenter
    SoundTrax
    Status
    Symantec WinFax Basic Edition
    Toolbox
    TrayApp
    Uninstall AOL Emergency Connect Utility 1.0
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB960763)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VC80CRTRedist - 8.0.50727.4053
    VIA Audio Driver Setup Program
    VIA/S3G Display Driver 6.14.10.0071
    Viewpoint Media Player
    WebFldrs XP
    WebReg
    Windows Live OneCare safety scanner
    Windows Media Format 11 runtime
    Windows Media Player Hotfix [See Q828026 for more information]
    Windows XP Service Pack 3
    Yahoo! Install Manager
    Yahoo! Search Protection
    Yahoo! Software Update
    Yahoo! Toolbar
    .
    ==== Event Viewer Messages From Past Week ========
    .
    3/30/2011 6:08:57 PM, error: System Error [1003] - Error code 0000007a, parameter1 c07b9f00, parameter2 c000000e, parameter3 f73e050c, parameter4 250a1860.
    3/30/2011 5:26:38 PM, error: Service Control Manager [7034] - The Yahoo! Updater service terminated unexpectedly. It has done this 1 time(s).
    3/30/2011 5:26:38 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    3/30/2011 5:26:38 PM, error: Service Control Manager [7034] - The CAISafe service terminated unexpectedly. It has done this 1 time(s).
    3/30/2011 5:26:38 PM, error: Service Control Manager [7034] - The CaCCProvSP service terminated unexpectedly. It has done this 1 time(s).
    3/30/2011 5:26:38 PM, error: Service Control Manager [7034] - The CAAMSvc service terminated unexpectedly. It has done this 1 time(s).
    3/30/2011 5:26:38 PM, error: Service Control Manager [7034] - The CA Common Scheduler Service service terminated unexpectedly. It has done this 1 time(s).
    3/30/2011 5:26:38 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    3/30/2011 5:26:38 PM, error: Service Control Manager [7034] - The Agere Modem Call Progress Audio service terminated unexpectedly. It has done this 1 time(s).
    3/30/2011 5:26:38 PM, error: Service Control Manager [7031] - The Nero BackItUp Scheduler 4.0 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 500 milliseconds: Restart the service.
    3/30/2011 5:26:38 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    3/30/2011 5:26:37 PM, error: Service Control Manager [7034] - The HIPS Policy Manager service terminated unexpectedly. It has done this 1 time(s).
    3/30/2011 5:26:37 PM, error: Service Control Manager [7034] - The HIPS Event Manager service terminated unexpectedly. It has done this 1 time(s).
    3/30/2011 5:26:37 PM, error: Service Control Manager [7034] - The HIPS Configuration Interpreter service terminated unexpectedly. It has done this 1 time(s).
    3/30/2011 3:04:49 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
    3/30/2011 3:04:49 AM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\Owner\LOCALS~1\Temp\RarSFX0\redist.dll. Reference error message: The operation completed successfully. .
    3/30/2011 3:04:49 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
    3/30/2011 1:35:10 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips KmxAgent KmxStart Processor
    3/30/2011 1:34:14 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    3/30/2011 1:33:54 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service UmxPol with arguments "-Service" in order to run the server: {4C89C3FD-5F94-4678-BBB5-F64759C3C54A}
    3/28/2011 6:06:17 PM, error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
    3/27/2011 6:54:13 PM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 85acd3f8, parameter3 85acd56c, parameter4 805c8d78.
    3/27/2011 6:54:07 PM, error: System Error [1003] - Error code 00000077, parameter1 c000000e, parameter2 c000000e, parameter3 00000000, parameter4 00af1000.
    .
    ==== End Of File ===========================
     
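    The MBAM log above records three "Registry Data Items" under HKCU\...\Policies and HKLM\...\Policies, which is where the rogue disables Task Manager and locks the wallpaper; those are symptoms, while the two files (Rogue.FakeHDD and Trojan.Downloader) are the payload. As an added example, not code from this thread or from Malwarebytes, the Python below parses those two sections of an MBAM 1.x log (the sample is constructed from the entries visible in the post), separates policy tampering from payload files, and writes the policy values back to their logged "Good" value as a regedit 5.00 .reg file. The line format is the one shown in the post; the parser, the triage rule and the .reg generation are assumptions of this example, not a Malwarebytes feature.

```python
"""Parse the 'Registry Data Items' and 'Files' sections of a Malwarebytes
Anti-Malware 1.x scan log and emit a regedit 5.00 .reg file that puts the
hijacked policy values back to their logged 'Good' value.

Added example: not code from the TechSpot thread or from Malwarebytes. The
line format is the one visible in the posted log; the .reg output is the
standard regedit export format. SAMPLE_LOG is constructed from that post.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\19717940.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\pxxpekijomnaxjk.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# One MBAM data-item line: <key>\<value> (<detection>) -> Bad: (n) Good: (m) -> <action>
DATA_ITEM_RE = re.compile(
    r"^(?P<key>HKEY_[A-Z_]+\\.+)\\(?P<value>[^\\ ]+) \((?P<det>[^)]+)\) -> "
    r"Bad: \((?P<bad>\d+)\) Good: \((?P<good>\d+)\) -> (?P<action>.+)$"
)
# One MBAM file line: <path> (<detection>) -> <action>
FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<det>[^)]+)\) -> (?P<action>.+)$")


@dataclass(frozen=True)
class PolicyHijack:
    key: str        # registry key, e.g. HKEY_CURRENT_USER\...\Policies\System
    value: str      # value name, e.g. DisableTaskMgr
    detection: str  # MBAM label, e.g. PUM.Hijack.TaskManager
    bad: int        # value MBAM found
    good: int       # value MBAM considers clean
    action: str


@dataclass(frozen=True)
class FileDetection:
    path: str
    detection: str
    action: str


def parse_mbam_log(text):
    """Return (policy hijacks, file detections) from an MBAM 1.x log body."""
    hijacks, files, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Section headers look like 'Files Infected:'; the summary block at
        # the top of a real log ends with a count instead, so it is skipped.
        if line.endswith(" Infected:"):
            section = line[: -len(" Infected:")]
            continue
        if section == "Registry Data Items" and (m := DATA_ITEM_RE.match(line)):
            hijacks.append(PolicyHijack(m["key"], m["value"], m["det"],
                                        int(m["bad"]), int(m["good"]), m["action"]))
        elif section == "Files" and (m := FILE_RE.match(line)):
            files.append(FileDetection(m["path"], m["det"], m["action"]))
    return hijacks, files


def reg_fix(hijacks, delete=False):
    """Build a regedit 5.00 file restoring each value to its 'Good' DWORD.

    Writing 0 to a Policies restriction value clears the restriction, which
    is the same end state MBAM reached by deleting it; delete=True emits the
    '=-' deletion syntax instead.
    """
    by_key = {}
    for h in hijacks:
        by_key.setdefault(h.key, []).append(h)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, items in by_key.items():
        lines.append(f"[{key}]")
        for h in items:
            lines.append(f'"{h.value}"=-' if delete else f'"{h.value}"=dword:{h.good:08x}')
        lines.append("")
    return "\n".join(lines)


def triage(hijacks, files):
    """Separate symptom (policy tampering) from payload (rogue/trojan files)."""
    payload = [f for f in files if not f.detection.startswith("PUM.")]
    return {
        "policy_hijacks": len(hijacks),
        "payload_files": len(payload),
        # A .reg fix alone is only enough when no payload was found.
        "policy_fix_sufficient": not payload,
    }


if __name__ == "__main__":
    hijacks, files = parse_mbam_log(SAMPLE_LOG)
    print(triage(hijacks, files))
    print(reg_fix(hijacks))
```

    Run against the sample, triage reports two payload files, so the .reg file is a repair step for the locked desktop and Task Manager, not a substitute for removing the rogue; that is the same order of work Bobbye follows in the thread.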
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Sorry, I didn't mean to ask for your name. I'm going to delete the name for your privacy. Please see the thread I posted a few days ago: http://www.techspot.com/vb/topic162959.html
    =====================================
    You have multiple antivirus programs loading:
    Avira AntiVir Personal - Free Antivirus> To uninstall Avira:
    • Start> Settings> Control Panel> Add or Remove Programs (Windows 2000/ XP) or Start - Control Panel - Uninstall a program (Windows Vista / 7)
    • Wait for the list of installed programs to load, then click the name of the Avira program.
    • Click Remove next to the program's name (Windows 2000 / XP) or in the menu above the list (Windows Vista / 7).
    • Press Yes, to confirm the removal and then OK.
    • Click Next until Finish. The software is removed.
    CA Anti-Virus Plus
    CA Internet Security Suite > Removal Tools
    LiveReg (Symantec Corporation) >Norton Removal Tool
    LiveUpdate 1.6 (Symantec Corporation)

    You should only run one antivirus program and one firewall. Please remove any of the above to get down to that. I have included removal tools to help. The multiple AV programs actually make the system more vulnerable. Please reboot the computer when through.
    =====================================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
    10. Click anywhere in the post where you want the logs to go, then do Ctrl+V. The log will be sent from the clipboard and pasted in the post.
    11. Re-enable your Antivirus software.
      NOTE: If you forget to copy to the clipboard you can find the log here:
      C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ===================================
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and it will open a text window. Please paste C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
     
  5. comphelp79

    comphelp79 TS Rookie Topic Starter Posts: 33

    awesome

    Thank you very much Bobbye :grinthumb. I followed your instructions and everything is back, YAY!!! I will never again attempt to clean a virus without proper knowledge. :eek: Is there anything else I need to do? :)

    Here's the log from the Eset NOD32 run:

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=7.00.6000.17095 (vista_gdr.101217-1830)
    # OnlineScanner.ocx=1.0.0.6425
    # api_version=3.0.2
    # EOSSerial=60f54571e990b54ead06e2dc9ac10891
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-03-31 11:00:37
    # local_time=2011-03-31 07:00:37 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=55712
    # found=1
    # cleaned=0
    # scan_time=3602
    C:\Documents and Settings\Owner\Application Data\Auslogics\Rescue\One Button Checkup\090508233518609.rsc Win32/Toolbar.AskSBar application (unable to clean) 00000000000000000000000000000000 I
    can not get scanner. e_gle=1001
    DLL:pipe not connected. attempts=120
    can not get scanner. e_gle=1001
    DLL:pipe not connected. attempts=120
    can not get scanner. e_gle=1001
    DLL:pipe not connected. attempts=120
     
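    The ESET log above has three distinct parts: a "# key=value" header, one detection line, and two trailing engine messages. As an added example, not code from this thread or from ESET, the Python below parses those parts and answers the questions a helper asks of such a log: was the scan run report-only (remove_checked=false, so cleaned=0 is expected rather than a cleanup failure), does the hit sit inside a rescue/backup store rather than a live location, and are the trailing lines engine errors that warrant a re-run. The sample is constructed from the posted log. Assumptions of this example: ESET writes a detection as path, threat, 32-hex-digit hash and flag separated by tabs, lines before the first "# " are installer preamble, and the rescue/backup/quarantine path heuristic is mine.

```python
"""Interpret an ESET Online Scanner log: '# key=value' header, tab-separated
detection lines, and anything else after the header (engine messages).

Added example: not code from the TechSpot thread or from ESET. Assumed log
shape: detections are path<TAB>threat<TAB>32-hex-digit hash<TAB>flag; lines
before the first '# ' are installer preamble; any other non-header line is
an engine message. SAMPLE_ESET_LOG is constructed from the posted log.
"""
import re
from dataclasses import dataclass

SAMPLE_ESET_LOG = "\n".join([
    "ESETSmartInstaller@High as CAB hook log:",
    "OnlineScanner.ocx - registred OK",
    "# version=7",
    "# remove_checked=false",
    "# archives_checked=true",
    "# unwanted_checked=true",
    "# compatibility_mode=512 16777215 100 0 0 0 0 0",
    "# compatibility_mode=8192 67108863 100 0 0 0 0 0",
    "# scanned=55712",
    "# found=1",
    "# cleaned=0",
    "# scan_time=3602",
    "C:\\Documents and Settings\\Owner\\Application Data\\Auslogics\\Rescue\\"
    "One Button Checkup\\090508233518609.rsc\tWin32/Toolbar.AskSBar application "
    "(unable to clean)\t00000000000000000000000000000000\tI",
    "can not get scanner. e_gle=1001",
    "DLL:pipe not connected. attempts=120",
])

HASH_RE = re.compile(r"[0-9a-fA-F]{32}")


@dataclass(frozen=True)
class Detection:
    path: str
    threat: str
    digest: str
    flag: str


def parse_eset_log(text):
    """Return (header dict, detections, engine messages)."""
    header, detections, errors = {}, [], []
    in_header = False
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("# ") and "=" in line:
            in_header = True
            key, _, val = line[2:].partition("=")
            header.setdefault(key.strip(), val.strip())  # keep first of repeats
            continue
        if not in_header:
            continue  # installer preamble before the header
        fields = line.split("\t")
        if len(fields) == 4 and HASH_RE.fullmatch(fields[2]):
            detections.append(Detection(*fields))
        else:
            errors.append(line)
    return header, detections, errors


def assess(header, detections, errors):
    """Turn the parsed log into the answers a helper actually needs."""
    report_only = header.get("remove_checked") == "false"
    found = int(header.get("found", 0))
    cleaned = int(header.get("cleaned", 0))
    # Heuristic (assumption of this example): a hit inside a rescue, backup
    # or quarantine store is a stored copy, not a live infection.
    stored = [d for d in detections
              if any(seg.lower() in {"rescue", "backup", "quarantine"}
                     for seg in d.path.split("\\"))]
    return {
        "report_only": report_only,
        "found": found,
        "cleaned": cleaned,
        # With 'Remove found threats' unticked, cleaned=0 is the expected outcome.
        "cleanup_failed": (not report_only) and cleaned < found,
        "live_hits": len(detections) - len(stored),
        "stored_copy_hits": len(stored),
        "engine_errors": len(errors),
        "needs_rerun": bool(errors),
    }


if __name__ == "__main__":
    print(assess(*parse_eset_log(SAMPLE_ESET_LOG)))
```

    On the sample this returns report_only=True, cleanup_failed=False, one stored-copy hit and two engine messages, so the actionable item is the engine failure (re-run the scan), which is also what Bobbye asks for in the next post.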
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I am concerned about the text at the end of the Eset log. Before I do anything with that entry, I'd like for you to run a different online virus scan to compare:
    Run Kaspersky Online Scanner in Internet Explorer

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
    • Click Accept and the web scanner will begin to load
    • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
    • You will be prompted to install an ActiveX component from Kaspersky, click Install
    • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT and then Scan Settings
    • In the scan settings make sure that the following are selected:
      [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
      [o] Scan Options: Scan Archives> Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      [o] Select My Computer
    • The program will start to scan your system.
    • Once the scan is complete, click on the Save as Text button and save the file to your desktop
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
    ===========================================
    I tried to identify the app data where you got the adware using different combinations of Auslogics\Rescue\One Button Checkup\090508233518609.rsc but I could not. I also looked at the installed programs and don't see anything related there. I found a Norton One Button Checkup but not Auslogics.

    The Askbar is frequently pre-checked on some download screens, so you should always look to see if anything is checked before downloading.

    Edit: Have you run Combofix yet? Log?
     
  7. comphelp79

    comphelp79 TS Rookie Topic Starter Posts: 33

    I just moved to a new place and have not installed my computer yet; I'm using my cousin's computer currently. When I set up my computer I will run the Kaspersky online scan and post the log. Thanks. I should have the result by this weekend.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay. Post when ready.
     
  9. comphelp79

    comphelp79 TS Rookie Topic Starter Posts: 33

    Sorry, Kaspersky Online Scanner would not scan properly. I took a screenshot of the error message, but I had to post it in an attachment. Please tell me what I did wrong.
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Sorry, but it's not safe for me to open a .doc file.

    Please update and run the Eset scan again. I also need the Combofix log.
     
  11. comphelp79

    comphelp79 TS Rookie Topic Starter Posts: 33

    This is the error message when I ran the Kaspersky Online Scanner:

    "Update has failed, the program could not be started. Please close the window of Kaspersky Online Scanner 7.0 and start the program again from the web site of Kaspersky Lab.
    Successful updating of Kaspersky Online Scanner 7.0 and scanning of your computer requires an uninterrupted internet connection. Please make sure that the internet connection is established {Error: License has expired}"

    Here's the ComboFix log:

    ComboFix 11-03-31.01 - Owner 03/31/2011 19:29:08.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.644 [GMT -4:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Owner\Desktop\Windows Repair.lnk
    c:\documents and settings\Owner\Start Menu\Programs\Windows Repair
    c:\documents and settings\Owner\Start Menu\Programs\Windows Repair\Uninstall Windows Repair.lnk
    c:\documents and settings\Owner\Start Menu\Programs\Windows Repair\Windows Repair.lnk
    c:\windows\system32\spool\prtprocs\w32x86\WFXPNT40.DLL
    .
    Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-31 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-31 21:55 . 2011-03-31 21:55 -------- d-----w- c:\program files\ESET
    2011-03-30 21:37 . 2011-03-30 21:37 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2011-03-30 21:37 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-30 21:37 . 2011-03-30 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-03-30 21:37 . 2011-03-30 21:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-30 05:33 . 2011-03-30 05:33 -------- d-----w- c:\documents and settings\Administrator
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-09 13:53 . 2006-02-28 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53 . 2006-02-28 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-06 23:46 . 2011-01-27 03:50 95568 ----a-w- c:\windows\system32\vetredir.dll
    2011-02-06 23:46 . 2011-01-27 03:50 128336 ----a-w- c:\windows\system32\isafeif.dll
    2011-02-02 07:58 . 2009-04-30 22:56 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2009-04-30 22:56 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44 . 2006-02-28 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2006-02-28 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AudioDeck.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AudioDeck.lnk
    backup=c:\windows\pss\AudioDeck.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^On-Line Registration.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\On-Line Registration.lnk
    backup=c:\windows\pss\On-Line Registration.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PowerDVD Help.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PowerDVD Help.lnk
    backup=c:\windows\pss\PowerDVD Help.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PowerDVD.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PowerDVD.lnk
    backup=c:\windows\pss\PowerDVD.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Readme.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Readme.lnk
    backup=c:\windows\pss\Readme.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^System Diagnostic.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\System Diagnostic.lnk
    backup=c:\windows\pss\System Diagnostic.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Uninstall PowerDVD.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Uninstall PowerDVD.lnk
    backup=c:\windows\pss\Uninstall PowerDVD.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-09-23 09:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2008-03-26 01:27 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
    2009-02-03 13:15 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
    2009-02-03 13:15 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
    "c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
    "c:\\Program Files\\Common Files\\aol\\1273802316\\ee\\aolsoftware.exe"=
    "c:\\Program Files\\AOL 9.5\\waol.exe"=
    "c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
    "c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2010 5:19 PM 135664]
    S3 Vsp;Vsp;c:\windows\system32\drivers\vsp.sys [4/30/2009 7:51 PM 3351]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-12 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
    .
    2011-03-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-08 21:19]
    .
    2011-03-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-08 21:19]
    .
    2011-03-31 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
    .
    2011-03-31 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-527237240-1580436667-839522115-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
    .
    2011-03-31 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-527237240-1580436667-839522115-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/?fr=fptb-tyc7
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    Trusted Zone: com.tw\asia.msi
    Trusted Zone: com.tw\global.msi
    Trusted Zone: com.tw\www.msi
    DPF: {06D59DC6-5304-432D-A1CE-67E531410F9F} - hxxps://bp.cfdfl.com/BusinessPortal/UI/ResultViewer/Scripts/MBFWebBehaviors.cab
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-Agere Systems Soft Modem - c:\windows\agrsmdel
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-31 19:32
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2011-03-31 19:34:46
    ComboFix-quarantined-files.txt 2011-03-31 23:34
    .
    Pre-Run: 49,358,909,440 bytes free
    Post-Run: 49,814,859,776 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 0777B035FD3A4153F4D74AFF65E25A24
     
     
  12. comphelp79

    comphelp79 TS Rookie Topic Starter Posts: 33

    aaahhhggg!!!

    My cousin watched an adult movie online on my computer and got a virus, and now we are back to square one. :( I want to hit something :blackeye:

    I tried to run ComboFix but since I already downloaded it last time, it would not let me. Is the Windows Restore part of ComboFix? It tried to do a diagnostic test and I stopped it since I was not sure which program it was.
    Bobbye, please tell me what I need to do to restore all my files and programs, and to prevent any more of these shenanigans from happening. My computer keeps rebooting and it is very annoying. :mad:
     
  13. comphelp79

    comphelp79 TS Rookie Topic Starter Posts: 33

    Sorry for all the post :)

    I ran Malwarebytes' Anti-Malware and removed the Windows Restore Trojan virus, and I also ran unhide.ex to unhide my files and programs. :) Below is the log from Malwarebytes. Bobbye, how can I make sure the Windows Restore virus is completely gone from my PC?


    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6320

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    4/9/2011 1:49:51 PM
    mbam-log-2011-04-09 (13-49-51).txt

    Scan type: Quick scan
    Objects scanned: 160208
    Time elapsed: 6 minute(s), 53 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 3
    Folders Infected: 1
    Files Infected: 3

    Memory Processes Infected:
    c:\documents and settings\all users\application data\tfhewclbgi.exe (Trojan.FakeAlert) -> 1820 -> Unloaded process successfully.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfHEwclbGi (Trojan.FakeAlert) -> Value: tfHEwclbGi -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    c:\documents and settings\Owner\start menu\Programs\windows restore (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Files Infected:
    c:\documents and settings\all users\application data\tfhewclbgi.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\documents and settings\Owner\start menu\Programs\windows restore\uninstall windows restore.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\documents and settings\Owner\start menu\Programs\windows restore\windows restore.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
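    An added, read-only audit (not code from the thread, from Malwarebytes or from ComboFix) that checks for the three things the log above attributes to Trojan.FakeAlert / PUM.Hijack.*: the policy values flagged "Bad: (1)", a Run entry launching an executable from Application Data, and the hidden attribute on Start Menu and Favorites content, which is how the rogue fakes "all programs gone". It assumes it is run as the affected user in an elevated PowerShell prompt, with XP-style folder names (Start Menu\Programs, Favorites, My Documents) under %USERPROFILE%.

```powershell
# Added audit example; not code from the thread or from Malwarebytes/ComboFix.
# Reports only, changes nothing. Assumes XP-style profile folder names.

$findings = @()

# 1. Policy values the Malwarebytes log flagged with "Bad: (1) Good: (0)".
$policyChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableTaskMgr' },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableTaskMgr' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallPaper' }
)
foreach ($c in $policyChecks) {
    # Missing key or value -> $item is $null, which is the expected clean state
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($item -and $item.($c.Name) -eq 1) {
        $findings += "Policy set: $($c.Key)\$($c.Name) = 1 (locks the user out; expected absent or 0)"
    }
}

# 2. Run entries whose command lives in a data folder instead of Program Files
#    (the log's HKCU ...\Run\tfHEwclbGi pointed at ...\all users\application data\tfhewclbgi.exe).
foreach ($hive in 'HKCU', 'HKLM') {
    $runKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $props  = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PowerShell's own PSPath/PSParentPath metadata
        if ("$($p.Value)" -match '(?i)\\application data\\|\\programdata\\|\\temp\\') {
            $findings += "Run entry $hive\$($p.Name) launches from a data folder: $($p.Value)"
        }
    }
}

# 3. Hidden attribute on user content that should never be hidden.
$userDirs = @('Start Menu\Programs', 'Favorites', 'My Documents') |
    ForEach-Object { Join-Path $env:USERPROFILE $_ }
foreach ($d in $userDirs) {
    if (-not (Test-Path -LiteralPath $d)) { continue }
    # -Force lists hidden items; @() keeps .Count valid for zero or one result
    $hidden = @(Get-ChildItem -LiteralPath $d -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 })
    if ($hidden.Count -gt 0) {
        $findings += "$d : $($hidden.Count) hidden item(s), e.g. $($hidden[0].FullName)"
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No FakeAlert-style policy, Run-key or hidden-attribute findings.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

    A hit in section 3 alone means the shortcuts are still on disk and only need their hidden attribute cleared, which is what the "unhide" step in the thread does.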
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    There is a line in my first reply> it's in red for a reason:
    ================================================
    Doing a System Restore from a Command line:
    Boot into Safe Mode
    1. Restart your computer and start pressing the F8 key on your keyboard.
    2. Use the arrow keys to select the Safe Mode with a Command prompt option.> press Enter.
    3. If you are prompted to select an operating system, use the arrow keys to select the appropriate operating system for your computer, and then press ENTER.
    4. Log on as an administrator or with an account that has administrator credentials.
    5. At the command prompt, type %systemroot%\system32\restore\rstrui.exe, and then press ENTER.
    6. Follow the instructions that appear on the screen to restore your computer to a functional state.
    7. You ran HijackThis on Scan saved at 2:00:04 AM, on 3/30/2011
      [o]Choose this Restore Point: RP207: 3/30/2011 1:23:16 AM - Removed MobileMe Control Panel
    Reboot the computer into Normal Mode when through
    ==========================================
    Uninstall the HijackThis program and delete the log. You saved the log to a temp folder instead of the directory on the C drive, so it did not make any backups.
    ============================================
    Repeat this scan: Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
    10. Click anywhere in the post where you want the logs to go, then do Ctrl+V. The log will be sent from the clipboard and pasted in the post.
    11. Re-enable your Antivirus software.
      NOTE: If you forget to copy to the clipboard you can find the log here:
      C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    The programs I have you run aren't random. They are given to you at a specific time for a specific reason. I asked you to run the Eset Online Virus scan again because I'm not sure whether the connection to the site was lost or whether some other problem came up.
    ================================================
    Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    ===============================================
    Download a new copy of Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message confirming it.
    • Click on Yes, to continue scanning for malware
    • If ComboFix asks you to update the program, allow it
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated. It will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =====================================
    Paste the new Eset scan and Combofix log in your next reply.
    ========================================
    1. Please do not do anything else.
    2. Don't run any other scans. Don't delete anything unless I instruct you to.
    3. Keep your cousin away from the computer. Tell him if it goes on it again he will have to pay a tech to fix the computer> think about $300.00
     
  15. comphelp79

    comphelp79 TS Rookie Topic Starter Posts: 33

    Sorry :(

    The system restore did work for RP207: 3/30/2011 1:23:16 AM - Removed MobileMe Control Panel. I tried it 2x.

    I'm sorry Bobbye -- the programs that I ran to get rid of the "Windows Restore virus" were Malwarebytes' Anti-Malware and unhide.ex -- nothing else, I swear.
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Did you get the programs back okay?

    About this: Mbam handles these entries. I got the impression from your comments that you had done additional removals for these files:
    c:\documents and settings\Owner\start menu\Programs\windows restore\uninstall windows restore.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\documents and settings\Owner\start menu\Programs\windows restore\windows restore.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.


    Tell me what this is: unhide.ex
     
  17. comphelp79

    comphelp79 TS Rookie Topic Starter Posts: 33

    After that ***** cousin of mine messed up my computer, the Windows Restore virus was installed and it kept rebooting my computer. So I ran Malwarebytes Anti-Malware, one of the programs you told me to download when you were first helping me. I ran unhide.exe because all my files, internet favorites and programs were "empty", hidden -- so unhide.exe made them visible again. I posted the log for you to view.

    It seems my PC is vulnerable to Trojan viruses, even with Avira antivirus and anti-malware. Any suggestion?
     
  18. comphelp79

    comphelp79 TS Rookie Topic Starter Posts: 33

    OK, so I was not as clever as I thought. Another virus!! This time MS Removal Tool hacked my computer and will not let me run Malwarebytes Anti-Malware or Avira to clean it.
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You don't need to run a program to view hidden files & folders:
    Show Hidden Folders/Files
    • Open My Computer.
    • Go to Tools > Folder Options.
    • Select the View tab.
    • Scroll down to Hidden files and folders.
    • Select Show hidden files and folders.
    • Uncheck (untick) Hide extensions of known file types.
    • Uncheck (untick) Hide protected operating system files (Recommended).
    • Click Yes when prompted.
    • Click OK.
    • Close My Computer.

    Rehide the files and folders.
    =============================================
    Please focus only on what I am instructing you to do. If Mbam found this malware and quarantined and deleted it, you did not have to take any further action at that point.
    Your programs were not missing! The Rogue.ErrorFix hid them to make you think they were gone and you had to use their program to fix the 'error.'
    ===============================================
    Reply #14:
    ========================================
    Repeating:
     
  20. comphelp79

    comphelp79 TS Rookie Topic Starter Posts: 33

    Hi Bobbye, I have not used my computer in a while so I just read your post.

    "Uncheck (untick) Hide protected operating system files (Recommended)"
    I followed everything you said even though it stated that deleting or editing will make my system inoperable.

    Anyway, I still have a long way to go to finish cleaning my system thanks to my cousin. I still have that pesky Windows Recovery virus in my PC. Now I have an internet script error where I hear commercials or radio announcements in the background; sometimes the script error is (http://gamesweaseltv.mevio.com/?utm...85_21983&utm_source=088aebc&utm_medium=088aeb) but mevio is the main site.

    Also my Internet Explorer favorites are still missing, but my files are viewable. I did a system restore to 3 days ago to see if that Windows Recovery virus would go away but somehow it still left a few of its friends in my computer.

    Remember, the system restore for the date 3/30/2011 1:23:16 AM - Removed MobileMe Control Panel that you had asked me to do did not work.
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I try very hard to anticipate what a user might see and tell them how to deal with it:

    I would hardly send you to do something that would hurt the system.
    =====================================
    Bad decision:
    I chose that one particular restore date for a reason.
    =====================================
    Bottom line: If you want me to help clean the malware off of the system, you should only run what I instruct you to run and you should follow my directions explicitly. If you are going to do that, I will continue support. If not, I'll close the thread.
     
  22. comphelp79

    comphelp79 TS Rookie Topic Starter Posts: 33

    Below is the ComboFix log I did on 3/31. Still waiting on your instruction, since the system restore you wanted for 3/31 did not work, so I could not follow the instructions that follow. My internet favorites are missing and each time I Google or Yahoo search something I keep getting redirected. It took me 3 tries to get to the TechSpot forum.

    ComboFix 11-03-31.01 - Owner 03/31/2011 19:29:08.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.644 [GMT -4:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Owner\Desktop\Windows Repair.lnk
    c:\documents and settings\Owner\Start Menu\Programs\Windows Repair
    c:\documents and settings\Owner\Start Menu\Programs\Windows Repair\Uninstall Windows Repair.lnk
    c:\documents and settings\Owner\Start Menu\Programs\Windows Repair\Windows Repair.lnk
    c:\windows\system32\spool\prtprocs\w32x86\WFXPNT40.DLL
    .
    Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-31 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-31 21:55 . 2011-03-31 21:55 -------- d-----w- c:\program files\ESET
    2011-03-30 21:37 . 2011-03-30 21:37 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2011-03-30 21:37 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-30 21:37 . 2011-03-30 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-03-30 21:37 . 2011-03-30 21:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-30 05:33 . 2011-03-30 05:33 -------- d-----w- c:\documents and settings\Administrator
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-09 13:53 . 2006-02-28 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53 . 2006-02-28 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-06 23:46 . 2011-01-27 03:50 95568 ----a-w- c:\windows\system32\vetredir.dll
    2011-02-06 23:46 . 2011-01-27 03:50 128336 ----a-w- c:\windows\system32\isafeif.dll
    2011-02-02 07:58 . 2009-04-30 22:56 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2009-04-30 22:56 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44 . 2006-02-28 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2006-02-28 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AudioDeck.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AudioDeck.lnk
    backup=c:\windows\pss\AudioDeck.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^On-Line Registration.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\On-Line Registration.lnk
    backup=c:\windows\pss\On-Line Registration.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PowerDVD Help.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PowerDVD Help.lnk
    backup=c:\windows\pss\PowerDVD Help.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PowerDVD.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PowerDVD.lnk
    backup=c:\windows\pss\PowerDVD.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Readme.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Readme.lnk
    backup=c:\windows\pss\Readme.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^System Diagnostic.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\System Diagnostic.lnk
    backup=c:\windows\pss\System Diagnostic.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Uninstall PowerDVD.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Uninstall PowerDVD.lnk
    backup=c:\windows\pss\Uninstall PowerDVD.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-09-23 09:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2008-03-26 01:27 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
    2009-02-03 13:15 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
    2009-02-03 13:15 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
    "c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
    "c:\\Program Files\\Common Files\\aol\\1273802316\\ee\\aolsoftware.exe"=
    "c:\\Program Files\\AOL 9.5\\waol.exe"=
    "c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
    "c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2010 5:19 PM 135664]
    S3 Vsp;Vsp;c:\windows\system32\drivers\vsp.sys [4/30/2009 7:51 PM 3351]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-12 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
    .
    2011-03-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-08 21:19]
    .
    2011-03-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-08 21:19]
    .
    2011-03-31 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
    .
    2011-03-31 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-527237240-1580436667-839522115-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
    .
    2011-03-31 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-527237240-1580436667-839522115-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/?fr=fptb-tyc7
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    Trusted Zone: com.tw\asia.msi
    Trusted Zone: com.tw\global.msi
    Trusted Zone: com.tw\www.msi
    DPF: {06D59DC6-5304-432D-A1CE-67E531410F9F} - hxxps://bp.cfdfl.com/BusinessPortal/UI/ResultViewer/Scripts/MBFWebBehaviors.cab
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-Agere Systems Soft Modem - c:\windows\agrsmdel
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-31 19:32
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2011-03-31 19:34:46
    ComboFix-quarantined-files.txt 2011-03-31 23:34
    .
    Pre-Run: 49,358,909,440 bytes free
    Post-Run: 49,814,859,776 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 0777B035FD3A4153F4D74AFF65E25A24
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    We need to get on the same page here:

    Regarding the restore Point I asked you to use: You first said:
    Then, several replies later you said:
    Regarding hidden files and folders:
    I gave you the following only to advise you that you did not need to run the program you did in order to show these files. It was for information only- not meant for you to do it then. And the directions clearly state for you to confirm Yes but you didn't read that. Instead leaving the following comment:
    We never got your system clean before someone else got on it and added to the problems. That meant essentially that we had to start over. So here's what you need to do:
    1. Update and rescan with Malwarebytes.
    2. Uninstall, then download fresh Combofix and do a new scan.
    3. Give me a good description of the system problems now.

    Nothing else.
    Leave new logs for Mbam and Combofix in your next reply.
    I do not want any old logs.
     
  24. comphelp79

    comphelp79 TS Rookie Topic Starter Posts: 33

    Miscommunication

    Hi Bobbye,
    Sorry for all the confusing posts. The restore point: RP207: 3/30/2011 1:23:16 AM - Removed MobileMe Control Panel -- that did not work. Sorry if I put the wrong date. That's what I meant in my prev. post.

    What I did wrong was a different system restore to this past Thursday 4/14/11 to get rid of the Windows Restore virus. This virus deleted my IE favorites, redirected my Google search and left an IE script error on my PC that will not go away. This is what has been happening so far.

    The logs for Malwarebytes and ComboFix are posted in another post.
     
  25. comphelp79

    comphelp79 TS Rookie Topic Starter Posts: 33

    The log is too long so I have to break it into 3 posts.

    ComboFix 11-04-16.03 - Owner 04/17/2011 12:42:24.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.640 [GMT -4:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Owner\WINDOWS
    .
    Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-17 to 2011-04-17 )))))))))))))))))))))))))))))))
    .
    .
    2011-04-17 01:38 . 2011-03-04 20:11 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-04-17 01:38 . 2011-03-04 18:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-04-17 01:38 . 2010-06-17 18:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2011-04-17 01:38 . 2010-06-17 18:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2011-04-17 01:38 . 2011-04-17 01:38 -------- d-----w- c:\program files\Avira
    2011-04-17 01:38 . 2011-04-17 01:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-04-17 01:29 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-16 06:20 . 2011-04-16 06:20 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-04-13 02:59 . 2011-04-13 03:12 -------- d-----w- c:\program files\BearShare Applications
    2011-04-13 02:33 . 2011-04-13 02:44 -------- d-----w- c:\program files\FrostWire
    2011-04-13 01:13 . 2011-04-17 00:42 -------- d-----w- c:\program files\iMesh Applications
    2011-04-13 01:12 . 2011-04-13 01:12 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PackageAware
    2011-04-12 03:14 . 2011-04-17 01:38 -------- d-----w- c:\program files\CA
    2011-04-12 03:05 . 2011-04-12 03:05 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
    2011-03-31 21:55 . 2011-03-31 21:55 -------- d-----w- c:\program files\ESET
    2011-03-30 21:37 . 2011-03-30 21:37 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2011-03-30 21:37 . 2011-03-30 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-03-30 21:37 . 2011-04-17 01:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-30 05:33 . 2011-04-16 06:20 -------- d-----w- c:\documents and settings\Administrator
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-12 03:17 . 2011-01-27 03:50 95568 ----a-w- c:\windows\system32\vetredir.dll
    2011-04-12 03:17 . 2011-01-27 03:50 128336 ----a-w- c:\windows\system32\isafeif.dll
    2011-03-07 05:33 . 2009-04-30 22:57 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-04 06:45 . 2006-02-28 12:00 434176 ----a-w- c:\windows\system32\vbscript.dll
    2011-03-03 13:21 . 2006-02-28 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
    2011-02-17 19:00 . 2006-02-28 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
    2011-02-17 19:00 . 2006-02-28 12:00 78336 ------w- c:\windows\system32\ieencode.dll
    2011-02-17 19:00 . 2006-02-28 12:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
    2011-02-17 19:00 . 2006-02-28 12:00 17408 ------w- c:\windows\system32\corpol.dll
    2011-02-17 13:18 . 2006-02-28 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-02-17 13:18 . 2006-02-28 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
    2011-02-17 12:32 . 2009-05-04 00:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2011-02-17 11:44 . 2006-02-28 12:00 389120 ------w- c:\windows\system32\html.iec
    2011-02-15 12:56 . 2006-02-28 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
    2011-02-09 13:53 . 2006-02-28 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53 . 2006-02-28 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-08 13:33 . 2006-02-28 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll
    2011-02-08 13:33 . 2006-02-28 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2011-02-02 07:58 . 2009-04-30 22:56 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2009-04-30 22:56 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44 . 2006-02-28 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    .
    .
     