Inactive Desktop background and files/folder trouble

Status
Not open for further replies.
The symptoms you describe are typical of the Rogue Windows Repair and its cousin, Rogue.ErrorFix. You will find the description and screen shots here:
http://www.bleepingcomputer.com/virus-removal/remove-windows-repair

You have to be really careful when you search for the malware because most of the sites you will see are rated RED by the WOT Site Advisor, meaning they are unreliable.

There are at least 2 malware programs affecting the system by making it appear there are no programs, or that you are locked out and various other false alerts. The scam is to get you to click on a site to "fix" the error, which actually doesn't exist.

Windows Repair is a fake computer analysis and optimization program that displays fake information in order to scare you into believing that there is an issue with your computer. It is installed via Trojans that display false error messages and security warnings on the infected computer. It will be configured to start automatically when you login to Windows.

Once started, the program begins the fake security warnings. Its "defragment tool" will state that it needs to run in Safe Mode and then show a fake Safe Mode background that pretends to defrag your computer.

When opening folders, such as C:\Windows\System32\ or various drive letters, instead of seeing the normal list of files it will instead display a different folder's contents or make it appear as if the folder is empty.

Windows Repair also attempts to make it so you cannot run any programs on your computer.
Source: Bleeping Computer

The bottom line is that these are fake alerts. What you do to respond to them usually compounds the problem. Just understand that the alerts and errors are false.
========================================
Before I go any further with a script for Combofix, I'd like for you to update and do a new scan with Malwarebytes. But this should be a Full Scan instead of the Quick Scan you did originally. Note: The update is to add any new entries from the database. That program should find some of the entries.
=======================================
Follow with: Download HijackThis from http://download.bleepingcomputer.com/hijackthis/HijackThis.zip and save it to your desktop.
  • Extract it to a directory on your hard drive called c:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log file will be saved and then will open in Notepad. Be sure to click on Format > Uncheck Word Wrap when you open Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
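The steps above produce a plain-text log whose lines all follow the same `<code> - <body>` layout (R0/R1 browser settings, O2 BHOs, O4 autoruns, O23 services, and so on). As an added example, not part of this thread or of HijackThis itself, here is a small Python triage script that groups such a log by section, flags entries whose target file is gone (the `(file missing)` marker), and lists what the O4 entries launch at logon. The sample log is constructed from a handful of lines copied from the log posted later in this thread; the script sorts, it does not decide what is malicious, which is the point of the note above that most of what HijackThis finds is harmless.

```python
"""Triage helper for a HijackThis log: group entries by section code, flag
entries whose file no longer exists and list the autorun (O4) commands.

Added example for this thread, not part of HijackThis. The line layout
('<code> - <body>', the '(file missing)' marker, and O4 bodies shaped like
'HKLM\\..\\Run: [name] "command" args') is taken from the log posted here."""
import re
from collections import Counter

# Constructed sample: a few lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/?rd=1
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O23 - Service: Lavasoft Ad-Aware (AAWService) - Unknown owner - c:\progra~1\lavasoft\ad-ware\aawser~1.exe (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
# O4 body: <hive>\..\<Run key>: [<name>] <command line>
AUTORUN_RE = re.compile(
    r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] ?(?P<command>.*)$")
FILE_MISSING = "(file missing)"


def parse_hjt_log(text):
    """Return one {'code', 'body', 'file_missing'} dict per log entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"code": m.group("code"), "body": m.group("body"),
                            "file_missing": FILE_MISSING in m.group("body")})
    return entries


def section_counts(entries):
    """How many entries each section code contributed, e.g. {'O4': 2}."""
    return dict(Counter(e["code"] for e in entries))


def missing_file_entries(entries):
    """Entries still registered although their file is gone (leftover registrations)."""
    return [e for e in entries if e["file_missing"]]


def executable_path(command):
    """Strip quoting and arguments from an autorun command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ")[0]


def autorun_entries(entries):
    """(hive, key, name, executable) for every O4 entry: what starts at logon."""
    out = []
    for e in entries:
        if e["code"] != "O4":
            continue
        m = AUTORUN_RE.match(e["body"])
        if m:
            out.append((m.group("hive"), m.group("key"), m.group("name"),
                        executable_path(m.group("command"))))
    return out


def triage(text):
    """One-shot summary of a log: section counts, stale entries and autoruns."""
    entries = parse_hjt_log(text)
    return {"sections": section_counts(entries),
            "file_missing": [e["code"] + " - " + e["body"] for e in missing_file_entries(entries)],
            "autoruns": autorun_entries(entries)}


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print("sections:", summary["sections"])
    for stale in summary["file_missing"]:
        print("stale:", stale)
    for hive, key, name, exe in summary["autoruns"]:
        print(f"autorun {hive}\\{key} [{name}] -> {exe}")
```

Run it against a saved hijackthis.log by reading the file into `triage()`; the `file_missing` list is the usual first thing a helper looks at, because those entries are dead registrations that only confuse later scans, and the `autoruns` list gives the executables that actually run at logon, which is where a rogue like the one described above would have to live.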
 
Here is the HJT Log (I also have the Malwarebytes scan log, do you want that also?):

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 04:38:19, on 16/04/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
D:\HijackThis.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/?rd=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Wireless Manager] "C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe" startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
O9 - Extra button: @C:\Program Files\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files\Windows Live\Companion\companioncore.dll
O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Windows\system32\skype4com.dll
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Lavasoft Ad-Aware (AAWService) - Unknown owner - c:\progra~1\lavasoft\ad-ware\aawser~1.exe (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 6896 bytes
 
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6371

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

16/04/2011 04:31:05
mbam-log-2011-04-16 (04-31-05).txt

Scan type: Full scan (C:\|)
Objects scanned: 393427
Time elapsed: 1 hour(s), 43 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Jinai\AppData\Roaming\thinstall\program data\40000013a000002i\illustrator.exe (Trojan.IRCBot) -> Quarantined and deleted successfully.
 
The new Mbam scan found another malware entry: HTTP Trojan IRCBot. The program data was created with Thinstall, which is currently named VMware ThinApp. You may have used this as an "application virtualization and portable application creator", which can package conventional applications so that they become portable applications.

Unfortunately the data came with the malware (Trojan.IRCBot) and since this app is used for portable apps, it means that if you used a flash drive or other portable app, it will need to be disinfected. While Mbam found and removed an entry, there may be other entries. About this malware:
W32.IRCBot is a detection for worms that spread using Internet Relay Chat (IRC). The IRC connection serves as a back door, allowing an attacker to perform a variety of actions on the compromised computer. An attacker usually gathers a large number of computers infected with W32.IRCBot worms and uses them as a bot network, controlled through IRC.

The use of IRC separates threats from their traditional back door and worm counterparts in that the hacker does not issue commands directly to the back door. Rather they are routed through the IRC server and channel, and then on to the compromised computer. Without the IRC server or channel, the attacker is unable to control the compromised computer.
Damage
  • Payload: Opens a back door and connects to an IRC server.
  • Releases Confidential Info: May steal information from the computer.
  • Compromises Security Settings: May bypass firewalls.
Source: Symantec
So you need to understand that while this entry may be removed, the computer may already have been compromised. You should change all of your passwords and monitor any online financial activity closely.
=========================================
Please update and rescan with the Eset Online scanner. Remember, the update is to add any new entries to the database, not change the version.
 
Eset Nod32 Log:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=3c59c4ec42b11e4b8ed994fee809d4a9
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-03-31 01:40:19
# local_time=2011-03-31 02:40:19 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 33791278 33791278 0 0
# compatibility_mode=1797 16775165 100 94 127851 38064565 0 0
# compatibility_mode=5892 16776573 100 100 126305 139060744 0 0
# compatibility_mode=7937 16777214 0 50 127852 16921410 0 0
# compatibility_mode=8192 67108863 100 0 105 105 0 0
# scanned=243100
# found=4
# cleaned=0
# scan_time=7602
C:\Users\Jinai\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\53ACIHYQ\fb01fd[1].pdf JS/Exploit.Pdfka.ORP.Gen trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Jinai\AppData\Local\Temp\plugtmp-1\plugin-lib.php JS/Exploit.Pdfka.OSV.Gen trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Jinai\Documents\Downloads\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe Win32/Toolbar.AskSBar application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Jinai\Downloads\Sony.Vegas.Pro.8+DVD.Architect.4.5.NO.KEYGEN\Sony Vegas Pro 8.0b Build 217-AVCHD-MPG-AC3 FIXED\Keygen.exe a variant of Win32/Keygen.AR application (unable to clean) 00000000000000000000000000000000 I
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=3c59c4ec42b11e4b8ed994fee809d4a9
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-04-03 03:46:41
# local_time=2011-04-03 04:46:41 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 34101508 34101508 0 0
# compatibility_mode=1797 16775165 100 94 438081 38374795 496196 0
# compatibility_mode=5892 16776573 100 100 161315 139370974 0 0
# compatibility_mode=7937 16777214 0 50 438082 17231640 0 0
# compatibility_mode=8192 67108863 100 0 310335 310335 0 0
# scanned=240474
# found=2
# cleaned=2
# scan_time=7354
C:\Users\Jinai\Documents\Downloads\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe Win32/Toolbar.AskSBar application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Jinai\Downloads\Sony.Vegas.Pro.8+DVD.Architect.4.5.NO.KEYGEN\Sony Vegas Pro 8.0b Build 217-AVCHD-MPG-AC3 FIXED\Keygen.exe a variant of Win32/Keygen.AR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=3c59c4ec42b11e4b8ed994fee809d4a9
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-04-18 05:35:40
# local_time=2011-04-18 06:35:40 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 35403236 35403236 0 0
# compatibility_mode=1797 16775165 100 94 1739809 39676523 1797924 0
# compatibility_mode=5892 16776573 100 100 1463043 140672702 0 0
# compatibility_mode=7937 16777214 0 50 1739810 18533368 0 0
# compatibility_mode=8192 67108863 100 0 1612063 1612063 0 0
# scanned=232200
# found=2
# cleaned=2
# scan_time=8165
C:\Users\Jinai\AppData\Local\qno.exe a variant of Win32/Kryptik.MSR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Jinai\AppData\Local\Mozilla\Firefox\Profiles\hqyixclv.default\Cache\9\1F\4206Dd01 JS/Exploit.Pdfka.OTW.Gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
 
While I was running the scan, another rogue anti-virus program popped up. It was called Vista Anti Virus 2011.

Guess that means more trouble?
 
Please read the directions I give you. The Eset scan clearly says this:
Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked

I see this latest scan says "cleaned by deleting - quarantined". This means that you checked for removal. There is a very good reason why we tell you not to: we use a program to remove the entries that will also clean associated files. I'm going to set all these entries up again, then you run the Eset online scan again with "Remove found threats" unchecked.

Please download OTMoveIt by Old Timer and save it to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files  
    C:\Users\Jinai\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\53ACIHYQ\fb01fd[1].pdf 
    C:\Users\Jinai\AppData\Local\Temp\plugtmp-1\plugin-lib.php 
    C:\Users\Jinai\Documents\Downloads\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe 
    C:\Users\Jinai\Downloads\Sony.Vegas.Pro.8+DVD.Architect.4.5.NO.KEYGEN\Sony Vegas Pro 8.0b Build 217-AVCHD-MPG-AC3 FIXED\Keygen.exe 
    C:\Users\Jinai\AppData\Local\qno.exe 
    C:\Users\Jinai\AppData\Local\Mozilla\Firefox\Profiles\hqyixclv.default\Cache\9\1F\4206Dd01 
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
====================================
None of the entries above are indicating they were removed correctly.
=====================================
When you have finished running OTM:
To clear the Java Plug-in cache:

  • [1]. Click Start > Control Panel.
  • [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
  • [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
  • [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
    There are three options on this window to clear the cache. Check all:
      • Delete Files
      • View Applications
      • View Applets
  • [5]. Click OK on the Delete Temporary Files window.
    Note: This deletes all the Downloaded Applications and Applets from the cache.
  • [6]. Click Apply > OK on the Temporary Files Settings window.
Note: If you want to delete a specific application or applet from the cache, click on the View Applications or View Applets option respectively.
======================================
When you have finished both of the above, Reboot the computer.
=====================================
Now go back and update and run a new scan with the Eset Online Virus scanner.
=====================================
Follow that with this Security Check

Download Security Check by screen317 from HERE or HERE.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
=============================================
We need to find out why you are still getting new malware, but I also have to know that the previous entries have been removed correctly.

Summary:
1. Run OTM with all of the previous Eset entries.
2. Clear the Java cache which contains some malware entries.
3. Reboot the computer.
4. Update and rescan with the Eset online scanner, without a check to remove entries.
5. Run the Security Check.

Please leave logs in your next reply.
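The point made above about the Eset log, that a run with "Remove found threats" checked shows up as `remove_checked=true` and as `cleaned by deleting - quarantined` lines, can be checked mechanically. As an added example, not part of this thread or of ESET's tooling, here is a Python script that splits an ESET Online Scanner log into its scan runs, parses each run's `# key=value` header and detection lines, and reports any run made with removal enabled. The sample log is constructed from two abbreviated runs using lines posted earlier in this thread. The path/threat split rests on one assumption stated in the code: ESET threat names carry a platform prefix containing `/` (Win32/, JS/) while Windows paths never do.

```python
"""Audit an ESET Online Scanner log: split it into runs, parse each header and
detection line, and flag runs made with "Remove found threats" enabled.

Added example for this thread, not ESET's own tooling. Detection lines are
laid out as '<path> <threat> (<action>) <32 hex digits> <status letter>'
(I = left in place, C = cleaned in the logs posted here); the split between
path and threat assumes the threat name contains a '/' and the path does not."""
import re

# Constructed sample: two abbreviated runs built from lines posted in this thread.
SAMPLE_LOG = r"""ESETSmartInstaller@High as downloader log:
all ok
# version=7
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2011-03-31 01:40:19
# scanned=243100
# found=2
# cleaned=0
C:\Users\Jinai\AppData\Local\Temp\plugtmp-1\plugin-lib.php JS/Exploit.Pdfka.OSV.Gen trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Jinai\Downloads\Sony.Vegas.Pro.8+DVD.Architect.4.5.NO.KEYGEN\Sony Vegas Pro 8.0b Build 217-AVCHD-MPG-AC3 FIXED\Keygen.exe a variant of Win32/Keygen.AR application (unable to clean) 00000000000000000000000000000000 I
# version=7
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2011-04-18 05:35:40
# scanned=232200
# found=1
# cleaned=1
C:\Users\Jinai\AppData\Local\qno.exe a variant of Win32/Kryptik.MSR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

DETECTION_RE = re.compile(
    r"^(?P<head>.+) \((?P<action>[^()]*)\) (?P<hash>[0-9a-fA-F]{32}) (?P<flag>[A-Z])$")
# Longest first, so "probably a variant of" is not cut down to "a variant of".
THREAT_PREFIXES = ("probably a variant of ", "a variant of ", "probably ")


def split_path_and_threat(head):
    """Split '<path> <threat description>' at the threat's platform/name token."""
    tokens = head.split(" ")
    sig_indexes = [i for i, tok in enumerate(tokens) if "/" in tok]
    if not sig_indexes:
        return head, ""                 # unexpected layout: keep it all as the path
    sig = sig_indexes[-1]
    path, threat = " ".join(tokens[:sig]), " ".join(tokens[sig:])
    for prefix in THREAT_PREFIXES:      # move "a variant of" etc. over to the threat
        marker = " " + prefix.rstrip()
        if path.endswith(marker):
            path, threat = path[:-len(marker)], prefix + threat
            break
    return path, threat


def parse_eset_log(text):
    """Return one dict per scan run; a new run starts at every '# version=' line."""
    runs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# version="):
            runs.append({"header": {}, "detections": []})
        if not runs:
            continue                    # installer chatter before the first run
        run = runs[-1]
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            run["header"].setdefault(key, []).append(value)  # keys may repeat
            continue
        m = DETECTION_RE.match(line)
        if m:
            path, threat = split_path_and_threat(m.group("head"))
            run["detections"].append({"path": path, "threat": threat,
                                      "action": m.group("action"), "flag": m.group("flag")})
    for run in runs:
        hdr = run["header"]
        run["utc_time"] = hdr.get("utc_time", ["?"])[0]
        run["remove_checked"] = hdr.get("remove_checked", ["false"])[0] == "true"
        run["found"] = int(hdr.get("found", ["0"])[0])
        run["cleaned"] = int(hdr.get("cleaned", ["0"])[0])
    return runs


def audit_run(run):
    """Issues a helper would raise about one run, in the terms used in this thread."""
    issues = []
    if run["remove_checked"]:
        issues.append("removal was enabled: 'Remove found threats' should be unchecked")
    removed = [d for d in run["detections"] if d["flag"] == "C"]
    if run["cleaned"] != len(removed):
        issues.append(f"header says cleaned={run['cleaned']} but {len(removed)} lines are marked C")
    if run["found"] != len(run["detections"]):
        issues.append(f"header says found={run['found']} but {len(run['detections'])} detection lines parsed")
    return issues


if __name__ == "__main__":
    for run in parse_eset_log(SAMPLE_LOG):
        print(run["utc_time"], "remove_checked=%s" % run["remove_checked"])
        for d in run["detections"]:
            print("  ", d["flag"], d["action"], "|", d["threat"], "|", d["path"])
        for issue in audit_run(run):
            print("   !", issue)
```

Because the ESET log file accumulates one block per run, `parse_eset_log()` returns them in order, so the audit shows at a glance which run was done against the instructions and which paths were already deleted before a tool like OTM could take the associated files with them.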
 
Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked

Apologies, in your previous post you didn't specify whether I should delete it or not, I just assumed you wanted me to delete it after the scan. I'll keep that in mind from now on.
 
I continue to encourage you to read the directions carefully, as directions may not be the same for all programs:

Eset Online Virus scan:
Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
We don't do this to confuse you! And some forums might want you to have Eset remove the entries within the program. But these entries and additional files can be better removed in the OTM program.

Malwarebytes:
Be sure that everything is checked, and click Remove Selected.
This is the first 'cleaning' scan we have you run. We want it to find malware entries and we want it to remove all of them because it will include files, folders, registry and possibly memory entries. And there are times when a system is so infected that some cleaning programs won't run until some of the malware is removed.
 
Thank you. Here is the OTMoveit Log:

All processes killed
========== FILES ==========
File/Folder C:\Users\Jinai\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\53ACIHYQ\fb01fd[1].pdf not found.
File/Folder C:\Users\Jinai\AppData\Local\Temp\plugtmp-1\plugin-lib.php not found.
File/Folder C:\Users\Jinai\Documents\Downloads\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe not found.
File/Folder C:\Users\Jinai\Downloads\Sony.Vegas.Pro.8+DVD.Architect.4.5.NO.KEYGEN\Sony Vegas Pro 8.0b Build 217-AVCHD-MPG-AC3 FIXED\Keygen.exe not found.
File/Folder C:\Users\Jinai\AppData\Local\qno.exe not found.
File/Folder C:\Users\Jinai\AppData\Local\Mozilla\Firefox\Profiles\hqyixclv.default\Cach e\9\1F\4206Dd01 not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Jinai
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 240166 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 33218030 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 936 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Update
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3986228 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 36.00 mb


OTM by OldTimer - Version 3.1.17.2 log created on 04212011_162555
 
Eset Scanner Log:

# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=3c59c4ec42b11e4b8ed994fee809d4a9
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-04-21 05:45:40
# local_time=2011-04-21 06:45:40 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 35665063 35665063 0 0
# compatibility_mode=1797 16775165 100 94 2001636 39938350 2059751 0
# compatibility_mode=5892 16776574 66 100 260466 140934529 0 0
# compatibility_mode=7937 16777214 0 50 2001637 18795195 0 0
# compatibility_mode=8192 67108863 100 0 1873890 1873890 0 0
# scanned=231703
# found=0
# cleaned=0
# scan_time=6139
 
Finally the Checkup.txt Log:

Results of screen317's Security Check version 0.99.10
Windows Vista Service Pack 2 (UAC is disabled!)
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Avira AntiVir Personal - Free Antivirus
ESET Online Scanner v3
Norton 360
WMI entry may not exist for antivirus; attempting automatic update.
Avira successfully updated!
```````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
Malwarebytes' Anti-Malware
Java(TM) 6 Update 24
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 4
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Out of date Java installed!
Adobe Flash Player 10.0.22.87
Adobe Reader 8.1.4
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
Microsoft Small Business Business Contact Manager BcmSqlStartupSvc.exe
``````````End of Log````````````
 
Windows Firewall Enabled!
Avira AntiVir Personal - Free Antivirus
ESET Online Scanner v3
Norton 360
If you are running Norton 360, it has an antivirus program, firewall and antimalware program, so:
Disable the Windows Firewall
Uninstall Avira


Uninstall all of these: All of these outdated programs are vulnerabilities on the system.
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 4
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Adobe Reader 8.1.4


Update Adobe: Visit this Adobe Reader site

Do any of the original malware-related problems remain? If yes, what?
 
I have removed the things you told me to and unfortunately the original malware-related problems still remain; my desktop background is still overlapped with a black background, and my files on the system are still "hidden" (now that's real impressive).

Besides that, nothing.
 
Okay, I'm not sure at all that you are having a problem due to malware.

The following is what concerns me:
.......Then I went onto the "Deletemalware" blog to see if the solutions for the rogue program's other family members would help (because they are very similar), followed a lot of the steps #1(such as "regedit" businesses)..........Booted my laptop into normal mode and then found some more problems - desktop background turned black, and #2 most system files hijacked, #3 cannot access start programs (I can see my files are on the system). ..........#4....Fortunately I can access my computer and task manager to do stuffs.


1. Did you backup the Registry before making the changes? What changes did you make?
2. How do you mean the 'system files are hijacked?' Be specific.
3. How are you trying to access these Start Programs? From where? What happens?
4. Originally you couldn't access the Task Manager, but at some point, that changed.

Tell me specifically about the desktop: What does show, what is the black section over, is there any writing on the black part?

Tell me specifically about the 'hidden' files. If they're hidden, how can you 'see' them?

And a "For your information":
HijackThis scan was done on Scan saved at 01:04:47, on 28/03/2011

You have 3 Restore Points set:
RP1037: 28/03/2011 18:05:46 - Windows Update (6:05 PM)
RP1038: 28/03/2011 19:35:33 - Removed YVD (7:35 PM)
RP1039: 29/03/2011 13:27:04 - Windows Update (1:27 AM)

Unfortunately, since the HJT scan was run at 1:04 AM on 3/28, you were already having problems but have no restore point set to go back to, possibly undoing whatever damage you did trying to fix the problem! (Yes! This is a big hint to make you aware of having a restore point set on the system!)

YVD allows you to play Free Flash Online Games. Both game sites and flash are high sources of malware. I had to tell someone last night that their system couldn't be cleaned because they had a Ramnit malware infection. The most likely source according to the infected entries? Games from Steam.

And one more FYI: Don't follow malware removal directions that seemed to work for someone else without benefit of a helper who knows what they're doing!
 
Sorry for not being able to reply, my internet has been down for the past few days.

To answer your questions:

1. Unfortunately no, I didn't backup my registry (was a bad, bad mistake I found out after I did what I did)

2. By hijacked I think I meant the system files were rendered hidden from their original state (which was not hidden).

3. Start programs are all gone (except for the ones I pinned to the start menu); when I press "All Programs", nothing's there. So if I was to access say Firefox, I would have to go onto the search bar and type in "firefox.exe", then it runs.

4. Yes, that changed along the lines.
 
The rogue program you had originally was Windows Repair; Combofix removed some entries. As I explained to you, the Programs really were there and any error reports you were getting were false.

I don't know what changes you made in the Registry. The system might not be recoverable. If you have the CD for the operating system, you can try using the System File Checker:

Have your Windows Vista installation CD ready, so that you can insert it if you are prompted to do so.
  • Go to the Start menu and click on Run. In the blank field there, type this command:

    sfc /scannow ( sfc if not recognized) (Note that there is a space between sfc and /scannow)
  • Click on OK or press Enter.
  • Follow any instructions on the screen.
  • SFC will close when finished.
  • Reboot the computer.

See if this works.
 