Solved PUM.Hijack.StartMenu & black desktop w/userfiles missing

[Broni]

The icons were desktop items

If so, they're just shortcuts. You can easily create new ones.
Click Start, right click on My Computer/My Documents then "Send to">Desktop.

=============================================================================

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  O4 - HKU\S-1-5-21-1318639389-2330378091-3496585167-1000..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe File not found
  O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
  O18:64bit: - Protocol\Handler\ipp - No CLSID value found
  O18:64bit: - Protocol\Handler\ipp\0x00000001 - No CLSID value found
  O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
  O18:64bit: - Protocol\Handler\msdaipp\0x00000001 - No CLSID value found
  O18:64bit: - Protocol\Handler\msdaipp\oledb - No CLSID value found
  O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
  O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
  
  :Commands
  [purity]
  [emptytemp]
  [emptyjava]
  [emptyflash]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• You will get a log that shows the results of the fix. Please post it.

==========================================================================

Last scans...

1. Download Security Check from HERE, and save it to your Desktop.

• Double-click SecurityCheck.exe
• Follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  
  NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.

• Make sure the following options are checked:
  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center
  • Windows Update
  • Windows Defender
• Press "Scan".
• It will create a log (FSS.txt) in the same directory the tool is run.
• Please copy and paste the log to your reply.

3. Download Temp File Cleaner (TFC)

• Double click on TFC.exe to run the program.
• Click on Start button to begin cleaning process.
• TFC will close all running programs, and it may ask you to restart computer.

4. Please run a free online scan with the ESET Online Scanner

• Disable your antivirus program
• Tick the box next to YES, I accept the Terms of Use
• Click Start
• Accept any security warnings from your browser.
• Check Scan archives
• Click Start
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, click on List of found threats
• Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• NOTE. If Eset won't find any threats, it won't produce any log.

 

[all at sea]

All processes killed ========== OTL ========== Registry value HKEY_USERS\S-1-5-21-1318639389-2330378091-3496585167-1000\Software\Microsoft\Windows\CurrentVersion\Run\\WMPNSCFG deleted successfully. Starting removal of ActiveX control {7530BFB8-7293-4D34-9923-61A11451AFC5} C:\Windows\Downloaded Program Files\OnlineScanner.inf moved successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found. 64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ipp\ deleted successfully. File Protocol\Handler\ipp - No CLSID value found not found. 64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ipp\0x00000001\ not found. File Protocol\Handler\ipp\0x00000001 - No CLSID value found not found. 64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msdaipp\ deleted successfully. File Protocol\Handler\msdaipp - No CLSID value found not found. 64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msdaipp\0x00000001\ not found. File Protocol\Handler\msdaipp\0x00000001 - No CLSID value found not found. 64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msdaipp\oledb\ not found. File Protocol\Handler\msdaipp\oledb - No CLSID value found not found. 64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-help\ deleted successfully. File Protocol\Handler\ms-help - No CLSID value found not found. 64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-itss\ deleted successfully. File Protocol\Handler\ms-itss - No CLSID value found not found. ========== COMMANDS ========== [EMPTYTEMP] User: All Users User: Default ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes User: jason ->Temp folder emptied: 634 bytes ->Temporary Internet Files folder emptied: 494017095 bytes ->Java cache emptied: 20598 bytes ->FireFox cache emptied: 71221170 bytes ->Flash cache emptied: 32739 bytes User: Public ->Temp folder emptied: 0 bytes %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 0 bytes %systemroot%\System32 .tmp files removed: 0 bytes %systemroot%\System32 (64bit) .tmp files removed: 0 bytes %systemroot%\System32\drivers .tmp files removed: 0 bytes Windows Temp folder emptied: 792 bytes %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes RecycleBin emptied: 0 bytes Total Files Cleaned = 539.00 mb [EMPTYJAVA] User: All Users User: Default User: Default User User: jason ->Java cache emptied: 0 bytes User: Public Total Java Files Cleaned = 0.00 mb [EMPTYFLASH] User: All Users User: Default User: Default User User: jason ->Flash cache emptied: 0 bytes User: Public Total Flash Files Cleaned = 0.00 mb OTL by OldTimer - Version 3.2.42.1 log created on 04262012_215822 Files\Folders moved on Reboot... File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QTCNNEMC\desktop.ini scheduled to be moved on reboot. File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LFGFZ1Y3\desktop.ini scheduled to be moved on reboot. File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L4A1H7KR\desktop.ini scheduled to be moved on reboot. File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7DFJ6BKQ\desktop.ini scheduled to be moved on reboot. File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini scheduled to be moved on reboot. File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini scheduled to be moved on reboot. Registry entries deleted on Reboot...

 

[all at sea]

Results of screen317's Security Check version 0.99.24 Windows Vista x64 (UAC is enabled) Out of date service pack!! Internet Explorer 7 Out of date! `````````````````````````````` Antivirus/Firewall Check: Windows Firewall Enabled! Avira Free Antivirus [size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size] Avira successfully updated! ``````````````````````````````` Anti-malware/Other Utilities Check: Java(TM) 6 Update 31 Mozilla Firefox (3.5.9) Firefox Out of Date! ```````````````````````````````` Process Check: objlist.exe by Laurent Avira Antivir avgnt.exe Avira Antivir avguard.exe ``````````End of Log````````````

 

[all at sea]

Farbar Service Scanner Version: 24-04-2012 Ran by jason (administrator) on 26-04-2012 at 22:13:10 Running from "C:\Users\jason\Desktop" Microsoft® Windows Vista™ Home Premium Service Pack 1 (X64) Boot Mode: Normal **************************************************************** Internet Services: ============ Connection Status: ============== Localhost is accessible. LAN connected. Google IP is accessible. Yahoo IP is accessible. Windows Firewall: ============= Firewall Disabled Policy: ================== System Restore: ============ System Restore Disabled Policy: ======================== Security Center: ============ Windows Update: ============ Windows Autoupdate Disabled Policy: ============================ Windows Defender: ============== WinDefend Service is not running. Checking service configuration: The start type of WinDefend service is set to Demand. The default start type is Auto. The ImagePath of WinDefend service is OK. The ServiceDll of WinDefend service is OK. File Check: ======== C:\Windows\System32\nsisvc.dll [2008-01-21 03:49] - [2008-01-21 03:49] - 0024576 ____A (Microsoft Corporation) ACB62BAA1C319B17752553DF3026EEEB C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit C:\Windows\System32\dhcpcsvc.dll [2008-01-21 03:50] - [2008-01-21 03:50] - 0268288 ____A (Microsoft Corporation) FDAA0EDFCFB70CD529589AD654651B40 C:\Windows\System32\drivers\afd.sys [2008-01-21 03:48] - [2008-01-21 03:48] - 0408064 ____A (Microsoft Corporation) DB37041AB857ABC7E179E856D8E1582C C:\Windows\System32\drivers\tdx.sys [2008-01-21 03:49] - [2008-01-21 03:49] - 0094208 ____A (Microsoft Corporation) 8C39C72E0E853DE04748C0337D9B9216 C:\Windows\System32\Drivers\tcpip.sys [2009-01-12 18:37] - [2008-04-26 09:55] - 1421368 ____A (Microsoft Corporation) 8E041924441FF8755E5B4F135C8C3767 C:\Windows\System32\dnsrslvr.dll [2008-01-21 03:48] - [2008-01-21 03:48] - 0117760 ____A (Microsoft Corporation) 93CE26DBED3182634F18DD2FE10E41BE C:\Windows\System32\mpssvc.dll [2008-01-21 03:49] - [2008-01-21 03:49] - 0601088 ____A (Microsoft Corporation) 8A670648C755867A3AA38DA50BA569AA C:\Windows\System32\bfe.dll [2008-01-21 03:50] - [2008-01-21 03:50] - 0458240 ____A (Microsoft Corporation) BC4737AAFFA5964E4F8827C9B8C0EB8E C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit C:\Windows\System32\SDRSVC.dll [2008-01-21 03:47] - [2008-01-21 03:47] - 0128000 ____A (Microsoft Corporation) 4FF71B076A7760FE75EA5AE2D0EE0018 C:\Windows\System32\vssvc.exe [2008-01-21 03:50] - [2008-01-21 03:50] - 1432576 ____A (Microsoft Corporation) 186BD53F8A408AD20F5A056C05678629 C:\Windows\System32\wscsvc.dll [2008-01-21 03:47] - [2008-01-21 03:47] - 0074752 ____A (Microsoft Corporation) CB8EA6D95949384925CCFCA21CC6DFD8 C:\Windows\System32\wbem\WMIsvc.dll [2008-01-21 03:50] - [2008-01-21 03:50] - 0221696 ____A (Microsoft Corporation) AC98F38FEAB066A8F983D54FF3F4FD4C C:\Windows\System32\wuaueng.dll [2011-11-11 15:02] - [2009-08-07 03:24] - 2424024 ____A (Microsoft Corporation) FB3796754FE00F0BDC87A36F164A5F4D C:\Windows\System32\qmgr.dll [2008-01-21 03:50] - [2008-01-21 03:50] - 1082368 ____A (Microsoft Corporation) D896A0D43F8AB81ECB1FC6C24DECFD58 C:\Windows\System32\es.dll [2008-09-09 13:03] - [2008-09-09 13:03] - 0361984 ____A (Microsoft Corporation) 6B1A97BF9FEFBDC83F3C7C7D0F826C66 C:\Windows\System32\cryptsvc.dll [2008-01-21 03:49] - [2008-01-21 03:49] - 0165376 ____A (Microsoft Corporation) 4374F784121D8B3BB466B03F5E5EBD33 C:\Program Files\Windows Defender\MpSvc.dll [2008-01-21 03:47] - [2008-01-21 03:47] - 0383544 ____A (Microsoft Corporation) 7D2A43E8FDF725A1133F6C6056A72CDC C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\System32\rpcss.dll [2008-01-21 03:51] - [2008-01-21 03:51] - 0713728 ____A (Microsoft Corporation) FF27BE0BA7B3C48D5C99AFCB56D436C2 **** End of log ****

 

[all at sea]

C:\Qoobox\Quarantine\C\ProgramData\LHWmcRqHquM.exe.vir a variant of Win32/Kryptik.AETL trojan cleaned by deleting - quarantined

 

[Broni]

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Post resulting log.

2. Now, we'll remove all tools, we used during our cleaning process

Clean up with OTL:

• Double-click OTL.exe to start the program.
• Close all other programs apart from OTL as this step will require a reboot
• On the OTL main screen, press the CLEANUP button
• Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure, Windows Updates are current (including Service Pack 2 installation and upgrading Internet Explorer to version 9!!!)

4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please, let me know, how your computer is doing.

 

[all at sea]

All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: jason
->Temp folder emptied: 98830 bytes
->Temporary Internet Files folder emptied: 10043929 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 456 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 4373 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 10.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: jason
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: jason
->Java cache emptied: 0 bytes

User: Public

Total Java Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.42.1 log created on 04272012_100102
Files\Folders moved on Reboot...
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QTCNNEMC\desktop.ini scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LFGFZ1Y3\desktop.ini scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L4A1H7KR\desktop.ini scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7DFJ6BKQ\desktop.ini scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini scheduled to be moved on reboot.
Registry entries deleted on Reboot...

 

[all at sea]

Good morning Broni,
Am I definitely clean? PC seems to be running normally, although the trojan found by ESET was an unpleasant surprise, as behaviour already seemed normal.

With regard to Vista Service Pack 2, is it safe? I read on the internet that a lot of people attempting to update Vista to Service Pack 2 experienced a complete loss of data . I also read that Service Pack 2 made very little improvement to Vista (we have a saying in the UK that "you can't polish a turd"!). What do you think?

I haven't been able to get a My Computer icon onto the desktop. With My Documents it was simply a case of right clicking another My Documents icon and sending to desktop, but where can I find a My Computer icon to right click on?

 

[all at sea]

PS.
Is it safe to delete the MBR.Dat file on the desktop?

 

[Broni]

although the trojan found by ESET was an unpleasant surprise

That was a file already in Combofix quarantine folder.

You must keep Windows up to date. It's not about improvement but about security. SP2 is perfectly fine to install.

You can delete MBR.dat file.

where can I find a My Computer icon to right click on?

Click on Start button and "Computer" should be listed in right pane.

 

[all at sea]

Click on Start button and "Computer" should be listed in right pane.

It doesn't seem to be. However, it's not important. I can get to My Computer via My Documents.

Thank you so much for taking the trouble to save my data again - 440 Gigs would be an awful lot to lose, and would likely leave me in . I keep meaning to back it all up, but I don't have an external HD, and 440 Gigs is an awful lot of DVDRs!

Thanks again to you and your colleagues here on the board; you've given yet another bug the Techspot treatment

 

[Broni]

If "Computer" is not there....again...
See my manual here: http://www.smartestcomputing.us.com/topic/49859-missing-items-from-main-start-menu-window-fix/

Way to go!!

Good luck and stay safe