Solved "System Check" malware - infected. Recovered... but I'm still crippled!

M

mark118

Posts: 21   +0
Hello all,

I'm battling an issue... and I've hit a brick wall.

Last night I was infected with a nasty little malware "system check". I was bombarded with error msgs. such as Files Indexation Process Failed, Windows – Delayed Write Failed and many more. In addition, all my desktop icons, files and shortcuts dissapeared. All program folders in my start menu were gone, and task manager was even disabled. The only program open, was one that popped up "System check" disguised as a windows application in which seemed to detect my new issue, and offer a solution, should I pay for and download the upgraded version of the program. Does anyone actually fall for this crap?

Anyway, I managed to get task manager back, and manually opened Malwarebytes. It seems to have removed the malware, as all of the error msgs are gone. After much research, I found 3 things to get me back to normal: RKill, UnHide, and TDSsKiller.

Here is where I need help:
1.
My desktop shortcuts and icons seem to be back and functional. The program folders are back in my start menu...but all the folders are empty?! I can open programs through desktop shortcuts and opeing files. Is there something I can download and run that will fix that? I've seen posts about combofix, but many warn not to run it unsupervised as it may do more harm than good. Plus, it doesn't sound like it is applicable to my issue.

2.
Malwarebytes seems to have removed the bug, but there is stil a desktop shortcut, quick launch icon and a program folder in the start menu(ofcourse, the only program folder not reading empty). I ran malware bytes again, Spybot seek and destroy and did a full scan with Avast and nothing comes up. I know I could simply delete this items... but is their presence a sign that Im not completely rid of this monster? Is it laying dormant waiting to pop up again?


If anyone knows what Im going through and could help.... I would be VERY greatfull!

Thank you
Mark
 
Welcome aboard
yahooo.gif


We need to check if your computer is really clean first.
Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
Attached logs won't be reviewed.

Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
 
some issues here

I followed the instructions exactly.

Below is my malwarebytes and dds logs....
GMER produced no log... (blank)


Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.12.03

Windows Vista Service Pack 1 x64 NTFS
Internet Explorer 8.0.6001.19088
Mark :: THEGUNSHOW [administrator]

1/12/2012 2:57:50 PM
mbam-log-2012-01-12 (14-57-50).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 181681
Time elapsed: 5 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.6001.19088
Run by Mark at 15:24:14 on 2012-01-12
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.8190.5995 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\VERIZONDM\bin\sprtsvc.exe
C:\PROGRA~2\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\VERIZONDM\bin\tgsrvc.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\splwow64.exe
C:\PROGRA~2\MICROS~1\Office12\OUTLOOK.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.cnn.com/
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\tbBit1.dll
mWinlogon: Userinit=userinit.exe,
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - C:\Program Files (x86)\HP\Smart Web Printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\tbBit1.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\tbBit1.dll
TB: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
uRun: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
mRun: [HDAudDeck] "C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" -r
mRun: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - C:\Program Files (x86)\Java\jre1.5.0\bin\npjpi150.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - C:\Program Files (x86)\HP\Smart Web Printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - C:\Program Files (x86)\HP\Smart Web Printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
Trusted Zone: xmradio.com\player
Trusted Zone: xmradio.com\www
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{A22470FE-C567-4958-9D55-53AFAD0C300A} : DhcpNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: HP Print Clips: {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files (x86)\HP\Smart Web Printing\hpswp_framework.dll
BHO-X64: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\tbBit1.dll
BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: SmartSelect - No File
TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB-X64: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\tbBit1.dll
TB-X64: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
mRun-x64: [HDAudDeck] "C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" -r
mRun-x64: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;C:\Windows\system32\DRIVERS\Lbd.sys --> C:\Windows\system32\DRIVERS\Lbd.sys [?]
R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2011-2-18 42184]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);C:\Program Files (x86)\VERIZONDM\bin\sprtsvc.exe [2010-9-2 206120]
R2 SqueezeMySQL;SqueezeMySQL;C:\PROGRA~2\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=C:\PROGRA~3\SQUEEZ~1\Cache\my.cnf SqueezeMySQL --> C:\PROGRA~2\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=C:\PROGRA~3\SQUEEZ~1\Cache\my.cnf SqueezeMySQL [?]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);C:\Program Files (x86)\VERIZONDM\bin\tgsrvc.exe [2010-9-2 185640]
R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;C:\Windows\system32\Drivers\nx6000.sys --> C:\Windows\system32\Drivers\nx6000.sys [?]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;C:\Windows\system32\drivers\viahduaa.sys --> C:\Windows\system32\drivers\viahduaa.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2009-5-28 1038088]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-3-30 93184]
.
=============== File Associations ===============
.
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.scr=AutoCADScriptFile
.
=============== Created Last 30 ================
.
2012-01-12 19:53:00 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{488BF783-72C0-4406-A1B6-28DB6907F568}\offreg.dll
2012-01-12 14:11:52 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2012-01-12 14:11:52 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2012-01-12 01:59:31 -------- d-----w- C:\sh4ldr
2012-01-12 01:59:31 -------- d-----w- C:\Program Files\Enigma Software Group
2012-01-12 01:58:44 -------- d-----w- C:\Windows\89A072791DB3485AB1DF584DF86774B9.TMP
2012-01-10 06:36:57 8822856 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{488BF783-72C0-4406-A1B6-28DB6907F568}\mpengine.dll
2011-12-26 13:36:35 -------- d-----w- C:\Program Files\iPod
2011-12-26 13:36:34 -------- d-----w- C:\Program Files\iTunes
2011-12-26 13:32:26 -------- d-----w- C:\Program Files\Bonjour
2011-12-26 13:32:26 -------- d-----w- C:\Program Files (x86)\Bonjour
2011-12-15 13:04:28 677136 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
.
==================== Find3M ====================
.
2009-05-03 17:52:52 74737 ----a-w- C:\Program Files (x86)\Uninstal.exe
.
============= FINISH: 15:35:08.12 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 3/3/2009 9:23:55 AM
System Uptime: 1/12/2012 2:52:37 PM (1 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | P5Q SE PLUS
Processor: Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz | LGA775 | 3003/333mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 466 GiB total, 197.231 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
Adobe Acrobat 9 Pro - English, Français, Deutsch
Adobe Acrobat 9.3.4 - CPSID_83708
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Fonts All
Adobe Linguistics CS4
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader 6.0.1
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Apple Application Support
Apple Software Update
AutoCAD 2008 - English
avast! Free Antivirus
BitTorrent
BitTorrentBar Toolbar
BufferChm
c7200_Help
CDDRV_Installer
Connect
Copy
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DNA
DocProc
DocProcQFolder
EPU-4 Engine
eSupportQFolder
Express Gate
F.E.A.R. 2: Project Origin
Fax
FEAR Perseus Mandate
GoToMyPC
Half-Life 2
Half-Life 2 Deathmatch Create Server Mod
Half-Life 2: Deathmatch
Half-Life 2: Episode One
Half-Life 2: Episode Two
Half-Life 2: Lost Coast
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Officejet 6500 E710n-z Help
HP Photosmart Essential2.01
HP Smart Web Printing
HP Update
HPProductAssistant
HPSSupply
I.R.I.S. OCR
J2SE Runtime Environment 5.0
*******_3D_screensaver1
kuler
Logitech SetPoint
Malwarebytes Anti-Malware version 1.60.0.1800
Microsoft Corporation
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
nCleaner second 2.3.4.0
NVIDIA PhysX v8.09.04
Octoshape add-in for Adobe Flash Player
OpenAL
Pandora
PanoStandAlone
PDF Settings CS4
Photoshop Camera Raw
Platform
Portal
Print Screen Deluxe
PSSWCORE
QuickTime
Realtek 8169 8168 8101E 8102E Ethernet Driver
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2553090)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Groove 2007 (KB2552997)
Security Update for Microsoft Office InfoPath 2007 (KB2510061)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Skype™ 4.2
SolutionCenter
SpeedFan (remove only)
Spotify
Squeezebox Server 7.5.3
Status
Steam
Suite Shared Configuration CS4
TrayApp
UnloadSupport
Unreal Tournament 3: Black Edition
Update for 2007 Microsoft Office System (KB2284654)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596686) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2583910)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Verizon Download Manager
VIA Platform Device Manager
VideoToolkit01
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Vz In Home Agent
WinRAR archiver
WModem Driver Installer
.
==== Event Viewer Messages From Past Week ========
.
1/12/2012 8:36:23 AM, Error: disk [11] - The driver detected a controller error on \Device\Harddisk0\DR0.
1/12/2012 3:16:04 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer DANAS-COMPUTER that believes that it is the master browser for the domain on transport NetBT_Tcpip_{A22470FE-C567-4958-9D55-53AFAD0C300A}. The master browser is stopping or an election is being forced.
1/12/2012 12:03:31 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt
1/12/2012 12:03:31 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the GoToMyPC service to connect.
1/12/2012 12:03:31 PM, Error: Service Control Manager [7000] - The MSCamSvc service failed to start due to the following error: The system cannot find the path specified.
1/12/2012 12:03:31 PM, Error: Service Control Manager [7000] - The GoToMyPC service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
.
==== End Of File ===========================

Thank you VERY much for your time......
 
If you ran any temporary files cleaner since the infection started UnHide won't be able to get your shortcuts back.
You'll have to restore them manually.
See my guide here: http://www.smartestcomputing.us.com...tart-menu-and-files-hiddendeleted-by-a-virus/
Scroll down to "Method 3 - manual".

================================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

=============================================================

Download Bootkit Remover to your Desktop.

  • Unzip downloaded file to your Desktop.
  • Double-click on boot_cleaner.exe to run the program (Vista/7 users,right click on boot_cleaner.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.
 
thank you

I saw early on on some threads not to touch the temp folder, so I didn't. Infact, at the begining, I couldn't even access my temp folder.

When you say I'll have to do it manually, do you mean the files in my programs folder, in the start menu? All folders are present, but when I click on them, they read (empty).

I'll follow your instructions regarding aswmbr and bootkit remover later tonight or tommorow and post what I find.


Thank you for your time.

Mark
 
All folders are present, but when I click on them, they read (empty).
Click to expand...
There is a section at my link what to do in that situation.

You may want to wait with that until we're done with running some more tools.
 
problem

I downloaded aswmbr to my desk top. when I double click on it, nothing opens. I clicked on your link and clicked run instead of save, and still, nothing opens. Do I have to disable my avast first?
 
bootkit remover

Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 1 (build 6
001), 64-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00100000

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]


Done;
Press any key to quit...
 
interesting discovery

I went to google, and did a search on Rootkit to learn more about this problem....

Every link I click on, in regards to rootkit... i get redirected to a junk website. Right as it goes to open the intended page... Explorer redirects. Something definatly has a hold of my PC. :(
 
list parts

ListParts by Farbar
Ran by Mark on 13-01-2012 at 08:16:33
Windows Vista (X64)
Running From: C:\Users\Mark\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P9SPQBHA
************************************************************

========================= Memory info ======================

Percentage of memory in use: 33%
Total physical RAM: 8190.12 MB
Available physical RAM: 5436.91 MB
Total Pagefile: 16547.27 MB
Available Pagefile: 13798.7 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

2 Drive c: () (Fixed) (Total:465.76 GB) (Free:198.56 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 466 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 466 GB 1024 KB

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 466 GB Healthy System (partition with boot components)



****** End Of Log ******
 
Download the FixTDSS.exe

Save the file to your Windows desktop.
Close all running programs.
If you are running Windows XP, turn off System Restore. How to turn off or turn on Windows XP System Restore
Double-click the FixTDSS.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.
OK any security prompts.
Restart the computer when prompted by the tool.
After the computer has started, the tool will inform you of the state of infection (make sure to let me know what it said)
If you are running Windows XP, re-enable System Restore.
 
Ok, did it. That was fast. My re-direct issue seems to be resolved.

Is there anything else I have to do?


Do you recomend any software to better help prevent this from happening? Malware bytes is good, but didn't detect the issue.

Thank you again.
 
We're definitely not done.
Good news though.

Post fresh Bootkit Remover log.

Then....

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.

**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode (How to...)

2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Big problem!

I ran comboxfix..... it scanned... and at the end made two deletions... one appeared to be the system check malware.. or the directory it was stored in.

The other was a folder I titled media, which had everything i owned in it! In the Folder 'Media'... was all my music... all of my pictures including my wedding picture, my daughters birth etc.....

That folder is gone... why would combo fix do this? I sat while it was scanning and saw that it scanning that directory, but just thought it was scanning all directories for signs of any problems.

Can you help?
 
log

Here is the log... I cut out some of the middle section that just contained my music files.... it was a mile long...... all required info should be there...

ComboFix 12-01-13.03 - Mark 01/13/2012 15:05:03.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.8190.6401 [GMT -5:00]
Running from: C:\Users\Mark\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\ProgramData\iKk7sAFBa0IoHD
C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check
C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\System Check.lnk
C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\Uninstall System Check.lnk
C:\Users\Mark\Desktop\System Check.lnk
C:\Users\Mark\Media
C:\Users\Mark\Media\Music\desktop.ini
C:\Users\Mark\Media\Music\iTunes Music\(Police)\Unknown Album\Sending Out an SOS.mp3
C:\Users\Mark\Media\Music\iTunes Music\10,000 Maniacs\desktop.ini
C:\Users\Mark\Media\Music\iTunes Music\10,000 Maniacs\Sounds Of The Eighties - The Rolling Sto\04 Like The Weather.mp3
C:\Users\Mark\Media\Music\iTunes Music\10,000 Maniacs\Sounds Of The Eighties - The Rolling Sto\AlbumArt_{9A54E70A-8ADC-4DC2-BCD3-E9588CAB2599}_Large.jpg
C:\Users\Mark\Media\Music\iTunes Music\10,000 Maniacs\Sounds Of The Eighties - The Rolling Sto\AlbumArt_{9A54E70A-8ADC-4DC2-BCD3-E9588CAB2599}_Small.jpg
C:\Users\Mark\Media\Music\iTunes Music\10,000 Maniacs\Sounds Of The Eighties - The Rolling Sto\AlbumArtSmall.jpg
C:\Users\Mark\Media\Music\iTunes Music\10,000 Maniacs\Sounds Of The Eighties - The Rolling Sto\desktop.ini
C:\Users\Mark\Media\Music\iTunes Music\10,000 Maniacs\Sounds Of The Eighties - The Rolling Sto\Folder.jpg
C:\Users\Mark\Media\Music\iTunes Music\311\311\01 Down.mp3
C:\Users\Mark\Media\Music\iTunes Music\311\311\08 Purpose.mp3
C:\Users\Mark\Media\Music\iTunes Music\311\311\09 Loco.mp3
C:\Users\Mark\Media\Music\iTunes Music\311\311\11 Don't Stay Home.mp3
C:\Users\Mark\Media\Music\iTunes Music\311\311\13 Sweet.mp3
C:\Users\Mark\Media\Music\iTunes Music\311\311\AlbumArt_{B6143C56-1314-4DEB-957E-3EC875C77F4B}_Large.jpg
C:\Users\Mark\Media\Music\iTunes Music\311\311\AlbumArt_{B6143C56-1314-4DEB-957E-3EC875C77F4B}_Small.jpg
C:\Users\Mark\Media\Music\iTunes Music\311\311\AlbumArtSmall.jpg
C:\Users\Mark\Media\Music\iTunes Music\311\311\desktop.ini
C:\Users\Mark\Media\Music\iTunes Music\311\311\Folder.jpg
C:\Users\Mark\Media\Music\iTunes Music\311\Chaos\03 You Wouldn't Believe.mp3
C:\Users\Mark\Media\Music\iTunes Music\311\Chaos\AlbumArt_{6B0F1373-0D27-4272-9DF0-EC4C8C8A5D4F}_Large.jpg
C:\Users\Mark\Media\Music\iTunes Music\311\Chaos\AlbumArt_{6B0F1373-0D27-4272-9DF0-EC4C8C8A5D4F}_Small.jpg
C:\Users\Mark\Media\Music\iTunes Music\311\Chaos\AlbumArtSmall.jpg
C:\Users\Mark\Media\Music\iTunes Music\311\Chaos\desktop.ini
C:\Users\Mark\Media\Music\iTunes Music\311\Chaos\Folder.jpg
C:\Users\Mark\Media\Music\iTunes Music\311\desktop.ini
C:\Users\Mark\Media\Music\iTunes Music\311\evolver\01 Creatures (For a While).mp3

-----
C:\Windows\system32\AutoRun.inf
C:\Windows\system32\gotomon.log


((((((((((((((((((((((((( Files Created from 2011-12-13 to 2012-01-13 )))))))))))))))))))))))))))))))


2012-01-13 20:37:27 . 2012-01-13 20:37:28 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{57E7CF3A-5BF5-46D1-9B71-6B82253E160E}\offreg.dll
2012-01-13 20:35:51 . 2012-01-13 20:39:40 -------- d-----w- C:\Users\Mark\AppData\Local\temp
2012-01-13 20:35:51 . 2012-01-13 20:35:51 -------- d-----w- C:\Users\Default\AppData\Local\temp
2012-01-13 07:28:10 . 2011-11-21 11:40:38 8822856 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{57E7CF3A-5BF5-46D1-9B71-6B82253E160E}\mpengine.dll
2012-01-12 14:11:52 . 2012-01-12 19:52:49 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2012-01-12 14:11:52 . 2012-01-12 19:51:19 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2012-01-12 01:59:31 . 2012-01-12 18:27:40 -------- d-----w- C:\sh4ldr
2012-01-12 01:59:31 . 2012-01-12 01:59:31 -------- d-----w- C:\Program Files\Enigma Software Group
2012-01-12 01:58:44 . 2012-01-12 18:27:37 -------- d-----w- C:\Windows\89A072791DB3485AB1DF584DF86774B9.TMP
2011-12-26 13:36:35 . 2011-12-26 13:36:35 -------- d-----w- C:\Program Files\iPod
2011-12-26 13:36:34 . 2011-12-26 13:37:15 -------- d-----w- C:\Program Files\iTunes
2011-12-26 13:32:26 . 2011-12-26 13:32:27 -------- d-----w- C:\Program Files (x86)\Bonjour
2011-12-26 13:32:26 . 2011-12-26 13:32:26 -------- d-----w- C:\Program Files\Bonjour
2011-12-26 13:29:58 . 2011-12-26 13:29:58 -------- d-----w- C:\Program Files (x86)\Apple Software Update
2011-12-15 13:04:28 . 2011-12-15 13:04:28 677136 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2009-05-03 17:52:52 . 2009-05-03 17:52:52 74737 ----a-w- C:\Program Files (x86)\Uninstal.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
2010-12-30 14:51:18 3911776 ----a-w- C:\Program Files (x86)\BitTorrentBar\tbBit1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "C:\Program Files (x86)\BitTorrentBar\tbBit1.dll" [2010-12-30 14:51:18 3911776]

[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-21 02:47:57 1555968]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-21 02:51:33 138240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2008-09-16 14:32:54 17601536]
"QuickTime Task"="C:\Program Files (x86)\QuickTime\QTTask.exe" [2010-11-29 22:38:18 421888]
"GrooveMonitor"="C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 15:44:34 31072]
"APSDaemon"="C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 04:25:58 59240]
"iTunesHelper"="C:\Program Files (x86)\iTunes\iTunesHelper.exe" [2011-12-08 06:36:42 421736]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2011-2-19 1041920]
Squeezebox Server Tray Tool.lnk - C:\Program Files (x86)\Squeezebox\SqueezeTray.exe [2011-2-6 2351191]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

--- Other Services/Drivers In Memory ---

*NewlyCreated* - WS2IFSL

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

Contents of the 'Scheduled Tasks' folder

2012-01-13 C:\Windows\Tasks\User_Feed_Synchronization-{BCD208F4-7D0F-4A27-9114-A79A3EC47B7A}.job
- C:\Windows\system32\msfeedssync.exe [2011-06-16 08:35:02 . 2011-05-28 04:32:15]


--------- x86-64 -----------


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 14:04:07 134384 ----a-w- C:\Program Files\Alwil Software\Avast5\ashShA64.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="C:\Windows\system32\nvsvc64.dll" [2008-10-07 05:33:00 724512]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2008-10-07 05:33:00 15934496]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-10-07 05:33:00 82464]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 20:34:50 134416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0

------- Supplementary Scan -------

uLocal Page = C:\Windows\system32\blank.htm
uStart Page = hxxp://www.cnn.com/
mLocal Page = C:\Windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
Trusted Zone: xmradio.com\player
Trusted Zone: xmradio.com\www
TCP: DhcpNameServer = 192.168.1.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll

- - - - ORPHANS REMOVED - - - -

Wow6432Node-HKCU-Run-WMPNSCFG - C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
WebBrowser-{88C7F2AA-F93F-432C-8F0E-B7D85967A527} - (no file)
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
HKLM-Run-Windows Defender - C:\Program Files (x86)\Windows Defender\MSASCui.exe
 
No worries.
We can recover that folder easily.

1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code: 
DEQUARANTINE::
C:\Qoobox\Quarantine\C\Users\Mark\Media
QUIT::


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. DeQuarantine.txt log will appear.
 
Still deleted

Files are still gone... below is the log file. It lookslike for some reason it tried to delete the folder again. (under other deletions)

ComboFix 12-01-13.03 - Mark 01/13/2012 16:11:45.2.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.8190.6174 [GMT -5:00]
Running from: c:\users\Mark\Desktop\ComboFix.exe
Command switches used :: c:\users\Mark\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Mark\AppData\Local\Temp\pdk-Mark-3144\20252d6e001ae3774b425e81ba09b666\Fcntl.dll
c:\users\Mark\AppData\Local\Temp\pdk-Mark-3144\2076671ee5d0a5323570c92c74abac6f\Process.dll
c:\users\Mark\AppData\Local\Temp\pdk-Mark-3144\23ae7fb85999872530b5a5d4d67a4f44\Registry.dll
c:\users\Mark\AppData\Local\Temp\pdk-Mark-3144\23fe5d76b9491fa255db2281ac7687d5\Service.dll
c:\users\Mark\AppData\Local\Temp\pdk-Mark-3144\2d2847f7dd2a1fddd0fdb79d9d64ba93\List.dll
c:\users\Mark\AppData\Local\Temp\pdk-Mark-3144\6a834a555edd63cb8706466e7c1666f2\Hostname.dll
c:\users\Mark\AppData\Local\Temp\pdk-Mark-3144\7020d50af327e3fc94b98242c307fc81\Cwd.dll
c:\users\Mark\AppData\Local\Temp\pdk-Mark-3144\7dd16cc839f33995d1a58e2773aa29b8\WinError.dll
c:\users\Mark\AppData\Local\Temp\pdk-Mark-3144\855297e7b4b860331fdbdd53426f5e15\Dumper.dll
c:\users\Mark\AppData\Local\Temp\pdk-Mark-3144\86351894c58e4804ca004825fea78bbb\Encode.dll
c:\users\Mark\AppData\Local\Temp\pdk-Mark-3144\a7c0cce4e1ac2c1f6d3e71bbe3c9bdd3\Socket.dll
c:\users\Mark\AppData\Local\Temp\pdk-Mark-3144\b7b4505cb0a127c242f14d779e410e03\POSIX.dll
c:\users\Mark\AppData\Local\Temp\pdk-Mark-3144\c3da4aa4c02db51c7f94d5eaf2438023\OLE.dll
c:\users\Mark\AppData\Local\Temp\pdk-Mark-3144\f48694173221cfa9bad4275e2389b498\Win32.dll
c:\users\Mark\AppData\Local\Temp\pdk-Mark-3144\perl510.dll
c:\users\Mark\Media
c:\users\Mark\Media\Music\desktop.ini
c:\users\Mark\Media\Music\Sample Music.lnk
c:\users\Mark\Media\Pictures\desktop.ini
c:\users\Mark\Media\Pictures\Sample Pictures.lnk
c:\users\Mark\Media\Videos\desktop.ini
c:\users\Mark\Media\Videos\Sample Videos.lnk
.
.
((((((((((((((((((((((((( Files Created from 2011-12-13 to 2012-01-13 )))))))))))))))))))))))))))))))
.
.
2012-01-13 21:21 . 2012-01-13 21:23 -------- d-----w- c:\users\Mark\AppData\Local\Temp
2012-01-13 21:21 . 2012-01-13 21:21 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{57E7CF3A-5BF5-46D1-9B71-6B82253E160E}\offreg.dll
2012-01-13 21:20 . 2012-01-13 21:20 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-13 07:28 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{57E7CF3A-5BF5-46D1-9B71-6B82253E160E}\mpengine.dll
2012-01-12 14:11 . 2012-01-12 19:52 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2012-01-12 14:11 . 2012-01-12 19:51 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-01-12 01:59 . 2012-01-12 18:27 -------- d-----w- C:\sh4ldr
2012-01-12 01:59 . 2012-01-12 01:59 -------- d-----w- c:\program files\Enigma Software Group
2012-01-12 01:58 . 2012-01-12 18:27 -------- d-----w- c:\windows\89A072791DB3485AB1DF584DF86774B9.TMP
2011-12-26 13:36 . 2011-12-26 13:36 -------- d-----w- c:\program files\iPod
2011-12-26 13:36 . 2011-12-26 13:37 -------- d-----w- c:\program files\iTunes
2011-12-26 13:32 . 2011-12-26 13:32 -------- d-----w- c:\program files (x86)\Bonjour
2011-12-26 13:32 . 2011-12-26 13:32 -------- d-----w- c:\program files\Bonjour
2011-12-26 13:29 . 2011-12-26 13:29 -------- d-----w- c:\program files (x86)\Apple Software Update
2011-12-15 13:04 . 2011-12-15 13:04 677136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-03 17:52 . 2009-05-03 17:52 74737 ----a-w- c:\program files (x86)\Uninstal.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-13_20.38.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-21 03:20 . 2012-01-13 20:38 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-21 03:20 . 2012-01-13 21:22 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-01-21 03:20 . 2012-01-13 20:38 81920 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-21 03:20 . 2012-01-13 21:22 81920 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-21 03:20 . 2012-01-13 21:22 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-01-21 03:20 . 2012-01-13 20:38 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 02:23 . 2012-01-13 21:24 62090 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 15:45 . 2012-01-13 21:24 75212 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-03-03 01:39 . 2012-01-13 21:24 13944 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3867335980-3509603360-33153671-1000_UserData.bin
+ 2010-02-22 22:37 . 2012-01-13 21:00 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-02-22 22:37 . 2012-01-12 22:21 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-02-22 22:37 . 2012-01-12 22:21 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-02-22 22:37 . 2012-01-13 21:00 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-02-22 22:37 . 2012-01-12 22:21 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-02-22 22:37 . 2012-01-13 21:00 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-10-07 23:05 . 2012-01-12 12:22 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-10-07 23:05 . 2012-01-13 20:37 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-10-07 23:05 . 2012-01-12 12:22 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-10-07 23:05 . 2012-01-13 20:37 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-01-13 20:37 . 2012-01-13 20:37 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-13 21:21 . 2012-01-13 21:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-01-13 20:37 . 2012-01-13 20:37 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-01-13 21:21 . 2012-01-13 21:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2006-11-02 12:46 . 2012-01-13 17:40 607168 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2012-01-13 20:45 607168 c:\windows\system32\perfh009.dat
- 2006-11-02 12:46 . 2012-01-13 17:40 104808 c:\windows\system32\perfc009.dat
+ 2006-11-02 12:46 . 2012-01-13 20:45 104808 c:\windows\system32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
2010-12-30 14:51 3911776 ----a-w- c:\program files (x86)\BitTorrentBar\tbBit1.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files (x86)\BitTorrentBar\tbBit1.dll" [2010-12-30 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1555968]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"WMPNSCFG"="c:\program files (x86)\Windows Media Player\WMPNSCFG.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2008-09-16 17601536]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-12-08 421736]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2011-2-19 1041920]
Squeezebox Server Tray Tool.lnk - c:\program files (x86)\Squeezebox\SqueezeTray.exe [2011-2-6 2351191]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-13 c:\windows\Tasks\User_Feed_Synchronization-{BCD208F4-7D0F-4A27-9114-A79A3EC47B7A}.job
- c:\windows\system32\msfeedssync.exe [2011-06-16 04:32]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 14:04 134384 ----a-w- c:\program files\Alwil Software\Avast5\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc64.dll" [2008-10-07 724512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 15934496]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 82464]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 134416]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.cnn.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
Trusted Zone: xmradio.com\player
Trusted Zone: xmradio.com\www
TCP: DhcpNameServer = 192.168.1.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{88C7F2AA-F93F-432C-8F0E-B7D85967A527} - (no file)
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}]
@Denied: (A 2) (Everyone)
@="FlashProp Class"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash9b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\ASUS\EPU-4 Engine\FourEngine.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\VERIZONDM\bin\sprtsvc.exe
c:\progra~2\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe
c:\program files (x86)\VERIZONDM\bin\tgsrvc.exe
c:\program files\Logitech\SetPoint\x86\SetPoint32.exe
.
**************************************************************************
.
Completion time: 2012-01-13 16:32:19 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-13 21:32
ComboFix2.txt 2012-01-13 20:49
.
Pre-Run: 217,487,691,776 bytes free
Post-Run: 217,953,648,640 bytes free
.
- - End Of File - - 82D5CCB5152F7ADF0C0E836D670AB088
 
Please pay attention.
You didn't create script I posted in my previous reply.
Redo.

When DeQuarantine.txt log is created do NOT run Combofix anymore.
 
I will do it again. I did exactly as instructed before, copy and pasted the given code int notpad, saved it as CFScript.txt and drag and droppped onto the icon... and the Combofix ran again.



I will do it again and let you know.
 
looks like it worked

The last time i did it, the DeQuarantine.txt came up, and all my files were back. Thank you very much.

Is there anything else I have to do?
 
Yes.

First of all....how is computer doing?

Then....

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
You must log in or register to reply here.

Similar threads

E
I have been taken over by a software called Astanda using XML to Log everything and roaming to an SQL server.
Replies
0
Views
474
eriksnyman1
E
A
Infected: Antivirus says it's Trojan:Script/Wacatac.H!ml
Replies
12
Views
2K
adidaman27
A
E
Another day, another FBI takedown of routers infected by malware
Replies
7
Views
219
p51d007
p51d007

Latest posts

Back