----------------------
----------------------
To any future readers, I did do all instructions as asked, as everyone else seeking assistance should. But, since all experiences will be different and it is bad to delete anything without guidance or to follow anyone else's instructions, I have deleted my logs, as the information won't help anyone else but me.
Original thread starts below:
----------------------
----------------------
I got the Vista Recovery Console pop up last night. It told me things like I was out of memory and my ram was too hot, both lies, and how would it know the temperature? Ha. It also hid everything in my user folder, removed all desktop icons, emptied the quicklaunch menu and start menu. I could still get to all programs via the computer folder.
---------------
I ran CCleaner (which I had previously) to see what my startup programs were, and the following stuck out:
HKCU:Run yiMjvSkpKyOa C:\ProgramData\yiMjvSkpKyOa.exe
----------------
I disabled the startup and deleted the file from a CMD prompt. I later found a shortcut named "Vista Recovery Console" on my desktop with that file listed on my desktop after I'd restored the icons and deleted what I found in MalwareBytes.
First I tried to run a Windows Security Essentials scan, found nothing. Also tried AVG, fail. Finally downloaded MalwareBytes and found the following:
------------------------------
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6669
Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005
5/24/2011 10:50:49 PM
mbam-log-2011-05-24 (22-50-49).txt
Scan type: Quick scan
Objects scanned: 172738
Time elapsed: 5 minute(s), 57 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\programdata\43507448.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\Users\TheUser\AppData\Local\Temp\adobe_flash_player.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\TheUser\AppData\Local\Temp\jar_cache2389963931054689550.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\TheUser\AppData\Local\Temp\ldr8d60.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
----------------------
I removed all of the files from Malwarebytes as well as some unknown file types named 43507448, ~43507448 and ~43507448r from the CMD prompt.
I also went into the CMD prompt and ran the attrib function to unhide all files and folders. Being Vista, and not run as Administrator, I got a lot of "denied". That made it so I could see all my icons and everything in my user folder again. I had to start over for my quicklaunch icons, but that wasn't bad.
---------------
Today, I found this forum and I ran the other scans required:
GMER, I downloaded from the main, multiple times, while not connected to the internet and having the other antivirus turned off. I also only had notepad open (to see the instructions) and I keep getting a blank log. Recommendations to get that log?
DDS logs previously attached for diagnosis
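A small parser for the Malwarebytes 1.x log format quoted in the post above, added here as an example and not part of the original thread or of Malwarebytes' own tooling. The embedded log is a constructed excerpt modelled on the report in the thread, and the two helper checks (policy values that lock the user out, files staged in ProgramData or Temp) are assumed names of my own.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log into structured findings."""
import re
from collections import defaultdict

# Constructed sample in the same layout as the thread's mbam-log (not the real file).
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.50.1.1100
Database version: 6669
Scan type: Quick scan
Registry Data Items Infected: 1
Files Infected: 2

Registry Data Items Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
c:\\programdata\\43507448.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\\Users\\TheUser\\AppData\\Local\\Temp\\ldr8d60.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# A detection line: <item> (<threat name>) -> [Bad/Good values ->] <action>.
DETECTION = re.compile(r"^(?P<item>\S.*?) \((?P<threat>[^()]+)\) -> (?P<detail>.*)$")
# A section header such as "Files Infected:" (the summary lines end in ": <count>").
SECTION = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")

def parse_mbam_log(text):
    """Return {section: [(item, threat, action)]} for every detection line."""
    findings = defaultdict(list)
    section = None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            section = m.group("name")
            continue
        m = DETECTION.match(line)
        if m and section:
            action = m.group("detail").split(" -> ")[-1].rstrip(".")
            findings[section].append((m.group("item"), m.group("threat"), action))
    return dict(findings)

def risky_policy_items(findings):
    """Policy values a fake-AV sets to lock the user out (Task Manager, desktop)."""
    return [item for item, threat, _ in findings.get("Registry Data Items Infected", [])
            if threat.startswith("PUM.Hijack")]

def staged_in_user_writable(findings):
    """Quarantined files that were dropped in ProgramData or a user Temp directory."""
    return [item for item, _, _ in findings.get("Files Infected", [])
            if re.search(r"\\(programdata|temp)\\", item, re.IGNORECASE)]
```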