Solved Web search redirected and files on hard drive disappeared


pjizzle

Hi All,

Not sure what has happened here, but all my music, photos and other files seem to have been deleted along with all the shortcuts on my desktop. All my music folders are empty, but if I open iTunes they are there and playable, so I'm hoping I haven't lost all my important documents with this virus.

Clicking a link in a list of Google search results redirects the page. I have been using Microsoft Security Essentials for a few weeks now (which I never want to use again after this), and these are the threats it says have been detected:

worm:Win32/Autorun.gen!inf
Exploit:Win32/Pdfjsc.RF

I have followed the 6 steps and any help is greatly appreciated, please see my logs below:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-18 14:31:07
Windows 6.1.7600
Running: r1h47w9i.exe; Driver: C:\Users\P-jizzle\AppData\Local\Temp\pwlyakod.sys


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x30 0xFD 0x41 0xC3 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x55 0x52 0xAD 0x57 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x65 0x59 0xA6 0xC2 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x1F 0x52 0x56 0xE3 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x55 0x52 0xAD 0x57 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x65 0x59 0xA6 0xC2 ...

---- Files - GMER 1.0.15 ----

File C:\Users\P-jizzle\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TQLQCCEN\like[1].htm 27010 bytes
File C:\Users\P-jizzle\AppData\Roaming\Microsoft\Windows\Cookies\BB6QJQX2.txt 1323 bytes
File C:\Users\P-jizzle\AppData\Roaming\Microsoft\Windows\Cookies\P61Y0NZN.txt 375 bytes
File C:\Users\P-jizzle\AppData\Roaming\Microsoft\Windows\Cookies\PRJ8ODXH.txt 226 bytes
File C:\Users\P-jizzle\AppData\Roaming\Microsoft\Windows\Cookies\RHBDDQ28.txt 108 bytes
File C:\Users\P-jizzle\AppData\Roaming\Microsoft\Windows\Cookies\RJD3IL6F.txt 103 bytes

---- EOF - GMER 1.0.15 ----


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385
Run by P-jizzle at 15:03:15 on 2011-09-18
Microsoft Windows 7 Professional 6.1.7600.0.1252.44.1033.18.3070.2302 [GMT 1:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\lxbkcoms.exe
C:\Windows\system32\svchost.exe -k imgsvc
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\LXBKbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {30CEEEA2-3742-40E4-85DD-812BF1CBB83D} - No File
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [AdobeBridge]
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [lxbkbmgr.exe] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5.5ServiceManager] "c:\program files\common files\adobe\cs5.5servicemanager\CS5.5ServiceManager.exe" -launchedbylogin
StartupFolder: c:\users\p-jizzle\appdata\roaming\micros~1\windows\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe
StartupFolder: c:\users\p-jizzle\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
Trusted Zone: tvcatchup.com
Trusted Zone: tvcatchup.com
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.3.1.0.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{1D91C794-8673-4E59-B939-81CC2425922C} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{1D91C794-8673-4E59-B939-81CC2425922C}\F42377962756C6563737138393039333 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{1D91C794-8673-4E59-B939-81CC2425922C}\F42377962756C6563737438333132323 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{1D91C794-8673-4E59-B939-81CC2425922C}\F42377962756C6563737642353735423 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{D61097DB-6F06-456E-B758-03CD22A98E77} : DhcpNameServer = 82.132.254.3 82.132.254.2
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\p-jizzle\appdata\roaming\mozilla\firefox\profiles\rlc8f4j8.default\
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsl726ff0df;MpKsl726ff0df;c:\programdata\microsoft\microsoft antimalware\definition updates\{64b0894c-cf57-4e98-83eb-14657e59e324}\MpKsl726ff0df.sys [2011-9-18 28752]
R2 lxbk_device;lxbk_device;c:\windows\system32\lxbkcoms.exe -service --> c:\windows\system32\lxbkcoms.exe -service [?]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-24 1343400]
.
=============== Created Last 30 ================
.
2011-09-18 14:02:01 28752 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{64b0894c-cf57-4e98-83eb-14657e59e324}\MpKsl726ff0df.sys
2011-09-16 12:16:58 7152464 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{64b0894c-cf57-4e98-83eb-14657e59e324}\mpengine.dll
2011-09-15 22:59:46 -------- d--h--w- c:\users\p-jizzle\appdata\local\CrashDumps
2011-09-08 19:52:34 -------- d-----w- c:\program files\Elaborate Bytes
2011-09-08 19:28:27 11114 ----a-w- c:\programdata\MainApp.dll
2011-09-08 19:25:55 14 ----a-w- c:\windows\system32\systeminfo3.dll
2011-09-08 19:25:10 81920 ----a-w- c:\users\p-jizzle\appdata\roaming\ezpinst.exe
2011-09-08 19:25:10 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2011-09-08 19:25:10 47360 ----a-w- c:\users\p-jizzle\appdata\roaming\pcouffin.sys
2011-09-08 09:33:04 439632 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\nisbackup\gapaengine.dll
2011-09-08 09:33:01 439632 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{e4f0ec0d-4936-432c-9b13-44ad288db7c7}\gapaengine.dll
2011-09-07 10:55:15 -------- d-----w- c:\program files\Adobe Download Assistant
2011-09-06 16:01:19 -------- d--h--w- c:\users\p-jizzle\appdata\roaming\PDAppFlex
2011-09-06 15:59:56 -------- d-----w- c:\programdata\regid.1986-12.com.adobe
2011-09-06 15:15:03 -------- d--h--w- c:\users\p-jizzle\appdata\roaming\com.adobe.downloadassistant.AdobeDownloadAssistant
2011-08-27 15:55:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-26 21:16:22 7152464 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-08-25 13:27:24 -------- d-----w- c:\program files\Microsoft Security Client
2011-08-25 13:26:55 240008 ----a-w- c:\windows\system32\drivers\netio.sys
2011-08-25 13:01:35 83249512 ---ha-w- c:\program files\common files\windows live\.cache\wlcB157.tmp
2011-08-24 00:15:39 2048 ----a-w- c:\windows\system32\tzres.dll
2011-08-24 00:12:43 7152464 ------w- c:\programdata\microsoft\windows defender\definition updates\{e5ce807d-fe57-4a93-a51b-19c26343e448}\mpengine.dll
.
==================== Find3M ====================
.
2011-07-22 04:56:17 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-16 04:37:32 169984 ----a-w- c:\windows\system32\winsrv.dll
2011-07-16 04:34:28 290816 ----a-w- c:\windows\system32\KernelBase.dll
2011-07-16 04:31:12 271360 ----a-w- c:\windows\system32\conhost.exe
2011-07-16 02:21:47 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:21:47 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:21:47 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:21:47 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2011-07-09 02:26:10 222720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-23 04:38:05 3957120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-06-23 04:38:04 3902336 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-06-21 05:39:53 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-21 05:36:36 981504 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 05:35:05 44544 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-21 04:26:02 386048 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 15:11:41.17 ===============


.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 26/04/2010 12:31:43
System Uptime: 18/09/2011 15:01:15 (0 hours ago)
.
Motherboard: Quanta | | 30D2
Processor: Intel(R) Core(TM)2 Duo CPU T5750 @ 2.00GHz | U2E1 | 1000/667mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 286 GiB total, 138.188 GiB free.
D: is FIXED (NTFS) - 12 GiB total, 3.626 GiB free.
E: is CDROM ()
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: Base System Device
Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_30CC103C&REV_12\4&1D9D6A4A&0&4BF0
Manufacturer:
Name: Base System Device
PNP Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_30CC103C&REV_12\4&1D9D6A4A&0&4BF0
Service:
.
Class GUID:
Description: Base System Device
Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_30CC103C&REV_12\4&1D9D6A4A&0&4AF0
Manufacturer:
Name: Base System Device
PNP Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_30CC103C&REV_12\4&1D9D6A4A&0&4AF0
Service:
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: MpKsl3f6e9e65
Device ID: ROOT\LEGACY_MPKSL3F6E9E65\0000
Manufacturer:
Name: MpKsl3f6e9e65
PNP Device ID: ROOT\LEGACY_MPKSL3F6E9E65\0000
Service: MpKsl3f6e9e65
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: MpKsl7b6da6bd
Device ID: ROOT\LEGACY_MPKSL7B6DA6BD\0000
Manufacturer:
Name: MpKsl7b6da6bd
PNP Device ID: ROOT\LEGACY_MPKSL7B6DA6BD\0000
Service: MpKsl7b6da6bd
.
==== System Restore Points ===================
.
RP203: 02/08/2011 17:48:19 - Windows Update
RP204: 05/08/2011 12:02:58 - Windows Update
RP205: 09/08/2011 09:43:50 - Windows Update
RP206: 10/08/2011 15:45:30 - Windows Update
RP207: 12/08/2011 10:02:20 - Windows Update
RP208: 16/08/2011 15:48:21 - Windows Update
RP209: 17/08/2011 17:41:39 - Windows Update
RP210: 19/08/2011 18:11:44 - Windows Update
RP211: 24/08/2011 01:11:51 - Windows Update
RP212: 24/08/2011 01:34:30 - Windows Update
RP213: 25/08/2011 14:26:33 - Windows Update
RP214: 25/08/2011 14:40:01 - Windows Update
RP215: 26/08/2011 22:15:39 - Windows Update
RP216: 28/08/2011 00:46:28 - Windows Update
RP217: 29/08/2011 11:35:58 - Windows Update
RP218: 30/08/2011 18:50:46 - Windows Update
RP219: 31/08/2011 22:15:33 - Windows Update
RP220: 01/09/2011 23:26:37 - Windows Update
RP221: 03/09/2011 00:35:12 - Windows Update
RP222: 04/09/2011 01:11:10 - Windows Update
RP223: 05/09/2011 21:55:52 - Windows Update
RP224: 06/09/2011 17:08:46 - Removed Adobe Download Assistant
RP225: 06/09/2011 22:56:57 - Windows Update
RP226: 07/09/2011 23:33:04 - Windows Update
RP227: 08/09/2011 10:31:55 - Windows Update
RP228: 08/09/2011 20:25:19 - Device Driver Package Install: VSO Software
RP229: 09/09/2011 11:00:13 - Windows Update
RP230: 10/09/2011 11:09:40 - Windows Update
RP231: 10/09/2011 14:30:45 - Removed BBC iPlayer Desktop
RP232: 11/09/2011 23:48:35 - Windows Update
RP233: 13/09/2011 00:24:42 - Windows Update
RP234: 13/09/2011 22:07:15 - Windows Update
RP235: 14/09/2011 00:56:31 - Windows Update
RP236: 15/09/2011 12:47:43 - Windows Update
RP237: 16/09/2011 13:16:38 - Windows Update
RP238: 18/09/2011 13:19:52 - Windows Update
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
Acrobat.com
Adobe AIR
Adobe Anchor Service CS4
Adobe Community Help
Adobe CSI CS4
Adobe Download Assistant
Adobe Dreamweaver CS4
Adobe Dreamweaver CS5.5
Adobe Flash Player 10 ActiveX
Adobe Photoshop CS5.1
Adobe Reader 9.3.3
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Update Manager CS4
Adobe Widget Browser
Apple Application Support
Apple Mobile Device Support
Apple Software Update
BitTorrent
Bonjour
CloneDVD2
Connect
Internet Download Manager 5.18.8.0
iTunes
Java(TM) 6 Update 17
kuler
Lexmark X1100 Series
MagicDraw UML Personal Edition 16.0 sp1
Malwarebytes' Anti-Malware version 1.51.0.1200
Microsoft .NET Framework 4 Client Profile
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Project 2007 Service Pack 2 (SP2)
Microsoft Office Project MUI (English) 2007
Microsoft Office Project Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Microsoft_VC90_MFCLOC_x86
mkv2vob
MobileMe Control Panel
Mozilla Firefox 6.0.2 (x86 en-GB)
MSVCRT
NVIDIA Drivers
OGA Notifier 2.0.0048.0
PDF Settings CS5
QuickTime
Safari
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2553074)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2553090)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2553073)
Security Update for Microsoft Office Groove 2007 (KB2552997)
Security Update for Microsoft Office InfoPath 2007 (KB2510061)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
SkyPlayer for Windows Media Center
Suite Shared Configuration CS4
System Requirements Lab
System Requirements Lab CYRI
TVCatchup MCE Plugin
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2583910)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Project 2007 Help (KB963668)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2553110)
VC80CRTRedist - 8.0.50727.4053
Veetle TV 0.9.17
VLC media player 1.0.5
WampServer 2.0
Windows Driver Package - ENE (enecir) HIDClass (04/29/2008 2.5.0.0)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
WinRAR archiver
.
==== Event Viewer Messages From Past Week ========
.
18/09/2011 14:51:26, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.111.2389.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7604.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
18/09/2011 13:26:22, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.111.2389.0 Update Source: Microsoft Update Server Update Stage: Install Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7604.0 Error code: 0x80240016 Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
18/09/2011 13:26:22, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.111.2389.0 Update Source: Microsoft Update Server Update Stage: Install Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7604.0 Error code: 0x80240016 Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
18/09/2011 13:26:22, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.111.2389.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7604.0 Error code: 0x80240016 Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
18/09/2011 13:15:35, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
16/09/2011 13:23:50, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
16/09/2011 13:23:50, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
16/09/2011 13:23:49, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
16/09/2011 13:23:45, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
16/09/2011 13:23:45, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
16/09/2011 13:23:44, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
16/09/2011 13:23:38, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
16/09/2011 13:23:22, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD CSC DfsC discache ElbyCDIO MpFilter NetBIOS NetBT nsiproxy Psched rdbss spldr sptd tdx Wanarpv6 WfpLwf
16/09/2011 13:23:22, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
16/09/2011 13:23:22, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
16/09/2011 13:23:22, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
16/09/2011 13:23:22, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
16/09/2011 13:23:22, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
16/09/2011 13:23:22, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
16/09/2011 13:23:22, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
16/09/2011 13:23:22, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
16/09/2011 13:23:22, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
16/09/2011 13:23:22, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
16/09/2011 13:22:57, Error: sptd [4] - Driver detected an internal error in its data structures for .
16/09/2011 12:59:20, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
16/09/2011 11:28:47, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.111.2156.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7604.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
16/09/2011 11:28:47, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
16/09/2011 11:24:08, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
16/09/2011 11:24:08, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
16/09/2011 11:19:27, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
16/09/2011 11:18:30, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache ElbyCDIO MpFilter spldr sptd Wanarpv6
16/09/2011 01:11:12, Error: Microsoft Antimalware [2004] - Microsoft Antimalware has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Current Error Code: 0x80070002 Error description: The system cannot find the file specified. Signature version: 0.0.0.0;0.0.0.0 Engine version: 0.0.0.0
15/09/2011 23:41:43, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
15/09/2011 22:50:21, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
15/09/2011 22:22:40, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
15/09/2011 22:00:48, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
15/09/2011 17:46:41, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
15/09/2011 16:56:32, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
15/09/2011 14:33:13, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
15/09/2011 12:37:06, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
15/09/2011 00:27:51, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
14/09/2011 21:26:27, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
14/09/2011 17:01:06, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
14/09/2011 10:48:11, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
.


Thanks in advance.
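The Event Viewer errors pasted above can be triaged mechanically rather than read line by line. The PowerShell below is an added example, not part of the original post and not one of the tools used in this thread; the log lines embedded in it are constructed, shortened copies in the same "dd/MM/yyyy HH:mm:ss, Error: Source [ID] - message" layout, and in practice you would read a saved .txt dump instead:

```powershell
# Added example: triage a pasted Event Viewer error dump.
# $dump is constructed sample input in the same format as the post (shortened).
$dump = @'
16/09/2011 13:23:22, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD CSC MpFilter NetBT nsiproxy sptd tdx
16/09/2011 13:23:22, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
16/09/2011 13:23:22, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
16/09/2011 11:28:47, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
16/09/2011 11:18:30, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache ElbyCDIO MpFilter spldr sptd Wanarpv6
15/09/2011 23:41:43, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005
15/09/2011 22:50:21, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005
'@

# One object per line: timestamp, source, event id, message.
$pattern = '^(?<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}), (?<level>\w+): (?<src>.+?) \[(?<id>\d+)\] - (?<msg>.*)$'
$culture = [Globalization.CultureInfo]::InvariantCulture
$events = foreach ($line in ($dump -split "`r?`n")) {
    if ($line -match $pattern) {
        [pscustomobject]@{
            Time    = [datetime]::ParseExact($Matches.ts, 'dd/MM/yyyy HH:mm:ss', $culture)
            Source  = $Matches.src
            Id      = [int]$Matches.id
            Message = $Matches.msg
        }
    }
}

# 1. Which (source, id) pairs dominate. A long run of 3002 means real-time protection was
#    down for the whole period, so "no threats found" from that product proves little.
$events | Group-Object Source, Id | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Boot-start drivers that failed to load (7026), one row per driver per boot.
#    MpFilter is the Security Essentials minifilter, sptd is DAEMON Tools' driver;
#    AFD/NetBT/tdx/nsiproxy failing together is the network stack not loading.
$failedDrivers = $events | Where-Object { $_.Id -eq 7026 } | ForEach-Object {
    $boot = $_.Time
    ($_.Message -replace '^.*failed to load: ', '') -split '\s+' |
        ForEach-Object { [pscustomobject]@{ Boot = $boot; Driver = $_ } }
}
$failedDrivers | Sort-Object Boot, Driver | Format-Table -AutoSize

# 3. Dependency failures (7001): keep only the ones whose error is NOT "dependency failed",
#    i.e. the service whose own driver broke; everything else is a knock-on effect.
$depPattern = '^The (?<dep>.+?) service depends on the (?<on>.+?) service which failed to start because of the following error: (?<err>.*)$'
$events | Where-Object { $_.Id -eq 7001 -and $_.Message -match $depPattern } | ForEach-Object {
    [pscustomobject]@{ Service = $Matches.dep; DependsOn = $Matches.on; Error = $Matches.err }
} | Where-Object { $_.Error -notmatch 'dependency service or group' } | Format-Table -AutoSize

# 4. Direct evidence of a Safe Mode boot at that time (0x8007043c, "cannot be started in Safe Mode").
$events | Where-Object { $_.Message -match '0x8007043c|Safe Mode' } |
    Select-Object Time, Source, Id | Format-Table -AutoSize
```

Read the three tables together: the 7026 rows at 13:23 on 16/09 list the whole network stack, and the 2001 entry two hours earlier says the machine was in Safe Mode, so those driver failures are the expected result of Safe Mode without networking rather than a separate fault. The rows that survive step 3 (AFD, the TDI driver, nsiproxy) are the only ones worth chasing, and the repeated 3002 entries say the antivirus's real-time protection had been failing since at least 14/09.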
 
Welcome to TechSpot! I'll help with the redirect and also help find the 'hidden' files.

You left out a very important program- Malwarebytes: Please go back to the steps in the thread and run this: Step 2: Malwarebytes Anti-Malware

If you have run it, please leave the log. I suspect you have malware that puts an attribute on files, icons, etc. that makes them show 'missing.' After I see the log, I will give you a short program that may help. Please be sure to check the line for removal of entries found.
==================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you, including a Registry Cleaner or make changes in the Registry.
    [o] Please Do not Attach logs or put in code boxes
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.
If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
 
Hi Bobbye, thanks for the quick reply!

I forgot to mention in my post that I’m unable to install Malwarebytes on my computer since this infection. During the installation process for Malwarebytes I receive these messages saying:

“Access is denied”

“Setup was not completed.
Please correct the problem and run Setup again.”

It then says ‘Rolling back changes’ and closes the setup. I have tried installing this in normal mode and safe mode with no luck. I used to have Malwarebytes already installed on my computer but now the files are ‘missing’ and I’m unable to run it, maybe there is a way to access it?

Thanks for your help.
 
Sorry for the delay. Try running the following, then try MBAM again:
Please download randmbam.exe

It will try to create random names and shortcuts for Malwarebytes Anti-Malware (MBAM) if you have it installed already.

Once done, try running a scan again
========================================
If the above doesn't work, do the following:

Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.
  • Rkill.com
  • Rkill.scr
  • Rkill.pif
  • Rkill.exe
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run then try to immediately run the following>>>>.

Please download exeHelper by Raktor and save it to your desktop.
  • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
  • A black window should pop up, press any key to close once the fix is completed.
  • A log file called exehelperlog.txt will be created and should open at the end of the scan)
  • A copy of that log will also be saved in the directory where you ran exeHelper.com
  • Copy and paste the contents of exehelperlog.txt in your next reply.

Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).
===================================
And you can run the following and see if it will allow you to see the files on the hard drive:
Download Unhide.exe and save to the desktop.
  • Double-click on Unhide.exe icon to run the program.
  • This program will remove the +H, or hidden, attribute from all the files on your hard drives.

Note: This program does not remove malware itself. But it can make the files visible.
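Unhide.exe strips the Hidden attribute from every file on the drive, which also exposes items Windows hides on purpose. The script below is an added example of doing the same job selectively; it is not Unhide.exe and not from the thread. It assumes the user's data lives under the profile (pass -Root 'C:\' to sweep the whole drive), treats Hidden-without-System as the malware's mark, and leaves System-flagged items, desktop.ini/thumbs.db and everything under AppData alone. Without -Apply it only reports:

```powershell
# Added example: clear the Hidden attribute the malware set on user files, dry run by default.
# Run from an elevated PowerShell. Assumptions: user data is under the profile; items that are
# also System (NTUSER.DAT, $RECYCLE.BIN, junctions) or under AppData are Windows' own and skipped.
param(
    [string]$Root = $env:USERPROFILE,   # pass 'C:\' to sweep the whole drive
    [switch]$Apply                      # default is a dry run that only reports
)

$hidden = [IO.FileAttributes]::Hidden
$system = [IO.FileAttributes]::System

# Windows' own hidden files normally carry System as well; these two are the usual exceptions.
$knownHiddenNames = @('desktop.ini', 'thumbs.db')

$changes = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        (($_.Attributes -band $hidden) -ne 0) -and          # Hidden is set
        (($_.Attributes -band $system) -eq 0) -and          # but System is not
        ($knownHiddenNames -notcontains $_.Name.ToLower()) -and
        ($_.FullName -notlike '*\AppData\*')
    } |
    ForEach-Object {
        $before = $_.Attributes
        $after  = $before -bxor $hidden                     # flip only the Hidden bit
        if ($Apply) { $_.Attributes = $after }              # FileSystemInfo.Attributes is writable
        [pscustomobject]@{
            Path    = $_.FullName
            Before  = $before
            After   = $(if ($Apply) { $after } else { $before })
            Applied = [bool]$Apply
        }
    }

$changes | Format-Table -AutoSize
'{0} item(s) {1}' -f @($changes).Count, $(if ($Apply) { 'unhidden' } else { 'would be unhidden; re-run with -Apply' })
```

Run it once without -Apply and read the list: genuine user folders (Music, Pictures, Desktop shortcuts) should be there and nothing from Windows itself. Only then run it again with -Apply. As with Unhide.exe, this restores visibility but removes no malware, so it belongs after the cleaning steps, not instead of them.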
 
Hi,

Randmbam.exe seemed to work and I was able to run Malwarebytes, but I was a bit surprised with the results as no threats were found.

Rkill worked and I then ran exeHelper. Unhide.exe also returned my files, so thanks for that. The virus still seems present; here are the logs:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7796

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

25/09/2011 16:41:32
mbam-log-2011-09-25 (16-41-32).txt

Scan type: Quick scan
Objects scanned: 171753
Time elapsed: 5 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



exeHelper by Raktor
Build 20100414
Run at 16:56:31 on 09/25/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
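The exeHelper log above says it reset the .exe and .com associations and the Winlogon userinit and shell values, but it does not print what they are now. The PowerShell below is an added check, not part of exeHelper or of this thread: it compares those values against the Windows 7 32-bit defaults (an assumption; other Windows versions store slightly different strings) and then lists any Image File Execution Options "Debugger" entries, which is one common way malware stops a scanner such as MBAM or Rkill from launching:

```powershell
# Added example: confirm the values exeHelper resets are at their Windows 7 x86 defaults,
# then look for IFEO Debugger hijacks. Expected strings are assumptions for Windows 7 32-bit.
$checks = @(
    @{ Name = '.exe open command'; Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
       Value = '(default)'; Expect = '"%1" %*' },
    @{ Name = '.com open command'; Path = 'Registry::HKEY_CLASSES_ROOT\comfile\shell\open\command'
       Value = '(default)'; Expect = '"%1" %*' },
    @{ Name = 'Winlogon Userinit'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Value = 'Userinit'; Expect = 'C:\Windows\system32\userinit.exe,' },
    @{ Name = 'Winlogon Shell';    Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Value = 'Shell';    Expect = 'explorer.exe' }
)

$results = foreach ($c in $checks) {
    # Missing value or key is itself a finding, so report it instead of throwing.
    $actual = try {
        (Get-ItemProperty -LiteralPath $c.Path -Name $c.Value -ErrorAction Stop).($c.Value)
    } catch { '<missing>' }
    [pscustomobject]@{
        Check    = $c.Name
        Expected = $c.Expect
        Actual   = $actual
        OK       = ($actual -eq $c.Expect)   # -eq is case-insensitive, which is what we want here
    }
}
$results | Format-Table -AutoSize

# Image File Execution Options: a Debugger value under <program>.exe makes Windows start that
# "debugger" instead of the program. Legitimate tools use it too, so review each hit by hand.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -LiteralPath $ifeo | ForEach-Object {
    $dbg = (Get-ItemProperty -LiteralPath $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { [pscustomobject]@{ Program = $_.PSChildName; Debugger = $dbg } }
} | Format-Table -AutoSize
```

Any row with OK = False, or any Debugger entry pointing at a file you do not recognise (especially one under a user profile or %TEMP%), is worth pasting into the thread before the next scan: it explains both "Access is denied" during the MBAM install and why randmbam.exe's renamed copy was able to start when the real name was not.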
 
Good job! Since you're on a roll, let's see if we can get the following 2 scans:

Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or http://www.forospyware.com/sUBs/ComboFix.exe and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once installed, you should see a blue screen prompt that says:
    The Recovery Console was successfully installed.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
===========================================
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click the download link to get the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the ESET Smart Installer icon on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
======================================
I usually let a user run unhide just for the confidence reason of knowing the files are still on the system. We may have to run it again after the malware has been removed, but we'll cross that when we get to it!
 
Hi,

Had a problem with the ESET scan as it stopped half way through the first scan but 9 hours later I have the log. :D

Combo fix:

ComboFix 11-09-26.01 - P-jizzle 26/09/2011 13:23:09.1.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.44.1033.18.3070.2164 [GMT 1:00]
Running from: c:\users\P-jizzle\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\IFO_LOGICAL_VOLUME_IDENTIFIER.LOG
c:\programdata\MainApp.dll
c:\users\P-jizzle\AppData\Roaming\IDM\idmmzcc3
c:\users\P-jizzle\AppData\Roaming\IDM\idmmzcc3\chrome.manifest
c:\users\P-jizzle\AppData\Roaming\IDM\idmmzcc3\chrome\idmmzcc.jar
c:\users\P-jizzle\AppData\Roaming\IDM\idmmzcc3\components\idmmzcc.dll
c:\users\P-jizzle\AppData\Roaming\IDM\idmmzcc3\components\iIDMMzCC.xpt
c:\users\P-jizzle\AppData\Roaming\IDM\idmmzcc3\install.js
c:\users\P-jizzle\AppData\Roaming\IDM\idmmzcc3\install.rdf
c:\users\P-jizzle\AppData\Roaming\IDM\idmmzcc3\META-INF\manifest.mf
c:\users\P-jizzle\AppData\Roaming\IDM\idmmzcc3\META-INF\zigbert.rsa
c:\users\P-jizzle\AppData\Roaming\IDM\idmmzcc3\META-INF\zigbert.sf
c:\windows\system32\systeminfo3.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-08-26 to 2011-09-26 )))))))))))))))))))))))))))))))
.
.
2011-09-26 12:56 . 2011-09-26 12:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-09-26 11:59 . 2011-09-26 11:59 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C113A8F7-18BB-451E-8BD0-0211EB8D34AE}\MpKsl552df885.sys
2011-09-26 11:59 . 2011-09-26 11:59 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C113A8F7-18BB-451E-8BD0-0211EB8D34AE}\offreg.dll
2011-09-25 15:58 . 2011-09-12 23:14 7269712 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C113A8F7-18BB-451E-8BD0-0211EB8D34AE}\mpengine.dll
2011-09-20 12:42 . 2011-06-21 10:24 32768 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2011-09-15 22:59 . 2011-09-26 12:05 -------- d-----w- c:\users\P-jizzle\AppData\Local\CrashDumps
2011-09-12 22:04 . 2011-09-15 23:56 -------- d-----w- c:\users\P-jizzle\AppData\Local\Mozilla
2011-09-08 19:52 . 2011-09-15 23:52 -------- d-----w- c:\program files\Elaborate Bytes
2011-09-08 19:25 . 2011-09-08 19:48 81920 ----a-w- c:\users\P-jizzle\AppData\Roaming\ezpinst.exe
2011-09-08 19:25 . 2011-09-08 19:48 47360 ----a-w- c:\users\P-jizzle\AppData\Roaming\pcouffin.sys
2011-09-08 19:25 . 2011-09-08 19:48 -------- d-----w- c:\users\P-jizzle\AppData\Roaming\Vso
2011-09-08 19:25 . 2011-09-08 19:25 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2011-09-08 09:33 . 2010-11-30 10:43 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2011-09-08 09:33 . 2010-11-30 10:43 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E4F0EC0D-4936-432C-9B13-44AD288DB7C7}\gapaengine.dll
2011-09-07 10:55 . 2011-09-16 00:02 -------- d-----w- c:\program files\Adobe Download Assistant
2011-09-06 16:01 . 2011-09-06 16:01 -------- d-----w- c:\users\P-jizzle\AppData\Roaming\PDAppFlex
2011-09-06 15:59 . 2011-09-07 11:57 -------- d-----w- c:\programdata\regid.1986-12.com.adobe
2011-09-06 15:15 . 2011-09-06 15:15 -------- d-----w- c:\users\P-jizzle\AppData\Roaming\com.adobe.downloadassistant.AdobeDownloadAssistant
2011-08-27 15:55 . 2011-08-27 15:55 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-12 02:44 . 2011-08-24 00:12 7152464 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E5CE807D-FE57-4A93-A51B-19C26343E448}\mpengine.dll
2011-08-11 18:44 . 2011-08-26 21:16 7152464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-07-22 04:56 . 2011-08-10 14:24 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-16 04:37 . 2011-08-10 14:23 169984 ----a-w- c:\windows\system32\winsrv.dll
2011-07-16 04:34 . 2011-08-10 14:23 290816 ----a-w- c:\windows\system32\KernelBase.dll
2011-07-16 04:31 . 2011-08-10 14:23 271360 ----a-w- c:\windows\system32\conhost.exe
2011-07-16 04:19 . 2011-08-10 14:23 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 14:23 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 14:23 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 14:23 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 14:23 4096 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 14:23 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 14:23 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 14:23 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 14:23 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 14:23 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 14:23 3584 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 14:23 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 14:23 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 14:23 3072 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 14:23 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 14:23 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 14:23 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 14:23 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 14:23 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 14:23 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 14:23 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 14:23 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 14:23 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 14:23 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2011-07-16 02:21 . 2011-08-10 14:23 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:21 . 2011-08-10 14:23 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:21 . 2011-08-10 14:23 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:21 . 2011-08-10 14:23 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2011-07-09 13:44 . 2011-07-09 13:44 29184 ----a-r- c:\users\P-jizzle\AppData\Roaming\Microsoft\Installer\{21AE04E8-EBF6-40DB-9AA9-B7A80C5D057D}\Icon21AE04E8.exe
2011-07-09 04:30 . 2011-08-24 00:15 2048 ----a-w- c:\windows\system32\tzres.dll
2011-07-09 02:26 . 2011-08-10 14:24 222720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-07-07 09:30 . 2011-04-23 22:20 2301208 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2011-07-07 09:30 . 2010-10-16 18:43 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2011-06-30 22:16 . 2010-10-16 18:43 2588952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2011-06-30 22:16 . 2011-03-23 11:28 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2011-09-03 06:18 . 2011-09-12 22:04 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2010-01-29 3179952]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-04-28 149280]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"lxbkbmgr.exe"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2008-02-28 74408]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
.
c:\users\P-jizzle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [N/A]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 MpKsl3f6e9e65;MpKsl3f6e9e65;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B7FEA25B-064D-4E2C-8179-4665BE556DB2}\MpKsl3f6e9e65.sys [x]
R1 MpKsl7b6da6bd;MpKsl7b6da6bd;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B7FEA25B-064D-4E2C-8179-4665BE556DB2}\MpKsl7b6da6bd.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2011-09-08 47360]
R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-24 1343400]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-04-27 691696]
S1 MpKsl552df885;MpKsl552df885;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C113A8F7-18BB-451E-8BD0-0211EB8D34AE}\MpKsl552df885.sys [2011-09-26 28752]
S2 lxbk_device;lxbk_device;c:\windows\system32\lxbkcoms.exe [2008-02-19 537256]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL552DF885
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
Trusted Zone: tvcatchup.com
Trusted Zone: tvcatchup.com
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\P-jizzle\AppData\Roaming\Mozilla\Firefox\Profiles\rlc8f4j8.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-AdobeBridge - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3569515612-4175067792-3796432290-1001_Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):e4,26,63,70,90,df,2e,d3,af,22,b3,39,88,c8,b8,d9,e7,cb,35,36,e4,
10,fb,3d,a6,60,1b,f8,12,ca,a6,15,13,fa,57,b2,29,de,c8,70,00,00,00,00,00,00,\
.
[HKEY_USERS\S-1-5-21-3569515612-4175067792-3796432290-1001_Classes\CLSID\{bf97f5d2-492f-4a1f-9801-08764a99c3c0}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:000000ef
"Therad"=dword:0000001d
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-09-26 14:14:16
ComboFix-quarantined-files.txt 2011-09-26 13:14
.
Pre-Run: 151,062,781,952 bytes free
Post-Run: 151,333,388,288 bytes free
.
- - End Of File - - 5BB89289A0752D75939C49374F872B37




ESET Log:

C:\ProgramData\ReviverSoft\Registry Reviver\InstallCache\{2EFCA8FB-B863-4DDE-B7D0-4EB3152999EC}\Registry Reviver.msi a variant of Win32/SlowPCfighter application
C:\Users\All Users\ReviverSoft\Registry Reviver\InstallCache\{2EFCA8FB-B863-4DDE-B7D0-4EB3152999EC}\Registry Reviver.msi a variant of Win32/SlowPCfighter application
C:\Users\P-jizzle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\20edfb0d-71ef47ba a variant of Win32/Kryptik.SVJ trojan
C:\Users\P-jizzle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\41d89970-66c38ad6 a variant of Java/Agent.DP trojan
C:\Users\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.www.theviperfiles.com\CollectionKeyFinal\CollectionKeyFinal\CS4MCLG.EXE probably a variant of Win32/Spy.Agent.FFETUNH trojan
C:\Windows.old\Documents and Settings\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.www.theviperfiles.com\CollectionKeyFinal\CollectionKeyFinal\CS4MCLG.EXE probably a variant of Win32/Spy.Agent.FFETUNH trojan
C:\Windows.old\Users\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.www.theviperfiles.com\CollectionKeyFinal\CollectionKeyFinal\CS4MCLG.EXE probably a variant of Win32/Spy.Agent.FFETUNH trojan


Thanks again for your help!
 
Sorry- I'm running 3 days behind!

The viperfiles site is a warez site: Warez refers primarily to copyrighted works distributed without fees or royalties, and may be traded, in general violation of copyright law. So that will be piracy.

For Eset entries:
Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files 
    C:\ProgramData\ReviverSoft\Registry Reviver\InstallCache\{2EFCA8FB-B863-4DDE-B7D0-4EB3152999EC}\Registry Reviver.msi 
    C:\Users\All Users\ReviverSoft\Registry Reviver\InstallCache\{2EFCA8FB-B863-4DDE-B7D0-4EB3152999EC}\Registry Reviver.msi 
    C:\Users\P-jizzle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\20edfb0d-71ef47ba 
    C:\Users\P-jizzle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\41d89970-66c38ad6 
    C:\Users\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.http://www.theviperfiles.com\Collect...al\CS4MCLG.EXE 
    C:\Windows.old\Documents and Settings\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.http://www.theviperfiles.com\Collect...al\CS4MCLG.EXE 
    C:\Windows.old\Users\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.http://www.theviperfiles.com\Collect...al\CS4MCLG.EXE 
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
====================================
To clear the Java Plug-in cache:

  • [1]. Click Start > Control Panel.
    [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
    [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
    [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
    [5]. Click OK on Delete Temporary Files window.
    Note: This deletes all the Downloaded Applications and Applets from the cache.
    [6]. Click Apply> OK on Temporary Files Settings window.
Images courtesy java.com
====================================
Download CKScanner and save to your desktop.
  • Double-click CKScanner.exe and click Search For Files.
  • When the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents
    in your next reply.
====================================
I'll be back with script for Combofix.
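The Java cache steps above empty the cache through the Java Control Panel. As an added example that is not part of this post or of Java's own tooling, the same cache can be inventoried from PowerShell before it is emptied, so that the hash of each cached item and the URL it was downloaded from are on record: every cached applet or JAR in that folder is a data file with a sibling "<name>.idx" index, and the index stores the download URL. Assumptions: the Java 6 cache layout under %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\cache that the ESET paths above show, a 32-bit Windows where the JavaSoft registry key is not under Wow6432Node, and a URL that is ASCII-readable inside the undocumented .idx format. The -Purge switch and the function names are this example's own.

```powershell
# Added example, not from the thread or from Java's own tooling: inventory the
# Java Deployment cache (where ESET found the Java/Agent and Kryptik hits) before
# emptying it, recording each cached item's hash and the URL it was fetched from.
# Every cached applet or JAR is a data file with a sibling "<name>.idx" index;
# the index holds the download URL as plain text.
# ASSUMPTIONS: Java 6 cache layout under %USERPROFILE%\AppData\LocalLow, 32-bit
# Windows (JavaSoft key not under Wow6432Node), ASCII-readable URL in the .idx.
param([switch]$Purge)

$cacheRoot = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\cache'

function Get-InstalledJavaVersion {
    # CurrentVersion under the JavaSoft key; $null when no JRE is installed.
    $key = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment'
    if (Test-Path $key) { (Get-ItemProperty -Path $key).CurrentVersion } else { $null }
}

function Get-Sha256Hex ([string]$Path) {
    # .NET SHA256 rather than Get-FileHash, which Windows 7's PowerShell 2.0 lacks.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

function Get-OriginUrl ([string]$IdxPath) {
    # First URL-looking token in the .idx; $null if there is no index or no URL.
    if (-not (Test-Path -LiteralPath $IdxPath)) { return $null }
    $text = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($IdxPath))
    $m = [regex]::Match($text, 'https?://[\x21-\x7e]+')
    if ($m.Success) { $m.Value } else { $null }
}

function Get-JavaCacheInventory {
    if (-not (Test-Path $cacheRoot)) { return @() }
    Get-ChildItem -Path $cacheRoot -Recurse -Force |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -ne '.idx' -and $_.Length -gt 0 } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Written   = $_.LastWriteTime
                SizeBytes = $_.Length
                Sha256    = Get-Sha256Hex $_.FullName
                OriginUrl = Get-OriginUrl ($_.FullName + '.idx')
                Path      = $_.FullName
            }
        }
}

$jre = Get-InstalledJavaVersion
Write-Output ('Installed JRE: {0}' -f $(if ($jre) { $jre } else { 'none' }))

$items = @(Get-JavaCacheInventory)
Write-Output ('Cached items: {0}' -f $items.Count)
$items | Sort-Object Written -Descending |
    Format-Table Written, SizeBytes, OriginUrl, Sha256, Path -AutoSize

if ($Purge) {
    # Same effect as Java Control Panel > Settings > Delete Files: remove every
    # cached item and its index so a later scan has nothing left to flag.
    Get-ChildItem -Path $cacheRoot -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        Remove-Item -Force -ErrorAction SilentlyContinue
    Write-Output 'Java cache emptied.'
}
```

Run it once without -Purge and keep the table (the OriginUrl column is what identifies the site that served the cached item), then run it with -Purge, or use the Control Panel steps above, before re-scanning.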
 
All processes killed
Error: Unable to interpret <C:\ProgramData\ReviverSoft\Registry Reviver\InstallCache\{2EFCA8FB-B863-4DDE-B7D0-4EB3152999EC}\Registry Reviver.msi > in the current context!
Error: Unable to interpret <C:\Users\All Users\ReviverSoft\Registry Reviver\InstallCache\{2EFCA8FB-B863-4DDE-B7D0-4EB3152999EC}\Registry Reviver.msi > in the current context!
Error: Unable to interpret <C:\Users\P-jizzle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\20edfb0d-71ef47ba > in the current context!
Error: Unable to interpret <C:\Users\P-jizzle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\41d89970-66c38ad6 > in the current context!
Error: Unable to interpret <C:\Users\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.Deleted > in the current context!
Error: Unable to interpret <C:\Windows.old\Documents and Settings\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.Deleted > in the current context!
Error: Unable to interpret <C:\Windows.old\Users\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.Deleted\ > in the current context!
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56468 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: P-jizzle
->Temp folder emptied: 1688953 bytes
->Temporary Internet Files folder emptied: 2143822728 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 26192833 bytes
->Apple Safari cache emptied: 20119552 bytes
->Flash cache emptied: 3197866 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3826 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 2,093.00 mb


OTM by OldTimer - Version 3.1.18.0 log created on 10012011_180607

Files moved on Reboot...
File C:\Users\P-jizzle\AppData\Local\Temp\flaFC67.tmp not found!
File C:\Users\P-jizzle\AppData\Local\Temp\~DF16983220160AAB59.TMP not found!
File C:\Users\P-jizzle\AppData\Local\Temp\~DF2A4EF2ED5D3642BE.TMP not found!
File C:\Users\P-jizzle\AppData\Local\Temp\~DF606B35E61204BFE7.TMP not found!
File C:\Users\P-jizzle\AppData\Local\Temp\~DFFE8EAE06FBB09552.TMP not found!

Registry entries deleted on Reboot...


CKScanner - Additional Security Risks - These are not necessarily bad
c:\program files\adobe\adobe dreamweaver cs5.5\configuration\taglibraries\html\keygen.vtm
c:\users\p-jizzle\documents\downloads\compressed\idk4kc.viper3773.Deleted
c:\users\p-jizzle\documents\downloads\compressed\idk4kc.viper3773.Deleted
c:\users\p-jizzle\documents\downloads\compressed\idk4kc.viper3773.Deleted
c:\users\p-jizzle\documents\downloads\compressed\idk4kc.viper3773.Deleted
c:\users\p-jizzle\documents\downloads\compressed\idk4kc.viper3773.Deleted
c:\users\p-jizzle\documents\downloads\compressed\idk4kc.viper3773.Deleted
c:\users\p-jizzle\favorites\adobe dreamweaver cs4 final + keygen + portable warez-bb.org.url
c:\users\p-jizzle\favorites\adobe dreamweaver cs4 full ~ 345mb ~ keygen ~ installation warez-bb.org.url
c:\users\p-jizzle\favorites\adobe photoshop cs4 extended final + keygen + portable warez-bb.org.url
c:\users\p-jizzle\favorites\[mu-fs] avatar [eng]+[multi 7] [2009] 1gb-4dl+keygen warez-bb.org.url
c:\windows.old\users\p-jizzle\documents\downloads\compressed\wallpaper_pack_keygen.rar
c:\windows.old\users\p-jizzle\favorites\adobe dreamweaver cs4 final + keygen + portable warez-bb.org.url
c:\windows.old\users\p-jizzle\favorites\adobe photoshop cs4 extended final + keygen + portable warez-bb.org.url
scanner sequence 3.JD.11.GQAPTI
----- EOF -----
 
If you want to continue support, please remove the pirated programs:
Adobe Photoshop CS4
Adobe Dreamweaver

And any warez links.
 
Hi Bobbye,

Latest CKS log:

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11.HSABIE
----- EOF -----

Thanks
 
Okay, you're getting there. Please update and run the Eset scan again so we can make sure none of those infected entries remain.
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on the ESET Smart Installer download link to download the ESET Smart Installer. Save it to your desktop.
    [o] Double-click on the esetsmartinstaller icon on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

Please post the entire log with heading resembling this:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=1

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
 
Hi,

Please see ESET log below:

C:\Users\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.www.theviperfiles.com\CollectionKeyFinal\CollectionKeyFinal\CS4MCLG.EXE probably a variant of Win32/Spy.Agent.FFETUNH trojan
C:\Windows.old\Documents and Settings\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.www.theviperfiles.com\CollectionKeyFinal\CollectionKeyFinal\CS4MCLG.EXE probably a variant of Win32/Spy.Agent.FFETUNH trojan
C:\Windows.old\Users\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.www.theviperfiles.com\CollectionKeyFinal\CollectionKeyFinal\CS4MCLG.EXE probably a variant of Win32/Spy.Agent.FFETUNH trojan
C:\_OTM\MovedFiles\10012011_180012\C_ProgramData\ReviverSoft\Registry Reviver\InstallCache\{2EFCA8FB-B863-4DDE-B7D0-4EB3152999EC}\Registry Reviver.msi a variant of Win32/SlowPCfighter application
C:\_OTM\MovedFiles\10012011_180012\C_Users\P-jizzle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\20edfb0d-71ef47ba a variant of Win32/Kryptik.SVJ trojan
C:\_OTM\MovedFiles\10012011_180012\C_Users\P-jizzle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\41d89970-66c38ad6 a variant of Java/Agent.DP trojan


Note: I have already deleted the top one, the strange thing is I couldn't actually see it on my desktop.
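Three of the six paths in the ESET log above sit under C:\_OTM\MovedFiles\..., the folder OTM moves files into, and two more are under C:\Windows.old, the previous Windows installation. As an added example that is not part of this thread or of ESET or OTM, the following PowerShell snippet sorts an ESET result list by where each hit lives before deciding what still needs a removal step. The four sample lines are copied from the log above; the location categories and the regular expressions are this example's own.

```powershell
# Added example, not from the thread or from ESET/OTM: sort an ESET Online
# Scanner result list by where each hit lives, so files already moved by OTM
# and leftovers in Windows.old are not mistaken for a live infection.
# Sample input: four lines copied from the poster's ESET log (constructed input
# for the example, not a fresh scan).

$esetLog = @'
C:\Users\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.www.theviperfiles.com\CollectionKeyFinal\CollectionKeyFinal\CS4MCLG.EXE probably a variant of Win32/Spy.Agent.FFETUNH trojan
C:\Windows.old\Users\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.www.theviperfiles.com\CollectionKeyFinal\CollectionKeyFinal\CS4MCLG.EXE probably a variant of Win32/Spy.Agent.FFETUNH trojan
C:\_OTM\MovedFiles\10012011_180012\C_ProgramData\ReviverSoft\Registry Reviver\InstallCache\{2EFCA8FB-B863-4DDE-B7D0-4EB3152999EC}\Registry Reviver.msi a variant of Win32/SlowPCfighter application
C:\_OTM\MovedFiles\10012011_180012\C_Users\P-jizzle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\20edfb0d-71ef47ba a variant of Win32/Kryptik.SVJ trojan
'@

function Get-HitLocation ([string]$Path) {
    # Location categories are this example's own; first match wins.
    switch -Regex ($Path) {
        '^[A-Z]:\\_OTM(oveIt)?\\MovedFiles\\'                    { 'otm-quarantine'; break }
        '^[A-Z]:\\Windows\.old\\'                                { 'windows.old'; break }
        '\\Sun\\Java\\Deployment\\cache\\'                       { 'java-cache'; break }
        '\\AppData\\Local\\Temp\\|\\Temporary Internet Files\\'  { 'temp'; break }
        default                                                  { 'live' }
    }
}

function ConvertFrom-EsetLog ([string]$Text) {
    # Each line reads "<path> [probably ]a variant of <family> <class>"; the path
    # may contain spaces, so it is matched lazily up to the verdict.
    $pattern = '^(?<path>.+?)\s+(?<verdict>(?:probably )?a variant of (?<family>\S+) (?<class>\w+))\s*$'
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match $pattern) {
            New-Object PSObject -Property @{
                Location = Get-HitLocation $Matches.path
                Class    = $Matches.class
                Family   = $Matches.family
                Verdict  = $Matches.verdict
                Path     = $Matches.path
            }
        }
    }
}

$hits = @(ConvertFrom-EsetLog $esetLog)
$hits | Sort-Object Location, Path | Format-Table Location, Class, Family, Path -AutoSize

# Only 'live' hits need a removal step. The others are copies a tool already
# moved, a previous installation that can be deleted whole, or a cache that is
# simply emptied; they still show up until that folder itself is cleaned.
$live = @($hits | Where-Object { $_.Location -eq 'live' })
Write-Output ('Live hits needing action: {0}' -f $live.Count)
$live | ForEach-Object { Write-Output ('  ' + $_.Path) }
```

To use it on a real scan, replace the here-string with Get-Content of the exported ESETScan text file. With the sample lines, one hit is classified as live (the CS4MCLG.EXE on the current desktop), one as windows.old and two as otm-quarantine.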
 
If you want to continue support, please remove the pirated programs:
Adobe Photoshop CS4
Adobe Dreamweaver
========================
There are new entries in Eset from the same source> ADCS4.Kg.Viper3773
This is a keygen for CS4. Please remove all entries for this file and CS4 as it is pirated.

From Microsoft:
This threat is classified as a Trojan - Backdoor. A backdoor trojan provides remote, usually surreptitious, access to affected systems. A backdoor trojan may be used to conduct distributed denial of service (DDoS) attacks, or it may be used to install additional trojans or other forms of malicious software. For example, a backdoor trojan may be used to install a downloader or dropper trojan, which may in turn install a proxy trojan used to relay spam or a keylogger trojan which monitors and sends keystrokes to remote attackers. A backdoor Trojan may also open ports on the affected system and thus potentially lead to further compromise by other attackers.
======================================
Last time:
Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files  
    C:\Users\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.http://www.theviperfiles.com\Collect...al\CS4MCLG.EXE 
    C:\Windows.old\Documents and Settings\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.http://www.theviperfiles.com\Collect...al\CS4MCLG.EXE 
    C:\Windows.old\Users\P-jizzle\Desktop\desktop\ADCS4.Kg.Viper3773.http://www.theviperfiles.com\Collect...al\CS4MCLG.EXE 
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log).
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
 
I'm not sure why Eset has discovered 'New entries' as I have hardly used this machine since the virus started and have most definitely not installed any new programs as advised by this forum.

I have deleted the files now but when I try to run OTM the following message appears:

"Invalid time flag! [ www.theviperfiles.com\Collect...al\CS4MCLG.EXE
Must be numerical"

I then click OK and the screen is empty including the windows taskbar so I have to restart the computer via control, alt, delete. Any ideas why this is happening?
 
Apparently the source of the malware is still on the system. You will need to remove all software gathered through warez, including the programs you pirated.
 
Hi,

I'm still receiving the same 'invalid time' message and I also now have several short cut files everywhere and several 'desktop.ini' files in random folders.

I have tried a number of searches to find these files and they do not seem to exist anymore so not sure why the invalid time message is still occurring when trying to run OTM.

I have even deleted legit versions of CS5 and completely removed the desktop folder under 'windows.old'.

Is this the only virus I have left?
Can I also ask why we Unchecked 'Remove found threats' when running the ESET scan?

Thanks for your help so far.
 
Can I also ask why we Unchecked 'Remove found threats' when running the ESET scan?
You can. It's because I use OTM to remove them, which also removes other unneeded files in the system, including temporary internet files.

Please right click on the Clock, lower right> Adjust Date/Time, make sure all of the settings are correct and on the Internet Time tab, click on Check now.
=========================================
Click on Start> Control Panel> Display> Desktop> Customize Desktop> Web tab> uncheck and delete everything you find in there (except for "My current home page")> Also remove the check mark from the Lock Desktop Items box if it is checked> Apply> OK> Close.
=========================================
Click on Start> Control Panel> Folder Options> View tab> Check 'don't show hidden files & folders'> Check 'hide protected system files (Recommended)'> Apply> OK
=======================================
Reboot the computer and see if the desktop.ini files are gone.
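The Folder Options step above works because the files Windows treats as "protected operating system files" are those carrying both the Hidden and the System attribute, and a desktop.ini written by Windows carries both. As an added example that is not part of this post or of any tool used in this thread, the PowerShell snippet below lists the desktop.ini files in the user and Public profiles that lack that attribute pair, and resolves every .lnk shortcut's target so that the ones pointing at something odd (a launcher that runs a file named in its arguments, an executable under a temp or profile folder or on a removable drive, or a target that no longer exists) stand out from ordinary shortcuts. The heuristics, thresholds and function names are this example's own assumptions, not findings about the poster's machine.

```powershell
# Added example, not from the thread or from any tool used in it: separate
# Windows' own desktop.ini files and ordinary shortcuts from ones that deserve
# a closer look. A desktop.ini written by Windows carries the Hidden and System
# attributes (which is why re-enabling "hide protected operating system files"
# makes them disappear again). The shortcut heuristics are this example's own.

$roots = @($env:USERPROFILE, $env:PUBLIC) | Where-Object { $_ -and (Test-Path $_) }
$shell = New-Object -ComObject WScript.Shell

function Test-HasAttribute ([System.IO.FileSystemInfo]$Item, [System.IO.FileAttributes]$Flag) {
    return (([int]$Item.Attributes) -band ([int]$Flag)) -ne 0
}

function Get-OddDesktopIni {
    # desktop.ini files that are NOT both Hidden and System: unusual for Windows' own.
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Recurse -Force -Filter 'desktop.ini' -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            Where-Object { -not ((Test-HasAttribute $_ 'Hidden') -and (Test-HasAttribute $_ 'System')) } |
            Select-Object FullName, Attributes, LastWriteTime
    }
}

function Test-RemovableDrive ([string]$Path) {
    try {
        $root = [System.IO.Path]::GetPathRoot($Path)
        if (-not $root -or $root.StartsWith('\\')) { return $false }
        return (New-Object System.IO.DriveInfo($root)).DriveType -eq [System.IO.DriveType]::Removable
    } catch { return $false }
}

function Get-ShortcutConcern ([string]$Target, [string]$Arguments) {
    # Returns a reason string, or $null when the shortcut looks ordinary.
    if ([string]::IsNullOrEmpty($Target)) { return $null }   # advertised (MSI) shortcuts have no plain target
    $exeLike = '\.(exe|scr|com|pif|bat|cmd|vbs|js|wsf)$'
    if (($Target -match '\\(cmd|rundll32|wscript|cscript|mshta|powershell)\.exe$') -and
        ($Arguments -match '\.(exe|dll|vbs|js|bat|cmd|hta)\b')) {
        return 'launcher shortcut: runs a file named in its arguments'
    }
    if (($Target -match $exeLike) -and ($Target -match '\\(Temp|AppData|ProgramData|RECYCLER|\$RECYCLE\.BIN)\\')) {
        return 'executable under a temp/profile folder'
    }
    if (($Target -match $exeLike) -and (Test-RemovableDrive $Target)) {
        return 'executable on a removable drive'
    }
    if (-not (Test-Path -LiteralPath $Target)) { return 'target missing' }
    return $null
}

function Get-SuspiciousShortcuts {
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Recurse -Force -Filter '*.lnk' -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                $lnk = $null
                try { $lnk = $shell.CreateShortcut($_.FullName) } catch { return }   # skip unreadable .lnk
                $why = Get-ShortcutConcern $lnk.TargetPath $lnk.Arguments
                if ($why) {
                    New-Object PSObject -Property @{
                        Written   = $_.LastWriteTime
                        Why       = $why
                        Shortcut  = $_.FullName
                        Target    = $lnk.TargetPath
                        Arguments = $lnk.Arguments
                    }
                }
            }
    }
}

Write-Output '--- desktop.ini files lacking the Hidden+System attribute pair ---'
Get-OddDesktopIni | Format-Table -AutoSize
Write-Output '--- shortcuts with unusual targets ---'
Get-SuspiciousShortcuts | Sort-Object Written -Descending |
    Format-Table Written, Why, Shortcut, Target, Arguments -AutoSize
```

Expect some noise in the second table (per-user installs under AppData and shortcuts to uninstalled programs both trigger it); the point is the Target and Arguments columns, which show what a shortcut actually runs regardless of its name or icon.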
 
Hi again,

When I follow your instruction for the clock, it says on the internet time tab - "this computer is set to automatically synchronize with 'time.windows.com'." and there is no option to 'check now'.

I also tried following your instructions for step two, but once I get to Control Panel I do not have the option to select 'Display'. Is this because I'm using Windows 7?
 
Hi,

I managed to find 'Folder Options' tab in regards to the 3rd step you gave me and now the desktop.ini files and other short cut files have gone so thanks for that. :D

Just the malware issue now. Is this the only virus I have now, 'ADCS4.Kg.Viper3773'?
 
"this computer is set to automatically synchronize with 'time.windows.com'." and there is no option to 'check now'.

Click on Update now to the right of the server name box.
--------------------------
Sorry, I can't find the corresponding function for Desktop> Customize Desktop> Web tab in Win 7. But if the desktop.ini is gone, you should be okay. Sometimes I forget to check which OS I'm working with!
==================================
It's not just a question of getting rid of this one item: If you have any shortcuts like bookmarks or favorites for theviperfiles, they need to be deleted. Any sites you have saved for warez downloads need to be removed.

Then I'd like you to uninstall OTM. Reboot the computer and run a new Eset scan.
 
Hi again,

I was unable to run the previous 'move it' request on OTM but I have now uninstalled OTM and run a new ESET scan.

C:\Users\P-jizzle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\58b789d8-420f4b4b a variant of Java/Agent.DT trojan
C:\Users\P-jizzle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\58b789d8-4da28a2d a variant of Java/Agent.DT trojan
C:\Users\P-jizzle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\58b789d8-731c5ca3 a variant of Java/Agent.DT trojan
C:\Users\P-jizzle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\58b789d8-753451fc a variant of Java/Agent.DT trojan
C:\Users\P-jizzle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\58b789d8-7879bf96 a variant of Java/Agent.DT trojan


Is the Java trojan related to the previous warez virus?

Thanks for your help
 
I don't know the source for these entries, but they are in the Java cache. This usually happens when there is/are outdated Java on the system. If you updated Java and cleared the cache as previously instructed, then the source of the malware is still on the system:

Clear the cache again. Reboot, then run the Eset scan.

======================================
Have you removed all shortcuts, bookmarks, history, cookies connected to the warez downloads? Let's check>>> be sure to check the line to remove the entries found:

SuperAntiSpyware Home Edition Free Version
  • Please download SuperAntiSpyware from HERE
  • Launch SuperAntiSpyware and click on 'Check for updates'.
  • Wait for the updates to be installed
  • On the main screen click on 'Scan your computer'.
  • Check 'Perform Complete Scan', then click 'Next' to start the scan.
  • SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
  • Make sure everything found has a checkmark next to it, then press 'Next'.
  • Click on 'Finish' when you're done.
It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
  • Click on 'Preferences'.
  • Click on the 'Statistics/Logs' tab.
  • Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad. Paste the contents of the Notepad file in your reply.
 
Hi Bobbye,

I cleared the cache again and ran the ESET scan which returned no viruses. I think the computer is clean now, here is the SuperAntiSpyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/28/2011 at 01:36 PM

Application Version : 5.0.1134

Core Rules Database Version : 7846
Trace Rules Database Version: 5658

Scan type : Complete Scan
Total Scan Time : 00:41:32

Operating System Information
Windows 7 Professional 32-bit (Build 6.01.7600)
UAC Off - Administrator

Memory items scanned : 680
Memory threats detected : 0
Registry items scanned : 38244
Registry threats detected : 0
File items scanned : 50823
File threats detected : 2

Adware.Tracking Cookie
C:\Users\P-jizzle\AppData\Roaming\Microsoft\Windows\Cookies\AQ8ZBZMQ.txt [ /careers.peopleclick.com ]
C:\USERS\P-JIZZLE\Cookies\AQ8ZBZMQ.txt [ Cookie:p-jizzle@careers.peopleclick.com/ ]

Thanks
 
Okay, but you're still getting Tracking Cookies, so do this first:

Reset Cookies

For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')

I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
AdBlock Plus
Easy List

For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
(First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)
===============================
Remove all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
    [o] Click START> then RUN
    [o] Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
    [o] Double click OTCleanIt.exe.
    [o] Click the CleanUp! button.
    [o] If you are prompted to Reboot during the cleanup, select Yes.
    [o]The tool will delete itself once it finishes.
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
  • Set a new, clean Restore Point
    [o] Click on Start> right click on Computer> Properties
    [o] Select System Protection
    [o] Click on the Create button (near bottom)
    [o] Type a name for the Restore Point
    [o] Click on Create again to save the restore point.
  • Deleting all but the most recent System Protection point in Windows 7
    [o] Click Start> Computer> right click the C Drive and choose Properties> enter.
    [o] Click Disk Cleanup from there.
    [o] Click Clean up system files
    This restarts Disk Cleanup to run in elevated mode.
    [o] Click the More Options tab
    [o] Click the Clean up under System Restore and Shadow Copies.
    [o] Click OK.
    [o] You will get a confirmation screen> Just click Delete.
    [o] Click OK on the Disk Cleanup Screen.
    [o] Click Delete Files on the Confirmation screen.
This runs the Disk Cleanup utility along with other selections if you have chosen any. (if you had a lot System Restore points, you will see a significant change in the free space in C drive)
Images courtesy lytebyte.

Empty the Recycle Bin
==========================================
Just a comment about pirating programs: Doing this is like breaking and entering and stealing merchandise. The only differences are that there are sites like Warez and torrent sites that give you the 'key' to open the door and no one 'sees' you steal! ALL pirating comes with a malware price!
 