
Documents and Programs files are hidden - GMER scans the 'missing' files


Old 05-31-2011, 01:51 PM   #1
esecan, Registered Member
Join Date: Oct 2009
Posts: 62
OS: XP

My wife received a popup box warning about a problem with the hard drive. She called me over and we didn't click OK but the damage must have already been done.

All of the files appear to be gone. All of the program files and documents that should be in My Documents appear empty. Thankfully I could see GMER scanning all of these missing files, so it looks like they are just hidden. I am not taking any action to recover these as I know how that can cause other virus issues, so I am just waiting for help.

The computer seems to be working OK in that I have internet access and the programs that show up in the upper left of the start menu can be launched (IE, Outlook, and a Bridge Game that I play) but all of the other 'All Programs' appear empty.

Attached are the log files. I couldn't send a zip file due to the computer issue, so I am attaching the txt files.

DDS Log

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Run by Erik at 12:34:36 on 2011-05-31
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.347 [GMT -4:00]
.
AV: Webroot AntiVirus with Spy Sweeper *Enabled/Updated* {77E10C7F-2CCA-4187-9394-BDBC267AD597}
.
============== Running Processes ===============
.
C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Webroot\Security\current\plugins\antimalware\AEI.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\PROGRAM FILES\JAVA\JRE6\BIN\JUSCHED.EXE
C:\PROGRAM FILES\GOOGLE\GOOGLE DESKTOP SEARCH\GOOGLEDESKTOP.EXE
C:\PROGRAM FILES\GOOGLE\GOOGLE DESKTOP SEARCH\GoogleDesktop.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRAM FILES\JAVA\JRE6\BIN\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Erik\Desktop\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://cm.my.yahoo.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-inc/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-inc/en/side.html?channel=us
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-inc/en/side.html?channel=us
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [updateMgr] "c:\program files\adobe\adobe acrobat 7.0\acrobat\AdobeUpdateManager.exe" AcPro7_0_9 -reboot 1
uRun: [Google Update] "c:\documents and settings\erik\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\iaanotif.exe"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [WinPatrol] "c:\program files\billp studios\winpatrol\WinPatrol.exe" -expressboot
mRun: [SigmatelSysTrayApp] "stsystra.exe"
mRun: [WebrootTrayApp] "c:\program files\webroot\security\current\framework\WRTray.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [QuickTime Task] "c:\program files\quicktime\QTTASK.EXE" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.evite.com/html/imageUpload/ImageUploader5.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {895D1291-D5BD-4982-BA84-AD11D29C1D6A} - hxxp://community.weightwatchers.com/Scripts/ImageUploader6.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://jda.webex.com/client/WBXclient-T27L10NSP25-10481/webex/ieatgpc.cab
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\erik\application data\mozilla\firefox\profiles\kvc154hl.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\documents and settings\debbie\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\erik\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\erik\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\erik\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\adobe\adobe acrobat 7.0\acrobat\browser\nppdf32.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.
============= SERVICES / DRIVERS ===============
.
R2 ssfmonm;ssfmonm;c:\windows\system32\drivers\ssfmonm.sys [2010-11-12 45072]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2008-1-21 1373480]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\security\current\plugins\antimalware\AEI.exe [2010-11-12 3899008]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\security\current\framework\WRConsumerService.exe [2011-3-30 3251928]
S0 AFPAnsi;Alfa File Protector Ansi;c:\windows\system32\drivers\afpansi.sys --> c:\windows\system32\drivers\AFPAnsi.sys [?]
S4 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-12-8 30192]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-5-21 136176]
.
=============== Created Last 30 ================
.
2011-05-31 15:36:43 416768 ---ha-w- c:\documents and settings\all users\application data\AhGkYJyFIC.exe
2011-05-23 14:52:48 -------- d-----w- c:\program files\iPod
2011-05-23 14:52:21 -------- d-----w- c:\program files\iTunes
2011-05-23 14:38:38 -------- d-----w- c:\program files\Bonjour
.
==================== Find3M ====================
.
2011-04-06 20:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 20:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 12:36:10.57 ===============
Attached files: ark.txt (12.5 KB), attach.txt (17.4 KB)

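As an added, illustrative example (not part of this thread and not a tool the helpers use): a small triage script for the DDS line formats shown in the log above. It parses the "Created Last 30"/Find3M file entries and the mPolicies lines and flags the two indicators a reviewer would look at first here: a hidden executable dropped into a shared Application Data folder, and DisableTaskMgr set to 1. The sample log is constructed from this thread's format, and the meaning of the flag letters (leading `d` for a directory, `h` for the hidden attribute) is assumed from the log lines themselves.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the DDS line formats seen in this thread (a policy line,
# a section header, the '.' separator, and a few file entries).
SAMPLE_DDS = """\
mPolicies-system: DisableTaskMgr = 1 (0x1)
============== Created Last 30 ================
.
2011-05-31 15:36:43 416768 ---ha-w- c:\\documents and settings\\all users\\application data\\AhGkYJyFIC.exe
2011-05-23 14:52:48 -------- d-----w- c:\\program files\\iPod
2011-04-06 20:20:16 91424 ----a-w- c:\\windows\\system32\\dnssd.dll
2011-04-06 20:20:16 107808 ----a-w- c:\\windows\\system32\\dns-sd.exe
"""

# "<date> <time> <size or dashes> <8 flag characters> <path>"
FILE_LINE = re.compile(
    r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+"
    r"(?P<flags>[a-z-]{8})\s+"
    r"(?P<path>.+)$"
)
# "uPolicies-<hive>: <name> = <value> ..." / "mPolicies-<hive>: ..."
POLICY_LINE = re.compile(
    r"^(?P<scope>[um])Policies-(?P<hive>[^:]+): (?P<name>\S+) = (?P<value>\S+)"
)

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif")
# Folders where a newly created, hidden executable is unusual for legitimate software.
DATA_ROOTS = (
    "\\all users\\application data\\",
    "\\application data\\",
    "\\local settings\\",
    "\\temp\\",
)


@dataclass
class Finding:
    rule: str
    detail: str


def parse_file_line(line: str) -> Optional[dict]:
    """Parse one DDS file entry; return None for headers, '.' separators, etc."""
    m = FILE_LINE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return {"when": m["when"], "size": size, "flags": m["flags"], "path": m["path"]}


def is_suspicious_hidden_exe(entry: dict) -> bool:
    # Assumption about the flag field: a leading 'd' marks a directory and an 'h'
    # anywhere marks the hidden attribute (as in '---ha-w-' on the dropped file above).
    flags = entry["flags"]
    if flags[0] == "d" or "h" not in flags:
        return False
    path = entry["path"].lower()
    return path.endswith(EXEC_EXT) and any(root in path for root in DATA_ROOTS)


def triage(log_text: str) -> List[Finding]:
    """Walk a DDS log and return the indicators worth a reviewer's attention first."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        pm = POLICY_LINE.match(line)
        if pm:
            # A policy that locks Task Manager is consistent with rogue "system
            # repair" programs that do not want the user to end their process.
            if pm["name"].lower() == "disabletaskmgr" and pm["value"] == "1":
                findings.append(Finding("task-manager-disabled", line))
            continue
        entry = parse_file_line(line)
        if entry is not None and is_suspicious_hidden_exe(entry):
            findings.append(Finding("hidden-executable-in-data-folder", entry["path"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.rule}] {f.detail}")
```

Only the two indicators discussed in this thread are checked; the ComboFix log format later in the thread uses a different line layout and is not parsed here.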
Old 05-31-2011, 04:13 PM   #2
Nistlerooy, Security Team, Trainee IV
Join Date: Dec 2007
Location: San Francisco, CA
Posts: 2,367
OS: Windows XP MCE

Hello and welcome to TSF. My name is Taylor and I'll be helping you with your fix.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please be patient with me during this time.

__________________
If I am helping you with a Virus/Malware fix and have not responded within 36 hours, please PM me.
NOTE: I do not offer help of any kind via Private Messages. Please post your questions in the appropriate forum.

Old 06-01-2011, 08:44 PM   #3
Nistlerooy, Security Team, Trainee IV
Join Date: Dec 2007
Location: San Francisco, CA
Posts: 2,367
OS: Windows XP MCE

Hi again esecan. Sorry for the delay.

If you haven't done so already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. You may want to print and/or save the following instructions in Notepad as this webpage will not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back it up now just as a precaution.

------------------------------------------------------

**Read through these instructions in their entirety BEFORE executing them.** If you have any questions or are unsure about any of the following instructions PLEASE ASK for clarification before continuing. You may want to copy this page to notepad or print it as it will not be available while you run ComboFix.

Download ComboFix from one of the following locations:

* IMPORTANT !!! Place combofix.exe on your Desktop

Disable your AntiVirus and AntiSpyware applications as they may interfere with ComboFix. You can normally do this by right clicking on the System Tray icon. If you have difficulty properly disabling your protective programs, refer to this link.

Close all open browsers and windows and double click on combofix.exe & follow the prompts.
  • The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
  • ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. It will be a new screen you see on bootup which will last only a few seconds. You do not have to press or do anything for Windows to load normally. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to do so by a helper.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.

  • Click on Yes, to continue scanning for malware.

** NOTE: Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This, too, is normal.

When finished it will produce a log for you (C:\ComboFix.txt). Please include this log in your next reply.

Do not mouse-click Combofix's window while it is running. This may cause it to stall.
Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Once ComboFix has finished and produced a log, ensure your Anti-Virus and Anti-Spyware applications have been re-enabled.

Let me know if you have any questions or problems.

-Taylor
Old 06-02-2011, 10:22 AM   #4
esecan, Registered Member
Join Date: Oct 2009
Posts: 62
OS: XP

I backed up my hidden files. I changed Windows Explorer to show hidden files in certain directories.

I then shut everything down and ran ComboFix. It successfully saved off something in the first phase. Then it asked me to install the Microsoft Registry software, which I accepted. This failed out.

I clicked that I wanted ComboFix to continue scanning for problems. So note that I am posting the results, but the Windows Recovery Console did not load.

ComboFix log file (I am attaching it as well):

ComboFix 11-06-01.07 - Erik 06/02/2011 11:39:45.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.422 [GMT -4:00]
Running from: c:\documents and settings\Erik\Desktop\ComboFix.exe
AV: Webroot AntiVirus with Spy Sweeper *Disabled/Updated* {77E10C7F-2CCA-4187-9394-BDBC267AD597}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\AhGkYJyFIC.exe
c:\documents and settings\Erik\GoToAssistDownloadHelper.exe
c:\documents and settings\Erik\WINDOWS
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_AFPANSI
-------\Service_AFPAnsi
.
.
((((((((((((((((((((((((( Files Created from 2011-05-02 to 2011-06-02 )))))))))))))))))))))))))))))))
.
.
2011-05-23 14:52 . 2011-05-23 14:52 -------- d-----w- c:\program files\iPod
2011-05-23 14:52 . 2011-05-23 14:54 -------- d-----w- c:\program files\iTunes
2011-05-23 14:38 . 2011-05-23 14:38 -------- d-----w- c:\program files\Bonjour
2011-05-21 12:24 . 2011-05-21 12:24 -------- d--h--w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-05-21 12:19 . 2011-05-21 12:19 -------- d--h--w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-05-14 14:39 . 2011-05-14 14:39 -------- d--h--w- c:\documents and settings\Debbie\Application Data\Sonic
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-07 05:33 . 2004-08-11 22:12 692736 ----a-w- c:\windows\system32\inetcomm.dll
2010-06-18 12:15 . 2009-12-08 15:05 119808 ---ha-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 313472]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\WinPatrol.exe" [2009-10-10 320832]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"WebrootTrayApp"="c:\program files\Webroot\Security\Current\Framework\WRTray.exe" [2011-03-30 1373208]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"QuickTime Task"="c:\program files\QUICKTIME\QTTASK.EXE" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
.
c:\documents and settings\Debbie\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-06-18 12:15 30192 ---ha-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ---ha-w- c:\program files\QuickTime\QTTask.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Erik\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Erik\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Documents and Settings\\Debbie\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Debbie\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Documents and Settings\\Debbie\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Compact Wireless-G USB Adapter Wireless Network Monitor\\WUSB54GC.exe"=
"c:\\WINDOWS\\system32\\mrtmngr.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R2 ssfmonm;ssfmonm;c:\windows\system32\drivers\ssfmonm.sys [11/12/2010 8:29 AM 45072]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [1/21/2008 8:13 PM 1373480]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Security\Current\Framework\WRConsumerService.exe [3/30/2011 8:08 AM 3251928]
S4 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/8/2009 11:05 AM 30192]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/21/2011 8:19 AM 136176]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-06-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3042289151-2759841509-2521737358-1005Core.job
- c:\documents and settings\Erik\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-19 23:22]
.
2011-06-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3042289151-2759841509-2521737358-1005UA.job
- c:\documents and settings\Erik\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-19 23:22]
.
2011-06-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3042289151-2759841509-2521737358-1006Core.job
- c:\documents and settings\Debbie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-03 00:44]
.
2011-06-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3042289151-2759841509-2521737358-1006UA.job
- c:\documents and settings\Debbie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-03 00:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://cm.my.yahoo.com/
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
DPF: {895D1291-D5BD-4982-BA84-AD11D29C1D6A} - hxxp://community.weightwatchers.com/Scripts/ImageUploader6.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab
FF - ProfilePath - c:\documents and settings\Erik\Application Data\Mozilla\Firefox\Profiles\kvc154hl.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Corel Photo Downloader - c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe
MSConfigStartUp-DellSupport - c:\program files\Dell Support\DSAgnt.exe
MSConfigStartUp-DMXLauncher - c:\program files\Dell\Media Experience\DMXLauncher.exe
MSConfigStartUp-MMTray - c:\progra~1\MUSICM~1\MUSICM~3\mm_tray.exe
MSConfigStartUp-RealTray - c:\program files\Real\RealPlayer\RealPlay.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-06-02 12:38
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,93,07,0c,df,10,65,28,46,90,09,6b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,93,07,0c,df,10,65,28,46,90,09,6b,\
.
[HKEY_USERS\S-1-5-21-3042289151-2759841509-2521737358-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(988)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Webroot\Security\current\plugins\antimalware\AEI.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
c:\windows\system32\WTablet\Wacom_TabletUser.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\JAVA\JRE6\BIN\JUSCHED.EXE
c:\program files\JAVA\JRE6\BIN\jucheck.exe
.
**************************************************************************
.
Completion time: 2011-06-02 12:57:59 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-02 16:57
ComboFix2.txt 2009-10-29 20:55
.
Pre-Run: 49,954,168,832 bytes free
Post-Run: 58,598,592,512 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.
- - End Of File - - 34F5E364A35D69204DB379E666516888
Attached file: combofix.txt (13.5 KB)
__________________
esecan is offline  
Old 06-02-2011, 08:22 PM   #5
Security Team
Trainee IV
 
 
Join Date: Dec 2007
Location: San Francisco, CA
Posts: 2,367
OS: Windows XP MCE



Hello esecan.

You mentioned earlier that everything in 'All Programs' was hidden. Is this still the case?

------------------------

Please download BootCheck.exe to your desktop.
  • Double click BootCheck.exe to run the check
  • When complete, a Notepad window will open with some text in it
  • Save the Notepad file to your desktop as BootCheck.txt
  • Copy the contents of BootCheck.txt and post it in your next reply

Let me know if you have any questions or concerns.

-Taylor
__________________
If I am helping you with a Virus/Malware fix and have not responded within 36 hours, please PM me.
NOTE: I do not offer help of any kind via Private Messages. Please post your questions in the appropriate forum.



Nistlerooy is offline  
Old 06-02-2011, 08:53 PM   #6
Registered Member
 
Join Date: Oct 2009
Posts: 62
OS: XP



The list of programs now shows up under All Programs, but each of the folders shows empty. All of my files are still hidden.

CMDCONS Folder exists!

Contents of C:\boot.ini:

[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
__________________
esecan is offline  
Old 06-03-2011, 04:23 AM   #7
Security Team
Trainee IV
 
 
Join Date: Dec 2007
Location: San Francisco, CA
Posts: 2,367
OS: Windows XP MCE



Thank you esecan.

If you go to your C:\ drive, then to the folder "Qoobox" you should find a file: c:\qoobox\combofix-quarantined-files.txt

Please attach that text file in your reply.

-Taylor
__________________



Nistlerooy is offline  
Old 06-03-2011, 09:11 AM   #8
Registered Member
 
Join Date: Oct 2009
Posts: 62
OS: XP



To be clear, when I go to the Start menu it shows the programs, but when I hover over one of the items it shows "empty" for any of the items.

Here is the file that you requested

2011-06-02 16:44:55 . 2011-06-02 16:44:55 912 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-WebCyberCoach_wtrb.reg.dat
2011-06-02 16:44:40 . 2011-06-02 16:44:40 642 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-RealTray.reg.dat
2011-06-02 16:44:39 . 2011-06-02 16:44:39 586 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-MMTray.reg.dat
2011-06-02 16:44:39 . 2011-06-02 16:44:39 630 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-DMXLauncher.reg.dat
2011-06-02 16:44:39 . 2011-06-02 16:44:39 616 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-DellSupport.reg.dat
2011-06-02 16:44:39 . 2011-06-02 16:44:39 660 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Corel Photo Downloader.reg.dat
2011-06-02 15:52:03 . 2011-06-02 15:52:03 2,504 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_AFPAnsi.reg.dat
2011-06-02 15:52:03 . 2011-06-02 15:52:03 1,356 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_AFPANSI.reg.dat
2011-06-02 15:51:40 . 2011-06-02 15:51:40 11,317 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-06-02 15:01:13 . 2011-06-02 15:39:45 82 ----a-w- C:\Qoobox\Quarantine\catchme.log
2011-05-31 15:36:43 . 2011-05-31 15:36:40 416,768 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\AhGkYJyFIC.exe.vir
2008-06-27 14:41:28 . 2008-12-04 14:08:33 61,224 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Erik\GoToAssistDownloadHelper.exe.vir
__________________
esecan is offline  
Old 06-04-2011, 10:30 AM   #9
Security Team
Trainee IV
 
 
Join Date: Dec 2007
Location: San Francisco, CA
Posts: 2,367
OS: Windows XP MCE



Hello again esecan. I hope you're having a good weekend!

Download SystemLook from one of the links below and save it to your desktop.

Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:
    :folderfind
    smtmp
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found at on your Desktop entitled SystemLook.txt

-Taylor
__________________



Nistlerooy is offline  
Old 06-04-2011, 07:18 PM   #10
Registered Member
 
Join Date: Oct 2009
Posts: 62
OS: XP



Taylor,

How bad is the problem? Other than all of the hidden files the computer seems to be acting normally. (I am not using the computer for anything other than working on this problem until this gets resolved)

I am going to be traveling for a few days next week, but I'll have my wife try to follow the directions in my absence.

Erik

SystemLook 04.09.10 by jpshortstuff
Log created at 21:44 on 04/06/2011 by Erik
Administrator - Elevation successful

========== folderfind ==========

Searching for "smtmp"
No folders found.

-= EOF =-
__________________
esecan is offline  
Old 06-05-2011, 03:36 PM   #11
Security Team
Trainee IV
 
 
Join Date: Dec 2007
Location: San Francisco, CA
Posts: 2,367
OS: Windows XP MCE



Hi Erik.

Quote:
How bad is the problem? Other than all of the hidden files the computer seems to be acting normally.
Well, I have good news and less-than-good news.

The good news is that for the most part, the infection is gone. You had what's known generally as a Rogue Anti Virus infection. It's an infection which will cause problems on your machine, or deliver false messages indicating you have some bogus virus, and convince you that the only way to fix the problems is by purchasing their "software." Once you have paid them, the infection undoes what it had done in the first place (or just tells you it's no longer infected)...usually.

The Start > All Programs menu is a file folder, just like any other on your computer. Through Windows Explorer, you can customize it just like you would with My Documents--creating folders, deleting folders, adding/removing files, etc. What this infection did was take all of those files and move them to another location on your machine, just like when you go to search for a document in My Docs and it's not there. So the All Programs folders aren't hidden, they're not there. That's why they show "empty."

The reason I've been searching for this smtmp (short for Start Menu Temporary) folder is because that's where the infection sticks them. It creates this folder on your machine and hides the All Program folders/files there from you so they don't show up any longer.

Now the less-than-good news.

The problem is that it creates the smtmp folders in your Temporary Files section. The problem with this is that if you were to clear your temporary files, or run a cleaning tool which does it for you, it deletes the files/folders that the infection moved there. We were unable to locate the four smtmp folders on your machine we were looking for. This means that they've likely been deleted and are unrecoverable.

However, not all is lost. This isn't critically detrimental. All of your programs are still there, the shortcuts are just gone. It's a nuisance more than anything. After consulting with my colleagues, we've determined that the best course of action to correct this is to try a Microsoft Hotfix: When you point to "All Programs" on a Windows XP-based computer, the list of programs does not appear, or the list of programs is empty

You can download and run the hotfix from the link at the top, shown here in the screen shot:


Be sure to let us know how it goes, and let me know if you have any questions or problems.

-Taylor
__________________



Nistlerooy is offline  
Old 06-05-2011, 04:32 PM   #12
Registered Member
 
Join Date: Oct 2009
Posts: 62
OS: XP



Thank you for the explanation. That makes sense.

Do you have any advice for unhiding all of my files? It looks like some of them are no longer hidden but I haven't done an extensive search.

Also, has the virus been contained? Is it safe to use this computer again? For now, I have told my wife not to use it.

I downloaded the hotfix but no luck. When it ran, it said that the service pack on the system is newer than the update I was installing, so there is no need to install this update. It then exited.

We coincidentally just bought a new laptop computer. Do I just need to create shortcuts for the programs and put them in the directory? Is that my only issue now?

Thanks again for the help. When I double click on a file it launches the correct program and it seems to work fine.

Erik
__________________
esecan is offline  
Old 06-06-2011, 03:40 PM   #13
Security Team
Trainee IV
 
 
Join Date: Dec 2007
Location: San Francisco, CA
Posts: 2,367
OS: Windows XP MCE



Hi Erik.

You should find that all files on the system are now unhidden. Are you finding any in particular which are not? If so, which ones, and where are they?

The main infection has been knocked down, yes, however we're not quite ready to give you the all clear just yet. There are a couple more scans we want to run first. I think it would be ok to use the computer again, just on a limited basis and with great care--for things like email, documents, etc. Just be very cautious. For example, I would avoid downloading anything at the moment, including email attachments.

I see that you have MBAM installed.
  • Launch Malwarebytes' Anti-Malware
  • Under the Update tab, click Check for Updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad and you may be prompted to Restart your computer.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy/Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

Go here to run an online scanner from ESET and Save the file to your Desktop.
  • If you are not using Internet Explorer, double-click esetsmartinstaller_enu.exe to install it, then click 'Run'.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install.
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Next to 'Current scan targets: Operating memory, Local drives', click the Change.. button.
  • Tick all the boxes that correspond to your external/inserted drives.
  • Click Scan
  • Wait for the scan to finish.
  • Use Notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Copy/paste that log as a reply to this topic.

Let me know if you have any questions or problems.

-Taylor
__________________



Nistlerooy is offline  
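The two things a practitioner would want to check by hand after reading Taylor's explanation in post #11 (the rogue moved the Start Menu contents into "smtmp" folders under the temp directory) and Erik's question in post #12 (how to unhide the rest of the files) are shown below as an added PowerShell example. It is not code from this thread, nor from ComboFix, SystemLook, MBAM or the Microsoft hotfix. It searches every profile under the profiles root for smtmp folders, reports what each numbered subfolder holds and where it would go, optionally copies the contents back, and optionally clears the Hidden attribute on user files that are not also marked System. The numbered-subfolder mapping (1 = All Users Start Menu, 2 = Quick Launch, 3 = All Users Desktop, 4 = the user's own Start Menu) and the list of legitimately hidden XP profile folders are assumptions based on how this rogue family is usually described; inspect the stash folders before restoring, and run from an administrator account.

```powershell
# Added example, not from the thread or from any tool mentioned in it.
# Finds the rogue's "smtmp" stash folders, optionally restores them, and
# optionally clears the Hidden attribute the rogue set on user files.
# ASSUMPTION: the numbered-subfolder mapping below is the commonly reported
# layout for this family; check the folder contents before using -Restore.
param(
    [switch]$Restore,   # copy smtmp\N contents back to their normal locations
    [switch]$Unhide,    # clear Hidden on user items that are not System items
    [switch]$DryRun     # report what would be done, change nothing
)

$profilesRoot = Split-Path -Parent $env:USERPROFILE   # XP: C:\Documents and Settings
$allUsers     = Join-Path $profilesRoot 'All Users'    # Vista+: a junction to ProgramData

# Assumed mapping from stash subfolder name to its real location (XP layout).
$mapping = @{
    '1' = (Join-Path $allUsers 'Start Menu')
    '2' = (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
    '3' = (Join-Path $allUsers 'Desktop')
    '4' = [Environment]::GetFolderPath('StartMenu')    # the current user's Start Menu
}

Write-Host "Searching $profilesRoot for smtmp folders..."
$stashes = Get-ChildItem -Path $profilesRoot -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and $_.Name -eq 'smtmp' }

if (-not $stashes) {
    Write-Host 'No smtmp folders found (a temp-file cleaner may already have removed them).'
}

foreach ($stash in $stashes) {
    Write-Host "Found: $($stash.FullName)"
    $subs = Get-ChildItem -Path $stash.FullName -Force | Where-Object { $_.PSIsContainer }
    foreach ($sub in $subs) {
        $files  = @(Get-ChildItem -Path $sub.FullName -Recurse -Force -ErrorAction SilentlyContinue |
                    Where-Object { -not $_.PSIsContainer })
        $target = $mapping[$sub.Name]
        if (-not $target) { $target = '(unknown subfolder, inspect by hand)' }
        Write-Host ("  {0}\ : {1} file(s) -> {2}" -f $sub.Name, $files.Count, $target)

        if ($Restore -and $mapping[$sub.Name]) {
            # Copy rather than move, so the stash survives until the result is verified.
            if ($DryRun) {
                Write-Host "  [DryRun] copy $($sub.FullName)\* -> $target"
            } else {
                if (-not (Test-Path $target)) { New-Item -ItemType Directory -Path $target | Out-Null }
                Copy-Item -Path (Join-Path $sub.FullName '*') -Destination $target -Recurse -Force
            }
        }
    }
}

if ($Unhide) {
    # Items Windows itself keeps hidden in an XP profile (assumed list); leave them alone.
    $legitHidden = @('Application Data', 'Local Settings', 'NetHood', 'PrintHood', 'Recent',
                     'SendTo', 'Templates', 'desktop.ini', 'ntuser.dat', 'ntuser.dat.LOG', 'ntuser.ini')
    $hidden = [IO.FileAttributes]::Hidden
    $system = [IO.FileAttributes]::System

    # The rogue sets Hidden only; genuine OS items carry System as well, so skip those.
    $items = Get-ChildItem -Path $profilesRoot -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { (($_.Attributes -band $hidden) -ne 0) -and
                       (($_.Attributes -band $system) -eq 0) -and
                       ($legitHidden -notcontains $_.Name) }

    $n = 0
    foreach ($item in $items) {
        if ($DryRun) {
            Write-Host "  [DryRun] unhide $($item.FullName)"
        } else {
            $item.Attributes = [IO.FileAttributes]($item.Attributes -bxor $hidden)
        }
        $n++
    }
    Write-Host "Hidden attribute cleared on $n item(s)."
}
```

Run it first with `-DryRun -Restore -Unhide` and read the report; the counts tell you whether the stash is intact or, as in this thread, already gone. Copying rather than moving, and excluding anything with the System attribute, keeps the script from making the profile worse if the mapping assumption turns out to be wrong for a given variant.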
Old 06-06-2011, 07:26 PM   #14
Registered Member
 
Join Date: Oct 2009
Posts: 62
OS: XP



It's not in the start menu. How do I run malwarebytes?
__________________
esecan is offline  
Old 06-06-2011, 08:05 PM   #15
Administrator
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,368
OS: WinXP Home, Vista, Windows 7 64bit



Hello esecan,

Nistlerooy is not online at the moment, so in the interest of keeping you moving....

Do you have a Malwarebyte's Anti Malware icon on your desktop? If so, double click it to launch the program.

If you do not have the icon on your desktop, click Start>My Computer and double click on the C:\ drive.

Navigate to C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

Double click the mbam.exe file to launch the program
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 06-06-2011, 10:14 PM   #16
Registered Member
 
Join Date: Oct 2009
Posts: 62
OS: XP



I tried that. Unfortunately I get an error. run-time error 0. Debbie (Erik's wife)
__________________
esecan is offline  
Old 06-07-2011, 08:13 PM   #17
Security Team
Trainee IV
 
 
Join Date: Dec 2007
Location: San Francisco, CA
Posts: 2,367
OS: Windows XP MCE



Hi Debbie

My apologies for the late reply, and thank you to Ried for stepping in to help.

MBAM has a fix for this issue which can be found in their FAQ page here (Issue 15. Thank you to tetonbob for the assistance). However, I have quoted the instructions below. Please try this and see how it works.
  • Please copy and paste the following text in the Code box exactly as you see it into Notepad (be sure to include all quote marks). (Note: Wordpad, Word, or any other text editor will not work)
    Code:
    if exist "%programfiles(x86)%" regsvr32 "%programfiles(x86)%\Malwarebytes' Anti-Malware\mbamext.dll"
    if exist "%programfiles(x86)%" regsvr32 "%programfiles(x86)%\Malwarebytes' Anti-Malware\ssubtmr6.dll"
    if exist "%programfiles(x86)%" regsvr32 "%programfiles(x86)%\Malwarebytes' Anti-Malware\vbalsgrid6.ocx"
    if not exist "%programfiles(x86)%" regsvr32 "%programfiles%\Malwarebytes' Anti-Malware\mbamext.dll"
    if not exist "%programfiles(x86)%" regsvr32 "%programfiles%\Malwarebytes' Anti-Malware\ssubtmr6.dll"
    if not exist "%programfiles(x86)%" regsvr32 "%programfiles%\Malwarebytes' Anti-Malware\vbalsgrid6.ocx"
  • Once you've done that click on File and select Save As...
  • In the Save dialogue box click on the drop down menu to Save as type and select All files
  • Name the file MBAM Fix.bat (the .bat extension is very important!)
  • Save the file to your desktop and double click it to run it on XP. Note: For Vista users, right click on it and choose Run As Admin
  • Click OK to each of the 3 dialog boxes that should show a success message for each file registered
  • If you get an error stating: REGSVR32 is not recognized as an internal or external command, operable program or batch file, please come back to me and let me know.
-------------------------------

In the event that you are able to get the MBAM scan to work correctly, please continue with the ESET scan afterward and post both logs here for me in your next reply. If you have any problems or questions, please let me know.

-Taylor
__________________



Nistlerooy is offline  
Old 06-10-2011, 04:35 AM   #18
Registered Member
 
Join Date: Oct 2009
Posts: 62
OS: XP



Malwarebytes' Anti-Malware 1.41
Database version: 3058
Windows 5.1.2600 Service Pack 3

6/9/2011 9:24:01 PM
mbam-log-2011-06-09 (21-24-01).txt

Scan type: Quick Scan
Objects scanned: 120343
Time elapsed: 11 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





C:\Documents and Settings\Debbie\Application Data\Sun\Java\Deployment\cache\6.0\17\1f5b9e11-7dc72b65 a variant of Java/TrojanDownloader.Agent.NAE trojan
C:\Documents and Settings\Debbie\Application Data\Sun\Java\Deployment\cache\6.0\34\37db3fe2-4b4b3331 Java/TrojanDownloader.Agent.ME trojan
C:\Documents and Settings\Debbie\Application Data\Sun\Java\Deployment\cache\6.0\45\5046f5ad-7affd67a Java/Agent.BH trojan
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\AhGkYJyFIC.exe.vir a variant of Win32/Kryptik.OKY trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP548\A0059366.exe a variant of Win32/Kryptik.OKY trojan
__________________
esecan is offline  
Old 06-11-2011, 04:45 PM   #19
Security Team
Trainee IV
 
 
Join Date: Dec 2007
Location: San Francisco, CA
Posts: 2,367
OS: Windows XP MCE


Hi Debbie. I apologize for taking so long to get back to you. They are fumigating and we haven't been cleared to return yet. I'll have further instructions soon, I hope. Thank you for your patience!
__________________



Nistlerooy is offline  
Old 06-12-2011, 08:09 AM   #20
Security Team
Trainee IV
 
 
Join Date: Dec 2007
Location: San Francisco, CA
Posts: 2,367
OS: Windows XP MCE


Hello again Debbie. Sorry again about that delay.

In regards to the ESET results, the first three hits are ones sitting in the Java cache--we will clear those out in this round. The fourth is a virus that ComboFix has "captured" and will be deleted when we are finished. The final hit is an infected restore point, which will also be taken care of when we are finished.

-------------------------

This tool cleans files from temp locations, and empties the Recycle Bin.
  • Download TFC (Temp File Cleaner) to your desktop, or other location.
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.

-------------------------

One thing that was noticed about the scan is that it is showing MBAM to be out of date. I'd like you to run another scan, but first please update Malwarebytes by doing the following:
  • Launch Malwarebytes' Anti-Malware
  • Under the Update tab, click Check for Updates
  • If an update is found, it will download and install the latest version.

-------------------------

Go ahead and run another Quick Scan and let's take a look at that log by posting it here in your next reply.

Let me know if you have any questions or problems.

-Taylor

__________________



Nistlerooy is offline  
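The triage Taylor performs on the five ESET hits (Java cache artefacts, a file already in ComboFix's quarantine, an infected restore point) is the kind of sorting a practitioner does on every scanner log, so here it is as an added PowerShell example. It is not code from this thread or from ESET. The sample log is the five lines quoted in post #18, embedded as a constructed here-string; the parser assumes each line is "<path> <detection name>" with the detection name containing a slash, which is how the lines above read, and the quarantine and cache path patterns other than ComboFix's Qoobox folder are assumptions you should extend for the tools actually present on the machine.

```powershell
# Added example, not from the thread or from ESET. Sorts scanner hits by
# where they sit, so that items already neutralised (tool quarantines, old
# restore points) are not mistaken for a live infection.

# Constructed sample: the five ESET hits quoted in this thread.
$sampleLog = @'
C:\Documents and Settings\Debbie\Application Data\Sun\Java\Deployment\cache\6.0\17\1f5b9e11-7dc72b65 a variant of Java/TrojanDownloader.Agent.NAE trojan
C:\Documents and Settings\Debbie\Application Data\Sun\Java\Deployment\cache\6.0\34\37db3fe2-4b4b3331 Java/TrojanDownloader.Agent.ME trojan
C:\Documents and Settings\Debbie\Application Data\Sun\Java\Deployment\cache\6.0\45\5046f5ad-7affd67a Java/Agent.BH trojan
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\AhGkYJyFIC.exe.vir a variant of Win32/Kryptik.OKY trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP548\A0059366.exe a variant of Win32/Kryptik.OKY trojan
'@

function Get-HitCategory([string]$Path) {
    # Ordered from "already handled" to "still live". Patterns are assumptions
    # except Qoobox, which is ComboFix's quarantine folder as seen in this thread.
    switch -Regex ($Path) {
        '\\Qoobox\\Quarantine\\'                 { return 'already quarantined (ComboFix)' }
        '\\System Volume Information\\_restore' { return 'old restore point (purge System Restore when finished)' }
        '\\Sun\\Java\\Deployment\\cache\\'       { return 'Java cache (exploit artefact; clear the cache)' }
        '\\Temporary Internet Files\\'           { return 'browser cache (clear temp files)' }
        default                                  { return 'live file - investigate' }
    }
}

# Path ends just before the first token containing "/", which detection names
# have and Windows paths never do; "a variant of" is folded into the detection.
$lineRegex = '^(?<path>[^/]+?)\s+(?<det>(?:a variant of\s+)?\S+/\S+.*)$'

$hits = foreach ($line in ($sampleLog -split "`r?`n")) {
    if ($line.Trim() -eq '') { continue }
    $m = [regex]::Match($line, $lineRegex)
    if (-not $m.Success) { Write-Warning "Unparsed line: $line"; continue }
    New-Object PSObject -Property @{
        Path      = $m.Groups['path'].Value
        Detection = $m.Groups['det'].Value
        Category  = Get-HitCategory $m.Groups['path'].Value
    }
}

$hits | Format-Table Category, Detection, Path -AutoSize
Write-Host 'Summary:'
$hits | Group-Object Category | Select-Object Count, Name | Format-Table -AutoSize
```

For the sample, every hit lands in one of the three handled categories and none is reported as a live file, which is exactly the reading in the post above: the Java cache entries and temp files go with TFC, the .vir file goes when ComboFix is uninstalled, and the restore point goes when System Restore is flushed at the end of the cleanup.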
 
