Windows Recovery Virus!!! Help needed to remove


Post by zhengs on Sun May 22, 2011 3:52 pm

I was just on the internet and this thing came up and started scanning my computer. And then I noticed all my desktop icons were gone and that all my files were gone. Help!!! What to do now?? How can I get it back to how it was?

OTL logfile created on: 5/22/2011 11:45:07 AM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\James\Downloads
Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 68.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 224.74 Gb Total Space | 170.66 Gb Free Space | 75.93% Space Free | Partition Type: NTFS

Computer Name: JAMES-PC | User Name: James | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/22 11:44:34 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\James\Downloads\OTL.com
PRC - [2011/05/07 01:27:39 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/11/20 08:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010/11/20 08:17:09 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010/11/20 08:16:54 | 000,100,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\audiodg.exe


========== Modules (SafeList) ==========

MOD - [2011/05/22 11:44:34 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\James\Downloads\OTL.com
MOD - [2010/11/20 07:55:09 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/05/17 16:50:01 | 000,403,240 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/10/21 15:16:50 | 004,093,392 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\Windows\System32\GameMon.des -- (npggsvc)
SRV - [2010/07/31 02:37:42 | 001,343,400 | ---- | M] () [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2009/07/13 21:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 21:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 21:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - [2010/11/21 01:12:44 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2010/11/20 08:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\vmbus.sys -- (vmbus)
DRV - [2010/11/20 08:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010/11/20 08:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\storvsc.sys -- (storvsc)
DRV - [2010/11/20 06:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 06:21:14 | 000,015,872 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV - [2010/11/20 05:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010/11/20 05:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\vms3cap.sys -- (s3cap)
DRV - [2010/08/16 10:26:29 | 006,637,056 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETwLv32.sys -- (NETwLv32) Intel(R)
DRV - [2010/05/31 14:58:33 | 006,638,080 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw5v32.sys -- (netw5v32) Intel(R)
DRV - [2009/07/13 19:45:33 | 000,083,456 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\serial.sys -- (Serial)
DRV - [2009/07/13 18:02:53 | 000,311,296 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\yk62x86.sys -- (yukonw7)
DRV - [2007/08/03 05:36:10 | 000,009,344 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SFEP.sys -- (SFEP)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 7F 7A 2E 15 46 30 CB 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..keyword.URL: "http://www.bing.com/search?pc=Z007&form=ZGAADF&q="

FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/07 01:27:42 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/07 01:27:42 | 000,000,000 | ---D | M]

[2010/07/30 20:08:55 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\James\AppData\Roaming\Mozilla\Extensions
[2011/05/07 01:27:45 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\z4dfk4n4.default\extensions
[2011/04/03 15:24:31 | 000,001,919 | -H-- | M] () -- C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\z4dfk4n4.default\searchplugins\bing-zugo.xml
[2011/04/18 16:18:45 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/30 23:41:22 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
File not found (No name found) --
[2011/05/07 01:27:39 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2010/07/30 23:41:06 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2011/05/07 01:27:41 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2009/06/10 17:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O4 - HKCU..\Run: [kJoCBjsHlcALP] C:\ProgramData\kJoCBjsHlcALP.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: pps.tv ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: ppstream.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: webscache.com ([]http in Trusted sites)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\WgaLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/22 11:09:25 | 000,000,000 | -H-D | C] -- C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 Recovery
[2011/05/22 11:09:01 | 000,338,432 | -H-- | C] (Microsoft Corporation) -- C:\ProgramData\24502008.exe
[2011/05/22 11:03:51 | 000,411,136 | -H-- | C] (Microsoft Corporation) -- C:\ProgramData\kJoCBjsHlcALP.exe
[2011/05/16 16:09:02 | 000,404,640 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2011/05/10 20:15:21 | 003,967,872 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2011/05/10 20:15:21 | 000,123,904 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\poqexec.exe
[2011/05/10 20:15:20 | 003,912,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2011/05/01 18:29:00 | 000,000,000 | -H-D | C] -- C:\Users\Public\Documents\Blizzard Entertainment
[2011/04/29 23:23:10 | 000,000,000 | ---D | C] -- C:\Users\James\AppData\Local\ElevatedDiagnostics
[2011/04/26 19:02:40 | 000,000,000 | -H-D | C] -- C:\Program Files\World of Warcraft
[2011/04/26 19:02:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\World of Warcraft
[2011/04/19 00:25:04 | 001,654,869 | ---- | C] (Dynu Systems Inc.) -- C:\ProgramData\DynuEncrypt.dll
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/22 11:27:11 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/05/22 11:27:07 | 2408,390,656 | -HS- | M] () -- C:\hiberfil.sys
[2011/05/22 11:09:27 | 000,000,144 | -H-- | M] () -- C:\ProgramData\~24502008r
[2011/05/22 11:09:27 | 000,000,120 | -H-- | M] () -- C:\ProgramData\~24502008
[2011/05/22 11:09:25 | 000,000,635 | -H-- | M] () -- C:\Users\James\Desktop\Windows 7 Recovery.lnk
[2011/05/22 11:09:03 | 000,000,344 | -H-- | M] () -- C:\ProgramData\24502008
[2011/05/22 11:09:01 | 000,338,432 | -H-- | M] (Microsoft Corporation) -- C:\ProgramData\24502008.exe
[2011/05/22 11:06:06 | 000,116,224 | ---- | M] () -- C:\Windows\System32\drivers\3622D08.sys
[2011/05/22 11:05:54 | 000,116,224 | ---- | M] () -- C:\Windows\System32\drivers\211FF05.sys
[2011/05/22 11:03:51 | 000,411,136 | -H-- | M] (Microsoft Corporation) -- C:\ProgramData\kJoCBjsHlcALP.exe
[2011/05/16 16:09:02 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2011/05/16 07:10:57 | 000,022,864 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/05/16 07:10:56 | 000,022,864 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/05/07 01:27:49 | 000,002,002 | -H-- | M] () -- C:\Users\James\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/04/26 23:22:53 | 000,632,946 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/04/26 23:22:53 | 000,110,548 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/22 11:09:27 | 000,000,144 | -H-- | C] () -- C:\ProgramData\~24502008r
[2011/05/22 11:09:27 | 000,000,120 | -H-- | C] () -- C:\ProgramData\~24502008
[2011/05/22 11:09:25 | 000,000,635 | -H-- | C] () -- C:\Users\James\Desktop\Windows 7 Recovery.lnk
[2011/05/22 11:09:03 | 000,000,344 | -H-- | C] () -- C:\ProgramData\24502008
[2011/05/22 11:06:06 | 000,116,224 | ---- | C] () -- C:\Windows\System32\drivers\3622D08.sys
[2011/05/22 11:05:54 | 000,116,224 | ---- | C] () -- C:\Windows\System32\drivers\211FF05.sys
[2011/04/18 16:09:34 | 000,000,375 | -H-- | C] () -- C:\Program Files\U_LUNIA_setup.exe.bfi
[2011/02/22 23:34:11 | 000,080,896 | ---- | C] () -- C:\Windows\System32\RDVGHelper.exe
[2011/02/22 23:33:01 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2011/02/18 22:17:24 | 000,018,760 | ---- | C] () -- C:\Windows\System32\QQVistaHelper.dll
[2011/02/14 17:05:55 | 001,481,728 | ---- | C] () -- C:\Windows\System32\LegitCheckControl.dll
[2011/02/14 17:05:51 | 000,414,208 | ---- | C] () -- C:\Windows\System32\WgaTray.exe
[2011/02/14 17:05:51 | 000,190,976 | ---- | C] () -- C:\Windows\System32\WgaLogon.dll
[2010/11/21 01:21:47 | 000,055,149 | ---- | C] () -- C:\Windows\War3Unin.dat
[2010/11/15 00:22:19 | 000,000,268 | -H-- | C] () -- C:\Program Files\data3.cab.bfi
[2010/11/15 00:22:15 | 000,000,186 | -H-- | C] () -- C:\Program Files\setup.inx.bfi
[2010/11/15 00:22:12 | 000,000,186 | -H-- | C] () -- C:\Program Files\setup.ini.bfi
[2010/11/15 00:22:09 | 000,000,187 | -H-- | C] () -- C:\Program Files\layout.bin.bfi
[2010/11/15 00:22:05 | 000,000,188 | -H-- | C] () -- C:\Program Files\ISSetup.dll.bfi
[2010/11/15 00:22:01 | 000,000,186 | -H-- | C] () -- C:\Program Files\data1.hdr.bfi
[2010/11/15 00:21:56 | 000,000,186 | -H-- | C] () -- C:\Program Files\data1.cab.bfi
[2010/11/15 00:21:52 | 000,000,187 | -H-- | C] () -- C:\Program Files\_Setup.dll.bfi
[2010/11/14 19:53:22 | 000,000,279 | -H-- | C] () -- C:\Program Files\data2.cab.bfi
[2010/11/14 19:53:08 | 000,000,186 | -H-- | C] () -- C:\Program Files\setup.exe.bfi
[2010/10/24 23:02:34 | 000,000,093 | -H-- | C] () -- C:\Users\James\AppData\Local\fusioncache.dat
[2010/09/01 14:43:09 | 000,886,272 | -H-- | C] () -- C:\Users\James\AppData\Roaming\System.Data.SQLite.DLL
[2010/09/01 14:43:06 | 000,141,207 | -H-- | C] () -- C:\Users\James\AppData\Roaming\3ulxy7893UL.exe
[2009/09/23 19:16:08 | 002,050,952 | ---- | C] () -- C:\Windows\System32\igkrng400.bin
[2009/07/14 00:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/14 00:33:53 | 000,266,808 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/07/13 22:05:48 | 000,632,946 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2009/07/13 22:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2009/07/13 22:05:48 | 000,110,548 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2009/07/13 22:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2009/07/13 22:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2009/07/13 22:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2009/07/13 19:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 19:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/07/08 21:03:02 | 000,058,880 | ---- | C] () -- C:\Windows\System32\bdmpegv.dll
[2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

========== Files - Unicode (All) ==========
[2011/02/18 23:28:09 | 000,000,000 | -H-D | M](C:\Users\James\AppData\Roaming\????) -- C:\Users\James\AppData\Roaming\腾讯游戏

========== Alternate Data Streams ==========

@Alternate Data Stream - 117 bytes -> C:\ProgramData\TEMP:2B11E0DF

< End of report >


Last edited by zhengs on Sun May 22, 2011 11:30 pm; edited 2 times in total

zhengs
Senior

Posts : 228
Joined : 2009-01-02
Gender : Male
OS : Windows Vista
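The OTL log in the post above already contains the signals a helper would key on: hidden executables dropped into C:\ProgramData and AppData, two short hex-named drivers in System32\drivers with no company string, and files whose version-info company claims "Microsoft Corporation" while sitting outside the Windows directory. The following PowerShell is an added triage example written for this page, not a tool from the thread and not part of OTL; the nine sample lines are copied verbatim from the posted log, and the three rules, their thresholds and the function names are this example's own assumptions. It assumes PowerShell 3.0 or later (the PowerShell 2.0 that shipped with Windows 7 lacks `[pscustomobject]`).

```powershell
# Added example, not from the original thread: triage OTL "Files Created /
# Files Modified" lines for the indicators visible in the posted log.
# Sample lines are copied from that log; the rules are this example's own.
# Assumes PowerShell 3.0 or later.

# Constructed sample: nine lines excerpted verbatim from the OTL log above.
$SampleOtlLines = @(
  '[2011/05/22 11:09:01 | 000,338,432 | -H-- | C] (Microsoft Corporation) -- C:\ProgramData\24502008.exe',
  '[2011/05/22 11:03:51 | 000,411,136 | -H-- | C] (Microsoft Corporation) -- C:\ProgramData\kJoCBjsHlcALP.exe',
  '[2011/05/16 16:09:02 | 000,404,640 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl',
  '[2011/05/10 20:15:20 | 003,912,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe',
  '[2011/05/22 11:06:06 | 000,116,224 | ---- | C] () -- C:\Windows\System32\drivers\3622D08.sys',
  '[2011/05/22 11:05:54 | 000,116,224 | ---- | C] () -- C:\Windows\System32\drivers\211FF05.sys',
  '[2011/05/22 11:27:07 | 2408,390,656 | -HS- | M] () -- C:\hiberfil.sys',
  '[2010/09/01 14:43:06 | 000,141,207 | -H-- | C] () -- C:\Users\James\AppData\Roaming\3ulxy7893UL.exe',
  '[2011/02/14 17:05:51 | 000,414,208 | ---- | C] () -- C:\Windows\System32\WgaTray.exe'
)

function ConvertFrom-OtlFileLine {
    # Parses "[date | size | RHSD flags | M/C] (company) -- path" into an object.
    param([Parameter(Mandatory)][string]$Line)
    $pattern = '^\[(?<when>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?<size>[\d,]+) \| (?<attr>[-A-Z]{4}) \| (?<kind>[MC])\] \((?<company>[^)]*)\) -- (?<path>.+)$'
    if ($Line -notmatch $pattern) { return $null }
    [pscustomobject]@{
        When    = [datetime]::ParseExact($Matches['when'], 'yyyy/MM/dd HH:mm:ss',
                    [Globalization.CultureInfo]::InvariantCulture)
        Size    = [int64]($Matches['size'] -replace ',', '')
        Hidden  = $Matches['attr'][1] -eq 'H'   # OTL flag order is R H S D
        System  = $Matches['attr'][2] -eq 'S'
        IsDir   = $Matches['attr'][3] -eq 'D'
        Company = $Matches['company']
        Path    = $Matches['path']
    }
}

function Get-OtlTriage {
    # Returns one object per line that trips at least one rule.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $e = ConvertFrom-OtlFileLine -Line $line
        if ($null -eq $e -or $e.IsDir) { continue }
        $name = [IO.Path]::GetFileName($e.Path)
        $ext  = [IO.Path]::GetExtension($e.Path).ToLowerInvariant()
        $reasons = @()

        # Rule 1: hidden executable dropped into a user-writable data directory.
        if ($e.Hidden -and ('.exe', '.dll', '.sys' -contains $ext) -and
            $e.Path -match '^[A-Z]:\\(ProgramData|Users\\[^\\]+\\AppData)\\') {
            $reasons += 'hidden executable in ProgramData/AppData'
        }
        # Rule 2: version-info company says Microsoft, but the file lives outside
        # Windows or Program Files. OTL reads that string from the PE resource,
        # which anyone can set; confirm on the live box with Get-AuthenticodeSignature.
        if ($e.Company -eq 'Microsoft Corporation' -and
            $e.Path -notmatch '^[A-Z]:\\(Windows|Program Files)') {
            $reasons += 'claims Microsoft Corporation outside Windows/Program Files'
        }
        # Rule 3: kernel driver with no company string and a short hex-only name.
        if ($ext -eq '.sys' -and $e.Company -eq '' -and
            $name -match '^[0-9A-F]{6,8}\.sys$' -and
            $e.Path -match '\\System32\\drivers\\') {
            $reasons += 'hex-named driver with no company name'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ When = $e.When; Path = $e.Path; Reasons = ($reasons -join '; ') }
        }
    }
}

Get-OtlTriage -Lines $SampleOtlLines | Format-Table -AutoSize
```

On the sample above this flags five paths: the two ProgramData executables and the two hex-named drivers that the MBAM log later in the thread quarantines, plus the hidden AppData\Roaming executable that ComboFix later deletes. hiberfil.sys (hidden and system, at the drive root), ntoskrnl.exe and WgaTray.exe are not flagged. Rule 2 is the important caveat: OTL's "(Microsoft Corporation)" is a string from the file's version resource, not a signature check, so a match is a prompt to verify, not a verdict.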

Re: Windows Recovery Virus!!! Help needed to remove

Post by Crush on Sun May 22, 2011 8:41 pm

Hi,

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log

Crush
Master

Posts : 3889
Joined : 2010-01-27
Gender : Male

Re: Windows Recovery Virus!!! Help needed to remove

Post by zhengs on Sun May 22, 2011 9:04 pm

I already used it, but it was a full scan.

Malwarebytes' Anti-Malware 1.50.1.1100
[You must be registered and logged in to see this link.]

Database version: 6641

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

5/22/2011 1:56:57 PM
mbam-log-2011-05-22 (13-56-57).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 224282
Time elapsed: 39 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kJoCBjsHlcALP (Trojan.FakeMS.Gen) -> Value: kJoCBjsHlcALP -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\programdata\kjocbjshlcalp.exe (Trojan.FakeMS.Gen) -> Quarantined and deleted successfully.
c:\Windows\System32\drivers\211FF05.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\Windows\System32\drivers\3622D08.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\Windows\System32\spool\prtprocs\w32x86\4452CF6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\System32\spool\prtprocs\w32x86\445FEF4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\James\AppData\Local\Temp\0.33437767520489514.exe (Trojan.FakeMS.Gen) -> Quarantined and deleted successfully.
c:\Users\James\AppData\Local\Temp\tmp2B80.tmp (Trojan.FakeMS.Gen) -> Quarantined and deleted successfully.
c:\Users\James\AppData\Local\Temp\tmp419F.tmp (Trojan.FakeMS.Gen) -> Quarantined and deleted successfully.
c:\Users\James\AppData\Local\Temp\tmpFEC6.tmp (Trojan.FakeMS.Gen) -> Quarantined and deleted successfully.
c:\Users\James\AppData\LocalLow\Sun\Java\deployment\cache\6.0\30\50704d9e-1d75b647 (Trojan.FakeMS.Gen) -> Quarantined and deleted successfully.
c:\Users\James\AppData\LocalLow\Sun\Java\deployment\cache\6.0\30\50704d9e-6aa7732c (Trojan.FakeMS.Gen) -> Quarantined and deleted successfully.
c:\programdata\24502008.exe (Rogue.WindowsRecoveryConsole) -> Quarantined and deleted successfully.


Re: Windows Recovery Virus!!! Help needed to remove

Post by zhengs on Sun May 22, 2011 11:32 pm

Only some desktop icons appeared back, but they are not totally visible. Also, the files and folders on my computer aren't totally visible. I have a lot of files I didn't have before on my computer.


Re: Windows Recovery Virus!!! Help needed to remove

Post by Crush on Mon May 23, 2011 2:03 am

Hi,


  • Please download and run [You must be registered and logged in to see this link.] by Grinler.
  • Double-click unhide.exe to run the program.
  • After running it, your files should reappear. Please let us know the result.

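What Crush's unhide.exe step is repairing is an attribute change, not data loss: the rogue marks the user's files, shortcuts and Start Menu folders Hidden (the OTL log shows the Desktop .lnk and the Start Menu folder with the -H flag), so Explorer stops showing them. The PowerShell below is an added example for this page that does the same repair by hand; it is not Grinler's unhide.exe and not from the thread. The roots, the skip list and the function name are assumptions. It assumes PowerShell 3.0 or later, must run elevated, and should be run with -WhatIf first.

```powershell
# Added example, not part of the original thread and not Grinler's unhide.exe:
# clears the Hidden attribute a "Windows Recovery"-style rogue sets on user
# files, while leaving genuinely hidden OS items alone.
# Assumes PowerShell 3.0 or later. Run elevated; run with -WhatIf first.

function Restore-HiddenUserFiles {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Roots are an assumption: the user profile and the all-users Start Menu,
        # which is where the OTL log shows hidden shortcuts and folders.
        [string[]]$Root = @(
            $env:USERPROFILE,
            (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu')
        )
    )
    $hidden = [IO.FileAttributes]::Hidden
    # Names that are hidden by design and must stay that way.
    $keepHidden = @('desktop.ini', 'thumbs.db', 'ntuser.dat', 'AppData', '$RECYCLE.BIN')
    $restored = New-Object System.Collections.Generic.List[string]

    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }
        Get-ChildItem -LiteralPath $r -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object {
                $a = $_.Attributes
                # Skip Hidden+System (OS-owned, hiberfil.sys style) and the
                # profile compatibility junctions, which are reparse points.
                $a.HasFlag($hidden) -and
                (-not $a.HasFlag([IO.FileAttributes]::System)) -and
                (-not $a.HasFlag([IO.FileAttributes]::ReparsePoint)) -and
                ($keepHidden -notcontains $_.Name)
            } |
            ForEach-Object {
                if ($PSCmdlet.ShouldProcess($_.FullName, 'Clear Hidden attribute')) {
                    $_.Attributes = $_.Attributes -band (-bnot $hidden)
                    $restored.Add($_.FullName)
                }
            }
    }
    return ,$restored.ToArray()
}

# Dry run first; the real pass returns the list of paths it changed.
Restore-HiddenUserFiles -WhatIf
# Restore-HiddenUserFiles | Measure-Object
```

The Hidden+System exclusion is the check worth keeping: files that carry both flags (hiberfil.sys, pagefile.sys, desktop.ini) are hidden by the OS, and the rogue in this thread only set Hidden, so the filter separates its damage from normal state. The cost of the approach is that an application folder that was hidden by design before the infection (some caches under AppData) becomes visible too, which is cosmetic.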

Re: Windows Recovery Virus!!! Help needed to remove

Post by zhengs on Mon May 23, 2011 2:24 am

My desktop icons are all back to normal. I don't know, but I have a lot of files and folders on my local disk that I didn't have before the virus got to my computer. My local disk is filled with all kinds of folders and files, some of which appeared that I deleted a long time ago? So I'm guessing they came from the virus? Also, why is there a lock on the folder called Documents and Settings? And it wouldn't let me open the folder. For some reason, my internet seems to be much slower too. Whenever I search something on Google, it takes me to a different link. Then the link will always ask me if I want to install something that I didn't click anything to install.


Re: Windows Recovery Virus!!! Help needed to remove

Post by Crush on Mon May 23, 2011 3:11 am

Hi,

Let's see what this picks up

Please download ComboFix from [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]


Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found [You must be registered and logged in to see this link.]
  • Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.


Re: Windows Recovery Virus!!! Help needed to remove

Post by zhengs on Mon May 23, 2011 4:07 am

Just finished the scan. I'm very tired, so I'm going to do this tomorrow. Just reply back and tell me what to do, and I'll do it tomorrow. Thanks!

ComboFix 11-05-21.03 - James 05/22/2011 23:44:07.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3062.1690 [GMT -4:00]
Running from: c:\users\James\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\CFLog
c:\users\James\AppData\Local\TempDIR
c:\users\James\AppData\Roaming\3ulxy7893UL.exe
c:\users\James\AppData\Roaming\FFSJ
c:\users\James\AppData\Roaming\FFSJ\FFSJ.cfg
.
.
((((((((((((((((((((((((( Files Created from 2011-04-23 to 2011-05-23 )))))))))))))))))))))))))))))))
.
.
2011-05-22 22:29 . 2011-05-22 22:29 -------- d-----w- c:\programdata\PC Tools
2011-05-16 20:09 . 2011-05-16 20:09 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-11 00:15 . 2011-04-09 06:02 3967872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-05-11 00:15 . 2011-04-09 05:56 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-05-11 00:15 . 2011-04-09 06:02 3912576 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-05-07 05:27 . 2011-05-07 05:27 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-05-07 05:27 . 2011-05-07 05:27 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-05-07 05:27 . 2011-05-07 05:27 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-05-07 05:27 . 2011-05-07 05:27 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-05-07 05:27 . 2011-05-07 05:27 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-05-07 05:27 . 2011-05-07 05:27 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-05-07 05:27 . 2011-05-07 05:27 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-05-07 05:27 . 2011-05-07 05:27 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-04-30 03:23 . 2011-04-30 03:23 -------- d-----w- c:\users\James\AppData\Local\ElevatedDiagnostics
2011-04-26 23:02 . 2011-05-22 23:36 -------- d-----w- c:\program files\World of Warcraft
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-11 05:33 . 2011-04-12 20:09 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-11 05:33 . 2011-04-12 20:09 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-03-08 05:28 . 2011-04-12 20:08 741376 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 05:38 . 2011-04-12 20:08 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-03-03 05:36 . 2011-04-12 20:08 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-03-03 03:42 . 2011-04-12 20:08 2333184 ----a-w- c:\windows\system32\win32k.sys
2011-02-23 04:48 . 2011-04-12 20:08 311808 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-23 04:48 . 2011-04-12 20:08 310272 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-02-23 04:47 . 2011-04-12 20:08 114176 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-02-23 04:47 . 2011-04-12 20:08 223232 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-02-23 04:47 . 2011-04-12 20:08 96768 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-02-23 04:47 . 2011-04-12 20:08 123904 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-23 04:47 . 2011-04-12 20:08 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-02-23 04:26 . 2011-02-23 03:33 811520 ----a-w- c:\windows\system32\user32.dll
2011-02-23 03:41 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-05-07 05:27 . 2011-05-07 05:27 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
.
[-] 2011-02-23 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7601.17514] . . c:\windows\System32\user32.dll
[7] 2010-11-20 . F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 . 811520 . . [6.1.7601.17514] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKLM\~\startupfolder\C:^Users^James^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^CurseClientStartup.ccip]
path=c:\users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip
backup=c:\windows\pss\CurseClientStartup.ccip.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-09-23 23:30 173592 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-09-23 23:30 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-12-20 23:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2010-12-20 23:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-09-23 23:30 150552 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-11-18 00:40 1242448 ----a-w- c:\program files\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 GGSAFERDriver;GGSAFER Driver;c:\program files\Garena\safedrv.sys [x]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2010-05-31 6638080]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2010-10-21 4093392]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;WatAdminSvc;c:\windows\system32\Wat\WatAdminSvc.exe [2010-07-31 1343400]
R3 XDva379;XDva379;c:\windows\system32\XDva379.sys [x]
R3 XDva380;XDva380;c:\windows\system32\XDva380.sys [x]
R3 XDva383;XDva383;c:\windows\system32\XDva383.sys [x]
R3 XDva384;XDva384;c:\windows\system32\XDva384.sys [x]
R3 XDva385;XDva385;c:\windows\system32\XDva385.sys [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-11-21 691696]
S3 NETwLv32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETwLv32.sys [2010-08-16 6637056]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [2007-08-03 9344]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]
.
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
Trusted Zone: pps.tv
Trusted Zone: ppstream.com
Trusted Zone: webscache.com
FF - ProfilePath - c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\z4dfk4n4.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -
.
Notify-WgaLogon - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-05-22 23:50:06
ComboFix-quarantined-files.txt 2011-05-23 03:50
.
Pre-Run: 182,745,776,128 bytes free
Post-Run: 182,437,625,856 bytes free
.
- - End Of File - - 04572B8B5B84C92A0130551006822D5E

zhengs
Senior
Senior

Status :
Online
Offline

Posts : 228
Joined : 2009-01-02
Gender : Male
OS : Windows Vista

View user profile

Back to top Go down

Re: Windows Recovery Virus!!! Help needed to remove

Post by Crush on Mon May 23, 2011 6:07 am

Hi,

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    FCopy::
    c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll | c:\windows\System32\user32.dll
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


Crush
Master
Master

Status :
Online
Offline

Posts : 3889
Joined : 2010-01-27
Gender : Male

View user profile

Back to top Go down

Re: Windows Recovery Virus!!! Help needed to remove

Post by zhengs on Tue May 24, 2011 2:15 am

I'm sorry for taking so long. I was busy today, but did what you told me to do.

10:14 PM 5/23/2011
ComboFix 11-05-23.02 - James 05/23/2011 16:08:49.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3062.2204 [GMT -4:00]
Running from: c:\users\James\Downloads\ComboFix.exe
Command switches used :: c:\users\James\Downloads\CFScript.txt
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll --> c:\windows\System32\user32.dll
.
((((((((((((((((((((((((( Files Created from 2011-04-23 to 2011-05-23 )))))))))))))))))))))))))))))))
.
.
2011-05-23 20:12 . 2011-05-23 20:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-23 03:50 . 2011-05-23 20:12 -------- d-----w- c:\users\James\AppData\Local\temp
2011-05-22 22:29 . 2011-05-22 22:29 -------- d-----w- c:\programdata\PC Tools
2011-05-16 20:09 . 2011-05-16 20:09 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-11 00:15 . 2011-04-09 06:02 3967872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-05-11 00:15 . 2011-04-09 05:56 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-05-11 00:15 . 2011-04-09 06:02 3912576 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-05-07 05:27 . 2011-05-07 05:27 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-05-07 05:27 . 2011-05-07 05:27 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-05-07 05:27 . 2011-05-07 05:27 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-05-07 05:27 . 2011-05-07 05:27 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-05-07 05:27 . 2011-05-07 05:27 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-05-07 05:27 . 2011-05-07 05:27 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-05-07 05:27 . 2011-05-07 05:27 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-05-07 05:27 . 2011-05-07 05:27 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-04-30 03:23 . 2011-04-30 03:23 -------- d-----w- c:\users\James\AppData\Local\ElevatedDiagnostics
2011-04-26 23:02 . 2011-05-22 23:36 -------- d-----w- c:\program files\World of Warcraft
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-11 05:33 . 2011-04-12 20:09 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-11 05:33 . 2011-04-12 20:09 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-03-08 05:28 . 2011-04-12 20:08 741376 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 05:38 . 2011-04-12 20:08 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-03-03 05:36 . 2011-04-12 20:08 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-03-03 03:42 . 2011-04-12 20:08 2333184 ----a-w- c:\windows\system32\win32k.sys
2011-02-23 04:48 . 2011-04-12 20:08 311808 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-23 04:48 . 2011-04-12 20:08 310272 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-02-23 04:47 . 2011-04-12 20:08 114176 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-02-23 04:47 . 2011-04-12 20:08 223232 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-02-23 04:47 . 2011-04-12 20:08 96768 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-02-23 04:47 . 2011-04-12 20:08 123904 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-23 04:47 . 2011-04-12 20:08 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-02-23 03:41 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-05-07 05:27 . 2011-05-07 05:27 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKLM\~\startupfolder\C:^Users^James^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^CurseClientStartup.ccip]
path=c:\users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip
backup=c:\windows\pss\CurseClientStartup.ccip.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-09-23 23:30 173592 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-09-23 23:30 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-12-20 23:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2010-12-20 23:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-09-23 23:30 150552 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-11-18 00:40 1242448 ----a-w- c:\program files\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 GGSAFERDriver;GGSAFER Driver;c:\program files\Garena\safedrv.sys [x]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2010-05-31 6638080]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2010-10-21 4093392]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;WatAdminSvc;c:\windows\system32\Wat\WatAdminSvc.exe [2010-07-31 1343400]
R3 XDva379;XDva379;c:\windows\system32\XDva379.sys [x]
R3 XDva380;XDva380;c:\windows\system32\XDva380.sys [x]
R3 XDva383;XDva383;c:\windows\system32\XDva383.sys [x]
R3 XDva384;XDva384;c:\windows\system32\XDva384.sys [x]
R3 XDva385;XDva385;c:\windows\system32\XDva385.sys [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-11-21 691696]
S3 NETwLv32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETwLv32.sys [2010-08-16 6637056]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [2007-08-03 9344]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]
.
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
Trusted Zone: pps.tv
Trusted Zone: ppstream.com
Trusted Zone: webscache.com
FF - ProfilePath - c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\z4dfk4n4.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-05-23 16:14:06
ComboFix-quarantined-files.txt 2011-05-23 20:14
ComboFix2.txt 2011-05-23 03:50
.
Pre-Run: 182,595,346,432 bytes free
Post-Run: 182,553,120,768 bytes free
.
- - End Of File - - 521666C6278B3F27898BD9E1FF013FA4


Re: Windows Recovery Virus!!! Help needed to remove

Post by Crush on Tue May 24, 2011 5:00 am

Hi,

How are things running now?


Re: Windows Recovery Virus!!! Help needed to remove

Post by zhengs on Tue May 24, 2011 5:03 am

Nothing changed, still the same problems listed above.


Re: Windows Recovery Virus!!! Help needed to remove

Post by Crush on Tue May 24, 2011 4:53 pm

Hi,

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM log.


Re: Windows Recovery Virus!!! Help needed to remove

Post by zhengs on Tue May 24, 2011 8:08 pm

Malwarebytes' Anti-Malware 1.50.1.1100
[You must be registered and logged in to see this link.]

Database version: 6665

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

5/24/2011 4:06:42 PM
mbam-log-2011-05-24 (16-06-42).txt

Scan type: Quick scan
Objects scanned: 141339
Time elapsed: 3 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: Windows Recovery Virus!!! Help needed to remove

Post by zhengs on Tue May 24, 2011 8:18 pm

The virus might have gone away. The problem is that my computer is filled with junk that I maybe deleted a long time ago, and it came back? Junk like folders, files, and many other things on the computer, making it really slow. I believe the virus caused this, and there are some folders I can't access. It says the location is not available, access is denied.


Re: Windows Recovery Virus!!! Help needed to remove

Post by Crush on Tue May 24, 2011 9:40 pm

Can you post a new OTL log please?


Re: Windows Recovery Virus!!! Help needed to remove

Post by zhengs on Tue May 24, 2011 10:02 pm

OTL logfile created on: 5/24/2011 5:57:18 PM - Run 2
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Users\James\Downloads
Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.99 Gb Total Physical Memory | 2.16 Gb Available Physical Memory | 72.22% Memory free
5.98 Gb Paging File | 5.08 Gb Available in Paging File | 84.91% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 224.74 Gb Total Space | 170.01 Gb Free Space | 75.65% Space Free | Partition Type: NTFS

Computer Name: JAMES-PC | User Name: James | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/24 17:56:33 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\James\Downloads\OTL.com
PRC - [2011/05/07 01:27:39 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/11/20 08:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010/11/20 08:17:09 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/05/24 17:56:33 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\James\Downloads\OTL.com
MOD - [2010/11/20 07:55:09 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
MOD - [2009/07/13 21:15:48 | 000,035,328 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mssprxy.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/05/17 16:50:01 | 000,403,240 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/10/21 15:16:50 | 004,093,392 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\Windows\System32\GameMon.des -- (npggsvc)
SRV - [2010/07/31 02:37:42 | 001,343,400 | ---- | M] () [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2009/07/13 21:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 21:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 21:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - [2010/11/21 01:12:44 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2010/11/20 08:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\vmbus.sys -- (vmbus)
DRV - [2010/11/20 08:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010/11/20 08:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\storvsc.sys -- (storvsc)
DRV - [2010/11/20 06:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 06:21:14 | 000,015,872 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV - [2010/11/20 05:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010/11/20 05:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\vms3cap.sys -- (s3cap)
DRV - [2010/08/16 10:26:29 | 006,637,056 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETwLv32.sys -- (NETwLv32) Intel(R)
DRV - [2010/05/31 14:58:33 | 006,638,080 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw5v32.sys -- (netw5v32) Intel(R)
DRV - [2009/07/13 19:45:33 | 000,083,456 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\serial.sys -- (Serial)
DRV - [2009/07/13 18:02:53 | 000,311,296 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\yk62x86.sys -- (yukonw7)
DRV - [2007/08/03 05:36:10 | 000,009,344 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SFEP.sys -- (SFEP)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 7F 7A 2E 15 46 30 CB 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..keyword.URL: "http://www.bing.com/search?pc=Z007&form=ZGAADF&q="

FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/07 01:27:42 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/07 01:27:42 | 000,000,000 | ---D | M]

[2010/07/30 20:08:55 | 000,000,000 | ---D | M] (No name found) -- C:\Users\James\AppData\Roaming\Mozilla\Extensions
[2011/05/07 01:27:45 | 000,000,000 | ---D | M] (No name found) -- C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\z4dfk4n4.default\extensions
[2011/04/03 15:24:31 | 000,001,919 | ---- | M] () -- C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\z4dfk4n4.default\searchplugins\bing-zugo.xml
[2011/04/18 16:18:45 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/30 23:41:22 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
File not found (No name found) --
[2011/05/07 01:27:39 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2010/07/30 23:41:06 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2011/05/07 01:27:41 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/05/22 23:48:40 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKCU\..Trusted Domains: pps.tv ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: ppstream.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: webscache.com ([]http in Trusted sites)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/23 16:14:08 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/05/23 16:13:36 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/05/22 23:50:08 | 000,000,000 | ---D | C] -- C:\Users\James\AppData\Local\temp
[2011/05/22 23:43:01 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/05/22 18:29:27 | 000,000,000 | ---D | C] -- C:\ProgramData\PC Tools
[2011/05/22 11:09:25 | 000,000,000 | ---D | C] -- C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 Recovery
[2011/05/16 16:09:02 | 000,404,640 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2011/05/10 20:15:21 | 003,967,872 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2011/05/10 20:15:21 | 000,123,904 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\poqexec.exe
[2011/05/10 20:15:20 | 003,912,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2011/05/01 18:29:00 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\Blizzard Entertainment
[2011/04/29 23:23:10 | 000,000,000 | ---D | C] -- C:\Users\James\AppData\Local\ElevatedDiagnostics
[2011/04/26 19:02:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\World of Warcraft
[2011/04/26 19:02:40 | 000,000,000 | ---D | C] -- C:\Program Files\World of Warcraft
[2011/04/19 00:25:04 | 001,654,869 | ---- | C] (Dynu Systems Inc.) -- C:\ProgramData\DynuEncrypt.dll
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/24 16:01:27 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/05/24 16:01:25 | 2408,390,656 | -HS- | M] () -- C:\hiberfil.sys
[2011/05/23 00:32:00 | 000,022,864 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/05/23 00:32:00 | 000,022,864 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/05/22 23:48:40 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/05/22 11:09:27 | 000,000,144 | ---- | M] () -- C:\ProgramData\~24502008r
[2011/05/22 11:09:27 | 000,000,120 | ---- | M] () -- C:\ProgramData\~24502008
[2011/05/22 11:09:03 | 000,000,344 | ---- | M] () -- C:\ProgramData\24502008
[2011/05/16 16:09:02 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2011/05/12 00:34:23 | 000,000,929 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2011/05/07 01:27:49 | 000,002,002 | ---- | M] () -- C:\Users\James\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/04/26 23:22:53 | 000,632,946 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/04/26 23:22:53 | 000,110,548 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/04/26 22:27:00 | 000,000,998 | ---- | M] () -- C:\Users\Public\Desktop\World of Warcraft.lnk
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/22 23:46:13 | 000,001,515 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
[2011/05/22 23:46:13 | 000,001,345 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
[2011/05/22 23:46:13 | 000,001,326 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
[2011/05/22 23:46:13 | 000,001,246 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
[2011/05/22 23:46:13 | 000,001,210 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
[2011/05/22 23:46:13 | 000,001,072 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2011/05/22 22:12:23 | 000,001,889 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2011/05/22 22:12:23 | 000,001,551 | ---- | C] () -- C:\Users\Public\Desktop\Play League of Legends.lnk
[2011/05/22 22:12:23 | 000,001,118 | ---- | C] () -- C:\Users\Public\Desktop\Game Booster.lnk
[2011/05/22 22:12:23 | 000,000,998 | ---- | C] () -- C:\Users\Public\Desktop\World of Warcraft.lnk
[2011/05/22 22:12:23 | 000,000,983 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/05/22 22:12:23 | 000,000,929 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2011/05/22 22:12:23 | 000,000,875 | ---- | C] () -- C:\Users\Public\Desktop\Steam.lnk
[2011/05/22 11:09:27 | 000,000,144 | ---- | C] () -- C:\ProgramData\~24502008r
[2011/05/22 11:09:27 | 000,000,120 | ---- | C] () -- C:\ProgramData\~24502008
[2011/05/22 11:09:03 | 000,000,344 | ---- | C] () -- C:\ProgramData\24502008
[2011/04/18 16:09:34 | 000,000,375 | ---- | C] () -- C:\Program Files\U_LUNIA_setup.exe.bfi
[2011/02/22 23:34:11 | 000,080,896 | ---- | C] () -- C:\Windows\System32\RDVGHelper.exe
[2011/02/22 23:33:01 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2011/02/18 22:17:24 | 000,018,760 | ---- | C] () -- C:\Windows\System32\QQVistaHelper.dll
[2011/02/14 17:05:55 | 001,481,728 | ---- | C] () -- C:\Windows\System32\LegitCheckControl.dll
[2011/02/14 17:05:51 | 000,414,208 | ---- | C] () -- C:\Windows\System32\WgaTray.exe
[2011/02/14 17:05:51 | 000,190,976 | ---- | C] () -- C:\Windows\System32\WgaLogon.dll
[2010/11/21 01:21:47 | 000,055,149 | ---- | C] () -- C:\Windows\War3Unin.dat
[2010/11/15 00:22:19 | 000,000,268 | ---- | C] () -- C:\Program Files\data3.cab.bfi
[2010/11/15 00:22:15 | 000,000,186 | ---- | C] () -- C:\Program Files\setup.inx.bfi
[2010/11/15 00:22:12 | 000,000,186 | ---- | C] () -- C:\Program Files\setup.ini.bfi
[2010/11/15 00:22:09 | 000,000,187 | ---- | C] () -- C:\Program Files\layout.bin.bfi
[2010/11/15 00:22:05 | 000,000,188 | ---- | C] () -- C:\Program Files\ISSetup.dll.bfi
[2010/11/15 00:22:01 | 000,000,186 | ---- | C] () -- C:\Program Files\data1.hdr.bfi
[2010/11/15 00:21:56 | 000,000,186 | ---- | C] () -- C:\Program Files\data1.cab.bfi
[2010/11/15 00:21:52 | 000,000,187 | ---- | C] () -- C:\Program Files\_Setup.dll.bfi
[2010/11/14 19:53:22 | 000,000,279 | ---- | C] () -- C:\Program Files\data2.cab.bfi
[2010/11/14 19:53:08 | 000,000,186 | ---- | C] () -- C:\Program Files\setup.exe.bfi
[2010/10/24 23:02:34 | 000,000,093 | ---- | C] () -- C:\Users\James\AppData\Local\fusioncache.dat
[2010/09/01 14:43:09 | 000,886,272 | ---- | C] () -- C:\Users\James\AppData\Roaming\System.Data.SQLite.DLL
[2009/09/23 19:16:08 | 002,050,952 | ---- | C] () -- C:\Windows\System32\igkrng400.bin
[2009/07/14 00:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/14 00:33:53 | 000,266,808 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/07/13 22:05:48 | 000,632,946 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2009/07/13 22:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2009/07/13 22:05:48 | 000,110,548 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2009/07/13 22:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2009/07/13 22:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2009/07/13 22:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2009/07/13 19:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 19:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/07/08 21:03:02 | 000,058,880 | ---- | C] () -- C:\Windows\System32\bdmpegv.dll
[2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

========== Files - Unicode (All) ==========
[2011/02/18 23:28:09 | 000,000,000 | ---D | M](C:\Users\James\AppData\Roaming\????) -- C:\Users\James\AppData\Roaming\腾讯游戏

========== Alternate Data Streams ==========

@Alternate Data Stream - 117 bytes -> C:\ProgramData\TEMP:2B11E0DF

< End of report >

zhengs | Senior | Posts : 228 | Joined : 2009-01-02 | Gender : Male | OS : Windows Vista

Re: Windows Recovery Virus!!! Help needed to remove

Post by zhengs on Tue May 24, 2011 11:47 pm

I'll show a picture. I bet it's the main reason my computer is very slow right now; too many folders, files, etc. Some of the stuff I can't get rid of because it says access denied even though I'm logged in as administrator.

[You must be registered and logged in to see this link.]



Re: Windows Recovery Virus!!! Help needed to remove

Post by Crush on Wed May 25, 2011 2:50 am

Hi,

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :OTL
    [2011/05/22 11:09:27 | 000,000,144 | ---- | C] () -- C:\ProgramData\~24502008r
    [2011/05/22 11:09:27 | 000,000,120 | ---- | C] () -- C:\ProgramData\~24502008
    [2011/05/22 11:09:03 | 000,000,344 | ---- | C] () -- C:\ProgramData\24502008

    :Commands
    [purity]


  • Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Crush | Master | Posts : 3889 | Joined : 2010-01-27 | Gender : Male

Re: Windows Recovery Virus!!! Help needed to remove

Post by zhengs on Wed May 25, 2011 3:31 am

========== OTL ==========
C:\ProgramData\~24502008r moved successfully.
C:\ProgramData\~24502008 moved successfully.
C:\ProgramData\24502008 moved successfully.
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.23.0 log created on 05242011_233041


Re: Windows Recovery Virus!!! Help needed to remove

Post by Crush on Wed May 25, 2011 3:21 pm

Has that changed anything?


Re: Windows Recovery Virus!!! Help needed to remove

Post by zhengs on Wed May 25, 2011 8:01 pm

Nope, there are still a lot of folders and files.


Re: Windows Recovery Virus!!! Help needed to remove

Post by Crush on Thu May 26, 2011 12:44 am

Run ComboFix once more, please.


Re: Windows Recovery Virus!!! Help needed to remove

Post by zhengs on Thu May 26, 2011 1:33 am

Do you know if there is any way to restore the stuff I had from before I got that virus?

ComboFix 11-05-25.01 - James 05/25/2011 21:25:59.3.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3062.2142 [GMT -4:00]
Running from: c:\users\James\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-04-26 to 2011-05-26 )))))))))))))))))))))))))))))))
.
.
2011-05-22 22:29 . 2011-05-22 22:29 -------- d-----w- c:\programdata\PC Tools
2011-05-16 20:09 . 2011-05-16 20:09 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-11 00:15 . 2011-04-09 06:02 3967872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-05-11 00:15 . 2011-04-09 05:56 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-05-11 00:15 . 2011-04-09 06:02 3912576 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-05-07 05:27 . 2011-05-07 05:27 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-05-07 05:27 . 2011-05-07 05:27 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-05-07 05:27 . 2011-05-07 05:27 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-05-07 05:27 . 2011-05-07 05:27 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-05-07 05:27 . 2011-05-07 05:27 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-05-07 05:27 . 2011-05-07 05:27 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-05-07 05:27 . 2011-05-07 05:27 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-05-07 05:27 . 2011-05-07 05:27 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-04-30 03:23 . 2011-04-30 03:23 -------- d-----w- c:\users\James\AppData\Local\ElevatedDiagnostics
2011-04-26 23:02 . 2011-05-22 23:36 -------- d-----w- c:\program files\World of Warcraft
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-11 05:33 . 2011-04-12 20:09 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-11 05:33 . 2011-04-12 20:09 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-03-08 05:28 . 2011-04-12 20:08 741376 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 05:38 . 2011-04-12 20:08 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-03-03 05:36 . 2011-04-12 20:08 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-03-03 03:42 . 2011-04-12 20:08 2333184 ----a-w- c:\windows\system32\win32k.sys
2011-05-07 05:27 . 2011-05-07 05:27 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKLM\~\startupfolder\C:^Users^James^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^CurseClientStartup.ccip]
path=c:\users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip
backup=c:\windows\pss\CurseClientStartup.ccip.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-09-23 23:30 173592 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-09-23 23:30 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-12-20 22:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2010-12-20 22:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-09-23 23:30 150552 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-11-18 00:40 1242448 ----a-w- c:\program files\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 GGSAFERDriver;GGSAFER Driver;c:\program files\Garena\safedrv.sys [x]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2010-05-31 6638080]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2010-10-21 4093392]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;WatAdminSvc;c:\windows\system32\Wat\WatAdminSvc.exe [2010-07-31 1343400]
R3 XDva379;XDva379;c:\windows\system32\XDva379.sys [x]
R3 XDva380;XDva380;c:\windows\system32\XDva380.sys [x]
R3 XDva383;XDva383;c:\windows\system32\XDva383.sys [x]
R3 XDva384;XDva384;c:\windows\system32\XDva384.sys [x]
R3 XDva385;XDva385;c:\windows\system32\XDva385.sys [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-11-21 691696]
S3 NETwLv32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETwLv32.sys [2010-08-16 6637056]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [2007-08-03 9344]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]
.
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
Trusted Zone: pps.tv
Trusted Zone: ppstream.com
Trusted Zone: webscache.com
FF - ProfilePath - c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\z4dfk4n4.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-05-25 21:32:38
ComboFix-quarantined-files.txt 2011-05-26 01:32
.
Pre-Run: 182,362,046,464 bytes free
Post-Run: 182,323,998,720 bytes free
.
- - End Of File - - 3D8C4AE26F098942161AD6C2F29AC5EC


Re: Windows Recovery Virus!!! Help needed to remove

Post by Crush on Thu May 26, 2011 3:18 am

What do you mean by that?


Re: Windows Recovery Virus!!! Help needed to remove

Post by zhengs on Thu May 26, 2011 4:09 am

Remember the picture I showed you? When I go into my Local Disk (C:), it didn't look like that. It was normal until I got that Windows Recovery on my computer, which maybe created those files, folders, and those locks on them. I was wondering if there is any way I can get it back to how it looked before that picture. Some of the folders, files, etc. have like locks on them, which I don't even know why. Let's say I google "GeekPolice" and I click on one of the links shown. Instead of taking me to the website, it totally takes me to a different website, like this one: [You must be registered and logged in to see this link.]

Somehow it takes me pretty long to get to a website, which loads pretty slowly. It wasn't like this before. I've got a question: is the virus even removed? If you can't help me, I'll just go reinstall Windows 7 and re-download all the programs and software I had on my computer. That, I think, is the best way to restore everything back the way I had it.


Re: Windows Recovery Virus!!! Help needed to remove

Post by Crush on Fri May 27, 2011 12:36 am

Hi,


  • Download [You must be registered and logged in to see this link.] and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply.
Note: It will also create a log in the C:\ directory.


Re: Windows Recovery Virus!!! Help needed to remove

Post by zhengs on Fri May 27, 2011 2:21 am

Nothing happens when I double click on TDSSKiller.exe


Re: Windows Recovery Virus!!! Help needed to remove

Post by zhengs on Sat May 28, 2011 5:05 am

bump. no reply for 2 days....


Re: Windows Recovery Virus!!! Help needed to remove

Post by Kenny94 on Sat May 28, 2011 8:16 pm

Hi zhengs,

Crush is helping another helper that is on vacation.

Okay, right-click TDSSKiller and select Run As Administrator. Copy/paste the contents of it into your next reply.


Kenny94 | Tech Officer | Posts : 2019 | Joined : 2010-04-22 | Gender : Male | OS : Windows 7

Re: Windows Recovery Virus!!! Help needed to remove

Post by zhengs on Sun May 29, 2011 3:04 am

[You must be registered and logged in to see this link.] wrote: Hi zhengs,

Crush is helping another helper that is on vacation.

Okay, right-click TDSSKiller and select Run As Administrator. Copy/paste the contents of it into your next reply.


Did that too and didn't do anything.


Re: Windows Recovery Virus!!! Help needed to remove

Post by Kenny94 on Sun May 29, 2011 4:28 am

Right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (Example: puppy.com). If you do not see the file extension, please refer to: [You must be registered and logged in to see this link.]


  • Then click the Start Scan button.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply.
Note: It will also create a log in the C:\ directory.

Next


ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You may, however, need to disable your currently installed anti-virus; how to do so can be read [You must be registered and logged in to see this link.].


  • Please go [You must be registered and logged in to see this link.] then click on:
  • Select the option YES, I accept the Terms of Use then click on:
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:


    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Now click on:
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
  • Now click on:
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


In your next reply, please include these log(s):

1. TDSSKiller report
2. ESET Online report



Re: Windows Recovery Virus!!! Help needed to remove

Post by zhengs on Sun May 29, 2011 5:35 am

Right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (Example: puppy.com). If you do not see the file extension, please refer to: [You must be registered and logged in to see this link.]


  • Then click the Start Scan button.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply.
Note: It will also create a log in the C:\ directory.

Still doesn't work.


Last edited by zhengs on Sun May 29, 2011 5:53 am; edited 1 time in total


Re: Windows Recovery Virus!!! Help needed to remove

Post by Kenny94 on Sun May 29, 2011 5:51 am

TDSSKiller is giving us a hard time. There's a good chance your PC policies have been affected by malware.


  • Download [You must be registered and logged in to see this link.] by Bill Castner and save it to your desktop.
  • Right-click on FixPolicies.exe & select RUN AS ADMINISTRATOR
  • Click on Install. It will create a folder named FixPolicies on your desktop.
  • Open the FixPolicies folder.
  • Double-click on Fix_policies.cmd to run it. Command Prompt will open and close quickly; this is normal.
  • Reboot your computer after it runs


Next

Drag the TDSSKiller icon into the recycle bin. Download a fresh copy. Run TDSSKiller as in my previous post. Run ESET Online Scanner next, even if you can't run TDSSKiller.

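The post above works from the hypothesis that a security tool which "does nothing" when launched has been blocked by a tampered execution policy, and it repairs that with FixPolicies. As an added, read-only illustration (not from this thread and not what FixPolicies itself does), the PowerShell below lists the three registry locations that are most commonly used to stop an executable from starting: Image File Execution Options "Debugger" entries (Windows launches the named debugger instead of the program), the Explorer DisallowRun policy list, and the Software Restriction Policies default level. The choice of these three locations is the editor's assumption about what is worth checking first; the script changes nothing and only reports what it finds.

```powershell
# Added example: inspect policy locations that can silently block an executable.
# Read-only. Run from an elevated PowerShell so HKLM is fully readable.
$findings = @()

# 1. Image File Execution Options: a "Debugger" value under a key named after an
#    executable makes Windows start that debugger in place of the executable.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($key in (Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue)) {
    $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $findings += [pscustomobject]@{ Check = 'IFEO Debugger'; Item = $key.PSChildName; Value = $dbg }
    }
}

# 2. Explorer DisallowRun policy: when DisallowRun=1, the shell refuses to start
#    any program whose file name appears in the DisallowRun subkey.
$explorerPol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$disallow = (Get-ItemProperty -Path $explorerPol -Name DisallowRun -ErrorAction SilentlyContinue).DisallowRun
if ($disallow -eq 1) {
    $list = Get-Item -Path "$explorerPol\DisallowRun" -ErrorAction SilentlyContinue
    if ($list) {
        foreach ($name in $list.GetValueNames()) {
            $findings += [pscustomobject]@{ Check = 'DisallowRun'; Item = $name; Value = $list.GetValue($name) }
        }
    }
}

# 3. Software Restriction Policies: DefaultLevel 0 (Disallowed) blocks everything
#    that is not explicitly allowed by a rule; 0x40000 (Unrestricted) is the default.
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$level = (Get-ItemProperty -Path $safer -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
if ($null -ne $level) {
    $findings += [pscustomobject]@{ Check = 'SRP DefaultLevel'; Item = $safer; Value = ('0x{0:X}' -f $level) }
}

if ($findings.Count -eq 0) {
    'No execution-blocking policies found in the checked locations.'
} else {
    $findings | Format-Table -AutoSize
}
```

A legitimate IFEO Debugger entry does exist on some machines (developer tools register them), so a hit is a lead to verify, not proof of tampering; an entry whose debugger path points at a file in a temp or profile folder is the pattern worth following up.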

Re: Windows Recovery Virus!!! Help needed to remove

Post by zhengs on Sun May 29, 2011 7:19 am

Nothing happened when I ran TDSSKiller after the reboot.

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=7179bbf29e298d4a9226c5b68864d184
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-05-29 06:56:58
# local_time=2011-05-29 02:56:58 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=5893 16776573 100 94 7296061 58193272 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=109889
# found=19
# cleaned=0
# scan_time=3737
C:\Documents and Settings\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\649294e6-71055772 multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\58ec35a7-39982b61 a variant of Java/Exploit.CVE-2010-4452.A trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\b692329-177627f6 multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\474f9daa-227fa994 multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\4c81ed73-73050f42 probably a variant of Java/Agent.BR trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\32171ff4-625267dd multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\3e8b0db5-12c91330 Java/TrojanDownloader.Agent.NCA trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\3e8b0db5-23bf33ce Java/TrojanDownloader.Agent.NCA trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\4425dafa-1c19fe4c multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\649294e6-71055772 multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\58ec35a7-39982b61 a variant of Java/Exploit.CVE-2010-4452.A trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\b692329-177627f6 multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\474f9daa-227fa994 multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\4c81ed73-73050f42 probably a variant of Java/Agent.BR trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\32171ff4-625267dd multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\3e8b0db5-12c91330 Java/TrojanDownloader.Agent.NCA trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\3e8b0db5-23bf33ce Java/TrojanDownloader.Agent.NCA trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\4425dafa-1c19fe4c multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Users\James\Downloads\FDMSetup.exe a variant of Win32/Adware.HotBar.H application (unable to clean) 00000000000000000000000000000000 I


Re: Windows Recovery Virus!!! Help needed to remove

Post by Kenny94 on Sun May 29, 2011 1:00 pm

Hi,

I'll be busy for the next few days, when I get back we'll finish up. Your PC is safe to surf the net until then.

Run OTL.exe

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL

    :files
    C:\Documents and Settings\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\649294e6-71055772
    C:\Documents and Settings\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\58ec35a7-39982b61   
    C:\Documents and Settings\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\b692329-177627f6   
    C:\Documents and Settings\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\474f9daa-227fa994
    C:\Documents and Settings\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\4c81ed73-73050f42
    C:\Documents and Settings\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\32171ff4-625267dd
    C:\Documents and Settings\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\3e8b0db5-23bf33ce
    C:\Documents and Settings\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\4425dafa-1c19fe4c
    C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\649294e6-71055772
    C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\58ec35a7-39982b61   
    C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\b692329-177627f6   
    C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\474f9daa-227fa994
    C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\4c81ed73-73050f42
    C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\32171ff4-625267dd
    C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\3e8b0db5-12c91330
    C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\3e8b0db5-23bf33ce
    C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\4425dafa-1c19fe4c
    C:\Users\James\Downloads\FDMSetup.exe   
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done.


Post resulting log.


Re: Windows Recovery Virus!!! Help needed to remove

Post by zhengs on Sun May 29, 2011 8:06 pm

All processes killed
========== OTL ==========
========== FILES ==========
C:\Documents and Settings\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\649294e6-71055772 moved successfully.
C:\Documents and Settings\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\58ec35a7-39982b61 moved successfully.
C:\Documents and Settings\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\b692329-177627f6 moved successfully.
C:\Documents and Settings\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\474f9daa-227fa994 moved successfully.
C:\Documents and Settings\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\4c81ed73-73050f42 moved successfully.
C:\Documents and Settings\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\32171ff4-625267dd moved successfully.
C:\Documents and Settings\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\3e8b0db5-23bf33ce moved successfully.
C:\Documents and Settings\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\4425dafa-1c19fe4c moved successfully.
File\Folder C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\649294e6-71055772 not found.
File\Folder C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\58ec35a7-39982b61 not found.
File\Folder C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\b692329-177627f6 not found.
File\Folder C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\474f9daa-227fa994 not found.
File\Folder C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\4c81ed73-73050f42 not found.
File\Folder C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\32171ff4-625267dd not found.
C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\3e8b0db5-12c91330 moved successfully.
File\Folder C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\3e8b0db5-23bf33ce not found.
File\Folder C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\4425dafa-1c19fe4c not found.
File\Folder C:\Users\James\Downloads\FDMSetup.exe not found.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\James\Downloads\cmd.bat deleted successfully.
C:\Users\James\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully


[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: James
->Temp folder emptied: 173946493 bytes
->Temporary Internet Files folder emptied: 18961758 bytes
->Java cache emptied: 14397103 bytes
->FireFox cache emptied: 19422971 bytes
->Flash cache emptied: 2219 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 526253 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 2559544 bytes

Total Files Cleaned = 219.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: James
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.23.0 log created on 05292011_103339

Files\Folders moved on Reboot...
File\Folder C:\Windows\temp\TMP0000000174F21DAB185B250A not found!

Registry entries deleted on Reboot...


Re: Windows Recovery Virus!!! Help needed to remove

Post by Kenny94 on Mon May 30, 2011 7:41 pm

Some of the stuff I can't get rid of because it says access denied even though I'm logged in as administrator.
UAC is at fault. Visit this site:

[You must be registered and logged in to see this link.]


This is the reason it happens with UAC enabled, as in your C:\ drive: User Account Control handles users in the administrators group as standard users.

You can use this tool to turn off and turn on UAC at:

[You must be registered and logged in to see this link.]

Let me know how it went.


Kenny94
Tech Officer
Posts : 2019
Joined : 2010-04-22
Gender : Male
OS : Windows 7
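
The effect described in the post above, shown from the command line. This is an added example; it is not from the thread or from any of the tools used in it. It assumes an English-language Windows (Vista/7 era, PowerShell 2.0 or later) because it matches the localized text that `whoami /groups` prints, and the folder it probes (C:\Windows\System32) is only a stand-in for whichever folder refused the delete. The function names are mine.

```powershell
# Added example (not from the thread). Shows the UAC effect behind the
# "access denied even though I'm an administrator" symptom: under UAC a member
# of Administrators runs with a filtered token until a process is elevated.
# Assumes English-language Windows: the "deny only" text comes from whoami.

function Get-UacState {
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy    = Get-ItemProperty -Path $policyKey

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # IsInRole() is answered from the token this process holds. Unelevated
    # under UAC, the Administrators SID is present but "deny only", so $false.
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami lists the raw token groups with their attributes, which is where
    # "administrator, but not elevated" is visible in one line.
    $adminsRow = whoami /groups /fo csv | ConvertFrom-Csv |
                 Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators
    $isMember  = ($adminsRow -ne $null)
    $denyOnly  = $isMember -and ($adminsRow.Attributes -match 'deny only')

    New-Object PSObject -Property @{
        User                   = $identity.Name
        MemberOfAdministrators = $isMember
        AdminSidDenyOnly       = $denyOnly
        RunningElevated        = $elevated
        EnableLUA              = $policy.EnableLUA   # 1 = UAC on; 0 = off (after reboot)
    }
}

# Probe a folder the way a cleanup tool would: a create/delete test answers
# "can THIS token write here", which is the question UAC actually decides.
function Test-WriteAccess {
    param([Parameter(Mandatory=$true)][string]$Path)
    if (-not (Test-Path $Path)) { return $false }
    $probe = Join-Path $Path ('uac-probe-' + [Guid]::NewGuid().ToString('N') + '.tmp')
    try {
        New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null
        Remove-Item $probe -Force
        return $true
    } catch {
        # Typically System.UnauthorizedAccessException: "Access to the path ... is denied"
        return $false
    }
}

$state = Get-UacState
$state | Format-List User, MemberOfAdministrators, AdminSidDenyOnly, RunningElevated, EnableLUA

# C:\Windows\System32 stands in for whichever folder refused the delete.
$target = Join-Path $env:SystemRoot 'System32'
Write-Host ("Can this console write to {0}? {1}" -f $target, (Test-WriteAccess $target))

if ($state.MemberOfAdministrators -and -not $state.RunningElevated) {
    Write-Host 'Administrator account, but this process holds the filtered token.'
    Write-Host 'To elevate one tool (same as right-click > Run as administrator):'
    Write-Host '  Start-Process powershell.exe -Verb RunAs'
}
```

Run it twice, once in a normal PowerShell window and once in one opened with "Run as administrator": the account is the same and MemberOfAdministrators is true both times, but RunningElevated and the write probe only succeed in the elevated window. That is the whole UAC effect: the filtered token, not the account, is what gets "access denied". Start-Process with -Verb RunAs elevates a single tool through the normal consent prompt (it is what the right-click "Run as administrator" does) and leaves EnableLUA alone; if UAC is turned off with the tool linked above, the EnableLUA value this script reads will be 0 after the reboot.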

Post by zhengs on Tue May 31, 2011 3:33 am

OK, I installed it. What do I do now?

Post by Kenny94 on Tue May 31, 2011 11:27 am

Click turn UAC off now. Reboot your PC. You should have access to those files now.

Post by zhengs on Tue May 31, 2011 8:08 pm

Yes, it works. Now what?

Post by Kenny94 on Tue May 31, 2011 8:28 pm

Now that we are done, purge the old temporary files.

Please download [You must be registered and logged in to see this link.] to your desktop.
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator.)
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

You should keep TFC and run it once a week.


Your Computer is Clean



Some final items:


Follow these steps to uninstall Combofix and tools used in the removal of malware

To remove all of the tools we used and the files and folders they created, please do the following:
Please download [You must be registered and logged in to see this link.] by OldTimer:

  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.


It's a good idea to flush your System Restore after removing malware and create a new restore point.


To SET A NEW RESTORE POINT:
1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
3. Then go to Start > Run and type: Cleanmgr
4. Click "OK".
5. Click the "More Options" Tab.
6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Graphics for doing this are in the following links if you need them.
[You must be registered and logged in to see this link.].
[You must be registered and logged in to see this link.].


Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it; there are other free alternatives, [You must be registered and logged in to see this link.] and [You must be registered and logged in to see this link.], both of which are free to use and more secure than IE.

If you are using Firefox you can stay more secure by adding [You must be registered and logged in to see this link.] and [You must be registered and logged in to see this link.].

NoScript stops JavaScript from running on a web page unless you give permission for it, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites, allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you and check that you are sure you want to continue to a bad website.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.


Additional Security Measures

[You must be registered and logged in to see this link.]

Visit Microsoft's Windows Update Site Frequently - It is important that you visit [You must be registered and logged in to see this link.] regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

[You must be registered and logged in to see this link.] - Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

[You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.] - Two good disk defragmenters for you to choose from to help speed up your computer.

[You must be registered and logged in to see this link.]




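
The same six Internet-zone settings as the IE dialog steps in the post above, applied and verified through the registry. This is an added example and not from the thread: the zone key, the numeric action IDs and the 0/1/3 data values are Microsoft's documented Internet Explorer zone-settings identifiers (KB 182569); the function names are mine.

```powershell
# Added example (not from the thread). Applies the Internet-zone hardening
# from the post through the registry and reports each setting before/after.
# Zones\3 is the Internet zone. Action IDs and 0/1/3 values are Microsoft's
# documented zone-setting identifiers (KB 182569). Run as the user whose
# Internet Explorer profile is being hardened.

$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Action ID -> (dialog label, target value). 0 = Enable, 1 = Prompt, 3 = Disable.
$hardening = @{
    1001 = @('Download signed ActiveX controls',                          1)
    1004 = @('Download unsigned ActiveX controls',                        3)
    1201 = @('Initialize and script ActiveX controls not marked as safe', 3)
    1800 = @('Installation of desktop items',                             1)
    1804 = @('Launching programs and files in an IFRAME',                 1)
    1607 = @('Navigate sub-frames across different domains',              1)
}
$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneSetting([int]$Id) {
    $valueName = [string]$Id
    $item = Get-ItemProperty -Path $zoneKey -Name $valueName -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }        # value absent: IE falls back to the zone default
    return [int]$item.$valueName
}

function Set-ZoneSetting([int]$Id, [int]$Value) {
    # Each zone setting is a DWORD value named by its numeric action ID.
    Set-ItemProperty -Path $zoneKey -Name ([string]$Id) -Value $Value -Type DWord
}

function Invoke-IeZoneHardening([switch]$DryRun) {
    foreach ($id in ($hardening.Keys | Sort-Object)) {
        $name, $wanted = $hardening[$id]
        $current  = Get-ZoneSetting $id
        $curLabel = if ($current -eq $null) { 'default' } else { $labels[$current] }
        if ($current -eq $wanted) {
            Write-Host ('[ok]     {0,-62} {1}' -f $name, $curLabel)
            continue
        }
        Write-Host ('[change] {0,-62} {1} -> {2}' -f $name, $curLabel, $labels[$wanted])
        if (-not $DryRun) { Set-ZoneSetting $id $wanted }
    }
}

Invoke-IeZoneHardening -DryRun    # show what would change, write nothing
Invoke-IeZoneHardening            # apply the six settings
```

The dry run prints the current value of each setting next to the target, so you can see which of the six the malware or an earlier setup left open before anything is written. If a machine policy sets Security_HKLM_only, Internet Explorer reads the zone values from the matching key under HKLM instead and this per-user change has no effect; that policy is what makes the settings appear greyed out in the dialog.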

Post by zhengs on Tue May 31, 2011 10:37 pm

No no no.... My computer is slow and gets very hot now. So what do I do with all the files and folders on my computer? What if I can't delete them? Why, when I search something on Google, does it bring me to another link when I click on the link? And there are some processes associated with the virus that might have something to do with the Google links I clicked. There are so many more problems that haven't been solved yet......

Post by Kenny94 on Tue May 31, 2011 10:51 pm

My computer is slow and gets very hot now.
Sounds like a hardware problem.

So what do I do with all the files and folders on my computer?
What files and folders are you referring to?

There are so many more problems that haven't been solved yet......
What are the other problems, other than redirects?

What if I can't delete it?
Have you tried, now that UAC is turned off?

Post by zhengs on Wed Jun 01, 2011 12:19 am

The computer wasn't burning up and slow until that virus got into it. Files and folders just appeared in my C: drive and flooded into my other folders. It wasn't like that before the virus came, so I thought maybe it was the virus. I have no idea... I thought I could just delete them, but there are too many folders and files everywhere created by it. Some of them can't be deleted. I don't know which folders and files are created by the virus or not. You can see the picture of my C: drive on page 2. There is more to it when you open the folders, which contain more and more folders and files. Do too many folders and files on the computer make it slow?

I always use Google to search for things. Whenever I click on a link I googled, I get sent to a different place. The link quickly changes to something else that wasn't even a website. That's why I always have to type the website in the address bar now. But it wasn't like this after the virus got onto my computer. I got kind of frustrated that my computer couldn't be the way it was before. I don't know what to do. I'm sorry I can't explain it so well, but those are all the problems I have right now.

Post by Kenny94 on Wed Jun 01, 2011 1:43 am

Do too many folders and files on the computer make it slow?
No. Not at all with the amount of RAM you have installed. A lot of the files are system files in your C: drive... Some are non-system files. Like this one:

U_SUN_setup.exe

[You must be registered and logged in to see this link.]

Part of an install.

Disk Cleanup would help at:

[You must be registered and logged in to see this link.]

Okay, I'm more concerned about the Google redirects. Are you behind a router?

Post by zhengs on Wed Jun 01, 2011 4:24 am

But still, not all the folders and files have gone away. Yes, I'm using a router with the modem.

Post by Kenny94 on Wed Jun 01, 2011 11:12 am

Your router seems to be infected as well. Please read this post completely; it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.


1. Very important: First disconnect your computers from the Internet.

2. Router Reset: Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into the small hole labeled Reset located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 30 seconds).

3. Reset the IP/DNS settings of your Internet connection on each computer connected:

  • Go to Start -> Control Panel -> Double click on Network Connections.
  • Right click on your default connection (usually Local Area Connection or Wireless Network Connection) and select Properties.
  • Select the General tab.
  • Double click on Internet Protocol (TCP/IP).
  • Under the General tab:
    • Select "Obtain an IP address automatically".
    • Select "Obtain DNS server address automatically".
  • Click OK twice to save the settings.
  • Reboot if you had to change any setting.

4. Flush the DNS cache:

  • Click the Start logo in the bottom left corner of the screen
  • Click on Run
  • In the command window copy/paste the following:

    Code:
    ipconfig /flushdns
  • Then hit enter.
  • Exit the command window.

5. Reconnect: Once you have followed all the above steps you can reconnect your computer to the internet.

Then check for redirects and let me know if the redirects are gone.

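
A resolver-path check to go with the reset procedure above, as an added example (it is not from the thread or from any of the tools in it). It reports, per adapter, whether the DNS servers come from DHCP, which servers are configured and which of them lie outside the local (RFC 1918) network, lists any HOSTS entries other than localhost, and then performs step 4's flush. It assumes a home network using private addressing; the function names are mine.

```powershell
# Added example (not from the thread). Audits the resolver path behind the
# "Google redirects" symptom: where each adapter's DNS servers come from,
# which of them are not on the local network, and whether the HOSTS file
# overrides anything. Ends with the same flush as step 4 of the post.
# Assumes a home LAN using private (RFC 1918) addresses.

function Test-PrivateAddress([string]$Ip) {
    # RFC 1918 ranges plus loopback. IPv6 or malformed input counts as "not private".
    if ($Ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return $false }
    $a = $Ip.Split('.') | ForEach-Object { [int]$_ }
    return ($a[0] -eq 10) -or
           ($a[0] -eq 172 -and $a[1] -ge 16 -and $a[1] -le 31) -or
           ($a[0] -eq 192 -and $a[1] -eq 168) -or
           ($a[0] -eq 127)
}

function Get-DnsAudit {
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
      ForEach-Object {
        $gateway = @($_.DefaultIPGateway)[0]
        $servers = @($_.DNSServerSearchOrder)
        # Servers that are neither private nor the router itself need a second look.
        $suspect = @($servers | Where-Object { -not (Test-PrivateAddress $_) -and $_ -ne $gateway })
        New-Object PSObject -Property @{
            Adapter     = $_.Description
            DhcpEnabled = $_.DHCPEnabled            # $false: a static setting on this machine
            Gateway     = $gateway
            DnsServers  = ($servers -join ', ')
            NonLocalDns = ($suspect -join ', ')     # review each address listed here
        }
      }
}

function Get-HostsOverrides {
    # Every active HOSTS line except the stock localhost mappings.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $hosts |
      ForEach-Object { ($_ -split '#')[0].Trim() } |      # drop comments
      Where-Object { $_ } |                                # drop blank lines
      Where-Object { $_ -notmatch '^(127\.0\.0\.1|::1)\s+localhost$' }
}

Get-DnsAudit | Format-Table Adapter, DhcpEnabled, Gateway, DnsServers, NonLocalDns -AutoSize

$overrides = @(Get-HostsOverrides)
if ($overrides.Count -gt 0) {
    Write-Host 'HOSTS file entries other than localhost (review each):'
    $overrides | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host 'HOSTS file: only localhost entries.'
}

# Step 4 of the post: drop cached answers so the next lookup goes to the
# servers configured now, not the ones that were in use before the reset.
ipconfig /flushdns | Out-Null
Write-Host 'DNS resolver cache flushed.'
```

Run it once before the router reset and once after. With "obtain automatically" set and a clean router, DnsServers is usually either the router's own address (the gateway) or the ISP's servers handed out by DHCP; ISP servers are public addresses and will appear under NonLocalDns, so compare that column with what the router's status page shows rather than treating every entry as hostile. A server that survives the reset on one machine but not the others points at a static setting on that machine (DhcpEnabled = False) rather than at the router, and anything that survives both the router reset and the HOSTS check is on the host itself, which is where the OTL log earlier in the thread was looking.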

Post by zhengs on Wed Jun 01, 2011 2:23 pm

3. Reset the IP/DNS settings of your Internet connection on each computer connected


Is it okay if I only reset mine? There are other computers connected to the internet that aren't mine, and they are gone on vacation. Also, I only reset my computer and it seems like it didn't work.

Post by Kenny94 on Wed Jun 01, 2011 5:44 pm

Just your computer would be fine. But if you can't, move on to step 4.

Let me know if the Google redirects are still happening.
