BleepingComputer.com: Cannot boot computer after running Norton Power Eraser

Cannot boot computer after running Norton Power Eraser

#1 jcornell16

  • New Member
  • Group: Members
  • Posts: 13
  • Joined: 29-January 12

Posted 29 January 2012 - 11:52 AM

Here's my story, hope someone out there can help me fix this on my own! I have a Dell Inspiron 570, AMD Athlon II X4-630 processor, Windows 7 64 bit...purchased May 2011. It came with 3 free years of McAfee, there's my mistake! Firewall kept shutting itself down so I have a virus. Couldn't fix it, bought Norton 360. Ran a scan, found tracking cookies. Still had the virus. Could not access Google, kept getting messages stating I was out of memory at line 35, etc, walked past my computer and caught it sending emails to a bank. Ugh! So I ran Power Eraser and now I can't boot my computer. Tried safe mode, system repair, Dell Data Safe, restore from a previous point, nothing works. This was yesterday, now today that previous restore point doesn't even show up on the list. What should I do?

Saw a post from a few days ago on this forum about getting a flash drive and downloading something. Shall I try that? I'm good with computers if I have good instructions. Please help, thanks!

Mod Edit: OP posted FRST log, moved to MRL ~ Hamluis.

This post has been edited by hamluis: 29 January 2012 - 09:49 PM
Reason for edit: Moved from Win 7 to Am I Infected.


#2 jcornell16

  • New Member
  • Group: Members
  • Posts: 13
  • Joined: 29-January 12

Posted 29 January 2012 - 12:09 PM

Also, I believe the virus it found was called backdoor.bot. And one more piece of info you may need...I do not have a Windows 7 disc, it came pre-installed on my computer from Dell.

This post has been edited by jcornell16: 29 January 2012 - 01:10 PM


#3 jcornell16

  • New Member
  • Group: Members
  • Posts: 13
  • Joined: 29-January 12

Posted 29 January 2012 - 02:12 PM

I ran the Farbar recovery scan that another user with the same issue was told to do by Surgeon General from the malware team. Here is my log:

Scan result of Farbar Recovery Scan Tool Version: 28-01-2012
Ran by SYSTEM at 2012-01-28 15:06:58
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [8321568 2009-11-09] (Realtek Semiconductor)
HKLM\...\Run: [DellStage] "C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\start.umj" --startup [207350 2011-01-25] ()
HKLM-x32\...\Run: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2009-07-14] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe [1117528 2010-08-25] (Dell, Inc.)
HKLM-x32\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1484856 2010-09-30] (McAfee, Inc.)
HKLM-x32\...\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [439568 2010-05-10] (Microsoft Corporation)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [240112 2010-11-25] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [514544 2010-11-17] ()
HKLM\...\RunOnce: [EDocs] C:\Program Files\Dell Inc\Dell Edoc Viewer\EDocs.exe /s [1499648 2010-04-28] (Dell Inc.)
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2009-07-13] (Microsoft Corporation)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]

==================== Services (Whitelisted) ======

2 McMPFSvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2010-03-10] (McAfee, Inc.)
2 mcmscsvc; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2010-03-10] (McAfee, Inc.)
2 McNaiAnn; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2010-03-10] (McAfee, Inc.)
2 McNASvc; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2010-03-10] (McAfee, Inc.)
3 McODS; "C:\Program Files\mcafee\VirusScan\mcods.exe" [509416 2010-10-07] (McAfee, Inc.)
2 McOobeSv; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2010-03-10] (McAfee, Inc.)
2 McProxy; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2010-03-10] (McAfee, Inc.)
2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [200056 2010-10-13] (McAfee, Inc.)
2 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe" [245352 2010-10-13] (McAfee, Inc.)
2 mfevtp; "C:\Windows\system32\mfevtps.exe" [149032 2010-10-13] (McAfee, Inc.)
2 MSK80Service; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2010-03-10] (McAfee, Inc.)
2 NOBU; "C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe" SERVICE [2823000 2010-08-25] (Dell, Inc.)
3 RoxMediaDB12OEM; "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe" [1116656 2010-11-25] (Sonic Solutions)
2 RoxWatch12; "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe" [219632 2010-11-25] (Sonic Solutions)
3 McAWFwk; c:\PROGRA~1\mcafee\msc\mcawfwk.exe [x]

========================== Drivers (Whitelisted) =============

3 cfwids; C:\Windows\System32\drivers\cfwids.sys [62800 2010-10-13] (McAfee, Inc.)
3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [121248 2010-10-13] (McAfee, Inc.)
3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [190136 2010-10-13] (McAfee, Inc.)
3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [441328 2010-10-13] (McAfee, Inc.)
0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [529128 2010-10-13] (McAfee, Inc.)
1 mfenlfk; C:\Windows\System32\DRIVERS\mfenlfk.sys [75032 2010-10-13] (McAfee, Inc.)
3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [94864 2010-10-13] (McAfee, Inc.)
0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [283360 2010-10-13] (McAfee, Inc.)

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-01-28 16:09 - 2012-01-28 16:09 - 0000452 ____A C:\Users\Public\Desktop\Emergency Backup.lnk
2012-01-28 16:09 - 2012-01-28 16:09 - 0000452 ____A C:\Users\All Users\Desktop\Emergency Backup.lnk
2012-01-28 16:02 - 2012-01-28 16:02 - 0000000 ____D C:\Emergency
2012-01-28 15:42 - 2012-01-28 15:42 - 0000000 ____D C:\Windows\SMINST
2012-01-28 15:06 - 2012-01-28 15:07 - 0000000 ____D C:\FRST

============ 3 Months Modified Files and Folders =============

2012-01-28 16:09 - 2012-01-28 16:09 - 0000452 ____A C:\Users\Public\Desktop\Emergency Backup.lnk
2012-01-28 16:09 - 2012-01-28 16:09 - 0000452 ____A C:\Users\All Users\Desktop\Emergency Backup.lnk
2012-01-28 16:02 - 2012-01-28 16:02 - 0000000 ____D C:\Emergency
2012-01-28 16:02 - 2011-05-09 09:21 - 0000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2012-01-28 15:42 - 2012-01-28 15:42 - 0000000 ____D C:\Windows\SMINST
2012-01-28 15:07 - 2012-01-28 15:06 - 0000000 ____D C:\FRST

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 10%
Total physical RAM: 5886.98 MB
Available physical RAM: 5265.19 MB
Total Pagefile: 5885.13 MB
Available Pagefile: 5248.88 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:917.66 GB) (Free:889.97 GB) NTFS
4 Drive f: () (Removable) (Total:3.73 GB) (Free:3.68 GB) FAT32
7 Drive i: (RECOVERY) (Fixed) (Total:13.81 GB) (Free:5.51 GB) NTFS ==>[System with boot components (obtained from reading drive)]
9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 931 GB 0 B
Disk 1 Online 3819 MB 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 31 KB
Partition 2 Primary 13 GB 40 MB
Partition 3 Primary 917 GB 13 GB

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 8 FAT Partition 39 MB Healthy Hidden

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 I RECOVERY NTFS Partition 13 GB Healthy

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 917 GB Healthy

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3818 MB 16 KB

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F FAT32 Removable 3818 MB Healthy


==========================================================
TDL4: custom:26000022
==========================================================

Last Boot: 2011-05-09 11:04

======================= End Of Log ==========================

#4 Farbar

  • Just Curious
  • Group: Malware Response Instructor
  • Posts: 17,817
  • Joined: 08-December 07
  • Gender:Male
  • Location:The Netherlands

Posted 30 January 2012 - 02:42 PM

Hello jcornell16,

Welcome to this forum.

Please download the attached file fixlist.txt (157 bytes).
Save it to your flash drive.
Boot to System Recovery Options.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Also please restart the computer, let it boot normally and tell me how it went.

#5 jcornell16

  • New Member
  • Group: Members
  • Posts: 13
  • Joined: 29-January 12

Posted 30 January 2012 - 05:12 PM

I booted to system recovery options and I get
startup repair
system restore
system image recovery
windows memory diagnostic
command prompt
dell datasafe restore

I assume you want me to go to the command prompt. From there the screen says x:\windows\system32>. Now what?

Curious why it is looking at the x drive. Shouldn't it be c?

#6 jcornell16

  • New Member
  • Group: Members
  • Posts: 13
  • Joined: 29-January 12

Posted 30 January 2012 - 05:25 PM

Ok, just figured it out. Here it is:

Fix result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 28-01-2012
Ran by SYSTEM at 2012-01-29 14:16:46 R:1
Running from J:\

==============================================

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\\*Restore Value deleted successfully.

========= bootrec /FixMbr =========

The operation completed successfully.

========= End of CMD: =========


The operation completed successfully.
The operation completed successfully.

==== End of Fixlog ====

I just booted and it seems to be working. It's setting it up for first time use. Will all my data be somewhere? Like my program for my camera, itunes? Dell datasafe? It's up and running.

#7 Farbar

  • Just Curious
  • Group: Malware Response Instructor
  • Posts: 17,817
  • Joined: 08-December 07
  • Gender:Male
  • Location:The Netherlands

Posted 30 January 2012 - 05:28 PM

Great. :thumbup2:

Quote

Will all my data be somewhere? Like my program for my camera, itunes? Dell datasafe?


What do you mean?

Please don't run any program or scan or cleaner until I let you know it is safe.

#8 Farbar

  • Just Curious
  • Group: Malware Response Instructor
  • Posts: 17,817
  • Joined: 08-December 07
  • Gender:Male
  • Location:The Netherlands

Posted 30 January 2012 - 05:39 PM

I just see you were online but not replying to my query.

Just to let you know I'm going to sleep now. I'm in another time zone.:)

#9 jcornell16

  • New Member
  • Group: Members
  • Posts: 13
  • Joined: 29-January 12

Posted 30 January 2012 - 06:02 PM

Well it turns out that I am finding all of my files, such as, saved e-mails from my Windows Live mail client, internet favorites, etc. How do I get these old saved e-mail messages back into Windows Live again? How do I get my favorites restored? How do I restore my e-mail contacts and where do I find them? It appears that my Dell Data Safe backed up everything. I can find all of it on the hard drive, I just need help figuring out how to get it all back where it goes.

I have a camera program. Do I need to re-install it? Do I need to re-install my printer? Do I need to re-install iTunes for my iPod? These are things I need help with now.

This post has been edited by jcornell16: 30 January 2012 - 09:18 PM


#10 jcornell16

  • New Member
  • Group: Members
  • Posts: 13
  • Joined: 29-January 12

Posted 30 January 2012 - 06:03 PM

And thanks again for all of your help! I am so grateful to have my computer back and you will be compensated for this!

This post has been edited by jcornell16: 30 January 2012 - 09:20 PM


#11 Farbar

  • Just Curious
  • Group: Malware Response Instructor
  • Posts: 17,817
  • Joined: 08-December 07
  • Gender:Male
  • Location:The Netherlands

Posted 31 January 2012 - 04:08 AM

Quote

Ok, I'm up and running!! I used Dell datasafe and everything went back on my hard drive. However, online how do I get my favorites back, my Windows Live email? And how do I find my programs? Example, Olympus Master 2 is my camera program. It's all there but does not show up under all programs from the start menu. How do I access it?

As I understand, Dell data safe restores the computer to the factory default, doesn't it?

  • Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

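    @ECHO OFF
    REM List everything in the root of C:, including hidden and system items
    Dir /a c:\ >log.txt
    REM Append a bare recursive listing of the current user's temp folder
    Dir /a/b/s "%temp%" >>log.txt
    REM Open the result so it can be copied into the reply
    notepad log.txt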
    

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate look.bat on the desktop.
    • Right-click to run it as administrator.
    • A notepad opens, copy and paste the content (log.txt) to your reply.

  • Please download unhide.exe to your desktop and run it.

  • Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


#12 jcornell16

  • New Member
  • Group: Members
  • Posts: 13
  • Joined: 29-January 12

Posted 31 January 2012 - 06:54 AM

I won't be able to do this until this afternoon, about 8 hours from now, heading to work. But I will do it, thanks!

#13 Farbar

  • Just Curious
  • Group: Malware Response Instructor
  • Posts: 17,817
  • Joined: 08-December 07
  • Gender:Male
  • Location:The Netherlands

Posted 31 January 2012 - 06:59 AM

:thumbup2:

#14 jcornell16

  • New Member
  • Group: Members
  • Posts: 13
  • Joined: 29-January 12

Posted 31 January 2012 - 05:29 PM

First: Yes, Dell data safe restored it to factory settings.
Second: Here is the look.bat file.....will post reply to last steps in another post.......
Volume in drive C is OS
Volume Serial Number is 3206-3198

Directory of c:\

01/30/2012 04:24 PM <DIR> $RECYCLE.BIN
05/09/2011 09:46 AM <DIR> Apps
01/30/2012 04:33 PM <DIR> Cook'n
01/30/2012 07:38 PM <DIR> dell
05/09/2011 11:57 AM 30,880 dell.sdr
07/13/2009 11:08 PM <JUNCTION> Documents and Settings [C:\Users]
05/09/2011 11:25 AM <DIR> Drivers
01/29/2012 01:20 PM <DIR> Emergency
01/28/2012 03:07 PM <DIR> FRST
01/30/2012 07:38 PM 4,629,704,704 hiberfil.sys
01/28/2012 04:47 PM 80 log.txt
01/31/2012 03:55 PM <DIR> MSOCache
01/30/2012 07:38 PM 6,172,942,336 pagefile.sys
07/13/2009 09:20 PM <DIR> PerfLogs
01/30/2012 05:14 PM <DIR> Program Files
01/30/2012 05:30 PM <DIR> Program Files (x86)
01/30/2012 07:26 PM <DIR> ProgramData
01/30/2012 05:29 PM <DIR> System Volume Information
05/09/2011 09:22 AM <DIR> Temp
01/30/2012 04:37 PM <DIR> Users
01/30/2012 04:45 PM <DIR> WINDOWS
4 File(s) 10,802,678,000 bytes
17 Dir(s) 920,242,589,696 bytes free

#15 jcornell16

  • New Member
  • Group: Members
  • Posts: 13
  • Joined: 29-January 12

Posted 31 January 2012 - 05:58 PM

Step 3: Unhide. Not sure what to do with it, saved to desktop but nothing happened. Opens up as a command prompt black screen.
Step 4: Here's the MBAM log....

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.01.31.09

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Bobnjill :: BOBNJILL-PC [administrator]

1/31/2012 4:53:19 PM
mbam-log-2012-01-31 (16-53-19).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 192550
Time elapsed: 2 minute(s), 49 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Another Question....are McAfee and Norton still on my computer? How do I completely remove if they still show up in the registry after uninstall? I am now using Spybot and Ad-Aware.
