
Windows 7 Recovery Virus After Doing Uninstall Guide


11 replies to this topic

#1 sabatweeny

Posted 15 June 2011 - 12:03 PM

Dear Bleeping Computer,

First off, many thanks for the work you do and the information on this site. You guys are a godsend. I was infected with the Windows 7 Recovery virus and went through all your steps on the uninstall guide. I had to do this multiple times (it seemed) before I got all the error messages to go away. I have run and re-run updated versions of Malwarebytes Anti-Malware, McAfee, and Super Anti-virus scan (or something along those lines). They have persistently found other trojans on my repeat scans. Finally, yesterday, I ran all 3 programs and all the scans were clean. Some of my remaining questions are detailed below. I wholeheartedly appreciate any and all help you can provide.

1. Do these trojans come back and back after being deleted/cleaned through your uninstall guide?

2. Also, I ran your unhide program and it worked beautifully for everything EXCEPT what's in my start menu folder. I've run the program multiple times but the folders within the start menu folder still say "empty." Can you please help with this? It's not

3. One reason I think I still have the trojan, however, is this... I downloaded the RKill program onto my flash drive (all iterations of it) but as soon as I put the flash drive into my computer at home, the programs one-by-one disappear from the flash drive in front of my eyes. I've never seen anything like this before but it happened on multiple occasions. This is why I'm worried I still have the virus. Any suggestions?

Lastly, is there any way to know for certain whether my system is clean? I have the most recent updated versions of Malwarebytes Anti-Malware, Super scan, and McAfee and I ran those scans last night and they didn't find anything, but I'm still not fully convinced.

Many, many thanks again for all your help and best wishes!

#2 Broni (BC Advisor)

Posted 15 June 2011 - 09:31 PM

Windows Recovery infection in many cases doesn't come alone.
Your computer may still be infected.

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

================================================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
Click the "Scan" button to start the scan.

On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.


#3 sabatweeny (Topic Starter)

Posted 21 June 2011 - 01:43 AM

Hello and many thanks for your super fast response.

I have posted my logs to the end of this posting but just wanted to ask you about the following points:

(1) Have you ever seen programs automatically deleted from a flash drive once they have been inserted into the USB hub of a computer? This is what happened to me re: the RKill program.

(2) Is there any way to get all my programs listed back in my start menu folder? I ran "unhide" and it worked for everything except the listings in the start menu... those are all listed as "(empty)" even though I can find all the files individually when going through windows explorer.

(3) After downloading the aswMBR program, I (perhaps incorrectly?) chose to say yes to downloading their definition files. This was automatically prompted once I ran this program. It took a few moments to get the definition files and then I pressed scan. After about 3 minutes, my computer spazzed out and I got a blue screen in the middle of my monitor (square shaped and not encompassing the whole monitor), with white writing on it. Single spaced text. I couldn't read it all because my computer automatically rebooted within a few seconds after this blue screen appeared. I did make out something along the lines of preparing disk for dumping or boot for dumping, or something like this. I started the computer again and again tried to do this program by pressing scan and again the same thing happened with the blue screen and automatic shut down. I got nervous at this point so I "deleted" the file from my desktop and then re-downloaded it to my desktop but again the definition files were present. So, I changed the bottom scroll bar from AV "quick scan" to "(none)" and then it scanned quickly and without the blue screen error showing up. That's the log that is posted at the very bottom. **BUT, can you please tell me what this blue screen means? I've never seen it before I ran this program.

LOG #1: this is the malwarebytes scan you requested in your response to me (quick scan)...
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6907

Windows 6.1.7600
Internet Explorer 9.0.8112.16421

6/21/2011 1:58:34 AM
mbam-log-2011-06-21 (01-58-34).txt

Scan type: Quick scan
Objects scanned: 164528
Time elapsed: 3 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


LOG #2: this was a malwarebytes "complete scan" I ran about a week ago when I was trying to rid my computer of the recovery virus. It actually found a trojan, which I subsequently deleted. I know you didn't request this log to be sent, but perhaps it may be helpful? Sorry if not!!
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6854

Windows 6.1.7600
Internet Explorer 9.0.8112.16421

6/14/2011 7:07:36 PM
mbam-log-2011-06-14 (19-07-30).txt

Scan type: Full scan (C:\|)
Objects scanned: 437361
Time elapsed: 3 hour(s), 9 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VyuAmrmEfIELC (Rogue.Agent.SA) -> Value: VyuAmrmEfIELC -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


LOG #3: the 2nd program scan you had asked for....
aswMBR version 0.9.7.675 Copyright© 2011 AVAST Software
Run date: 2011-06-21 02:30:34
-----------------------------
02:30:34.876 OS Version: Windows x64 6.1.7600
02:30:34.876 Number of processors: 8 586 0x1E05
02:30:34.876 ComputerName: THEBEE UserName: Tates
02:30:37.466 Initialize success
02:30:44.127 AVAST engine defs: 11062002
02:30:55.452 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
02:30:55.452 Disk 0 Vendor: TOSHIBA_MK5056GSY LH003D Size: 476940MB BusType: 11
02:30:57.512 Disk 0 MBR read successfully
02:30:57.512 Disk 0 MBR scan
02:30:57.512 Disk 0 unknown MBR code
02:30:57.512 Service scanning
02:30:59.633 Disk 0 trace - called modules:
02:30:59.649 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
02:30:59.649 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004e48060]
02:30:59.664 3 CLASSPNP.SYS[fffff8800180143f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004b1f680]
02:30:59.664 Scan finished successfully
02:31:13.626 Disk 0 MBR has been saved successfully to "C:\Users\Tates\Desktop\MBR.dat"
02:31:13.626 The log file has been saved successfully to "C:\Users\Tates\Desktop\aswMBR.txt"

#4 Broni (BC Advisor)

Posted 21 June 2011 - 05:40 PM

Your MBAM log says "No action taken".
Please, re-run MBAM, FIX all items and post fresh log.

Then....

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.
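Added example, not part of the thread and not what MBAM or GMER do internally: a read-only PowerShell triage of the Run/RunOnce autostart keys, the same place the 14 June log found HKCU\...\Run\VyuAmrmEfIELC (Rogue.Agent.SA). It prints each entry's image path and flags entries that start from a user-writable folder, lack a valid Authenticode signature, or point at a file that no longer exists. Get-AutorunReport, Get-ImagePath and the flagging heuristics are this example's own; the key list is the standard Run/RunOnce set plus the Wow6432Node view, since the aswMBR log shows an x64 install.

```powershell
# Added example (not from the thread, MBAM or GMER). Read-only: it lists every
# autostart value under the Run/RunOnce keys and flags the ones worth a look.
# Get-AutorunReport, Get-ImagePath and the heuristics are this example's own.

# Folders an unprivileged process can write to; a rogue usually starts from one
# of these, a properly installed product rarely does.
$SuspectRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:PUBLIC) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLower() }

function Get-ImagePath([string]$Command) {
    # '"C:\dir\app.exe" /x', 'C:\dir\app.exe /x' or 'app.exe' -> path of the executable
    if ($Command -match '^\s*"([^"]+)"')      { $exe = $matches[1] }
    elseif ($Command -match '^\s*(\S+\.exe)') { $exe = $matches[1] }
    else                                      { $exe = $Command.Trim() }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if ($exe -and -not [IO.Path]::IsPathRooted($exe)) {
        # bare name: resolve through PATH the way the loader would
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($cmd -and $cmd.Definition) { $exe = $cmd.Definition }
    }
    return $exe
}

function Get-AutorunReport {
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # 32-bit view on x64
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        # drop the PS* bookkeeping properties Get-ItemProperty adds; the rest are the values
        $values = (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' }
        foreach ($v in $values) {
            $exe   = Get-ImagePath ([string]$v.Value)
            $flags = @()
            $lower = $exe.ToLower()
            foreach ($root in $SuspectRoots) {
                if ($lower.StartsWith($root + '\')) { $flags += 'starts from user-writable folder'; break }
            }
            if (-not $exe -or -not (Test-Path -LiteralPath $exe)) {
                $flags += 'image missing'      # orphan entry, or a file a scanner already removed
            } else {
                # Caveat: on Windows 7 this does not consult the OS catalogs, so
                # catalog-signed Microsoft binaries also report NotSigned; weigh
                # the path and vendor before treating that alone as a finding.
                $sig = Get-AuthenticodeSignature -FilePath $exe
                if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
            }
            # A random value name such as VyuAmrmEfIELC is a hint, but installers
            # also use GUIDs, so the name is printed rather than flagged.
            New-Object PSObject -Property @{
                Key = $key; Name = $v.Name; Image = $exe; Flags = ($flags -join '; ')
            }
        }
    }
}

Get-AutorunReport | Select-Object Key, Name, Image, Flags | Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell before and after the MBAM fix: an entry that MBAM reported and removed should be gone from the output, and one that comes back after a reboot is the sign that something else on the machine is re-creating it. The script changes nothing; removal stays with the scanners the helper asked for.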

#5 sabatweeny (Topic Starter)

Posted 28 June 2011 - 03:12 AM

Hello again and thanks for your continued assistance.

As requested, here is the new MBAM log from my quick scan:
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6964

Windows 6.1.7600
Internet Explorer 9.0.8112.16421

6/27/2011 11:46:40 PM
mbam-log-2011-06-27 (23-46-40).txt

Scan type: Quick scan
Objects scanned: 166616
Time elapsed: 4 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Also, this is my GMER log:
GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-28 02:59:09
Windows 6.1.7600
Running: ti3q2dq9.exe


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\50631396bf94
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\50631396bf94@002557f557db 0xC4 0x44 0xBE 0xC2 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\50631396bf94 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\50631396bf94@002557f557db 0xC4 0x44 0xBE 0xC2 ...

---- EOF - GMER 1.0.15 ----

I ran GMER after disabling McAfee and the firewalls as requested.

I also re-ran the program un-hide but my start menu folders are still not visible! I can click on the actual folders in the start menu, but then the subfolders just say "(empty)", instead of listing the contents.

Any further suggestions would be very helpful as I'm pretty sure I still have a virus/trojan given the "hidden" start menu among other items...

Thanks again!!

#6 Broni (BC Advisor)

Posted 28 June 2011 - 04:45 PM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista\Win 7 users:: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    :dir
    %Temp%\smtmp /s
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
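Added example, not from the thread and not how BleepingComputer's Unhide.exe works: a PowerShell function that puts back the shortcuts the requested SystemLook listing shows. It assumes, consistent with that listing (Accessories, Administrative Tools, Startup and the other All Users folders), that %Temp%\smtmp\1 is where the rogue moved the All Users Start Menu, whose normal home is %ProgramData%\Microsoft\Windows\Start Menu. Restore-StartMenu and its parameter names are this example's own.

```powershell
# Added example; not part of the thread and not what BleepingComputer's
# Unhide.exe does.  Assumption: %Temp%\smtmp\1 holds the All Users Start Menu
# that the Windows Recovery rogue moved out of
# %ProgramData%\Microsoft\Windows\Start Menu.  Run elevated, and only once the
# scanners come back clean, or the rogue simply empties the menu again.

function Restore-StartMenu {
    param(
        [string]$Source      = (Join-Path $env:TEMP 'smtmp\1'),
        [string]$Destination = (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu'),
        [switch]$WhatIf      # report what would change and touch nothing
    )
    if (-not (Test-Path -LiteralPath $Source)) { throw "nothing to restore: $Source does not exist" }

    $copied = 0; $skipped = 0
    # -Force includes hidden/system entries such as desktop.ini
    foreach ($item in Get-ChildItem -LiteralPath $Source -Recurse -Force) {
        $rel    = $item.FullName.Substring($Source.Length).TrimStart('\')
        $target = Join-Path $Destination $rel
        if ($item.PSIsContainer) {
            if (-not (Test-Path -LiteralPath $target)) {
                if ($WhatIf) { "would create  $target" }
                else { New-Item -ItemType Directory -Path $target -Force | Out-Null }
            }
        } elseif (Test-Path -LiteralPath $target) {
            $skipped++      # never clobber a shortcut that is already back in place
        } else {
            if ($WhatIf) { "would restore $rel" }
            else { Copy-Item -LiteralPath $item.FullName -Destination $target -Force }
            $copied++
        }
    }
    # Copy rather than move: the smtmp cache stays intact for whoever reviews the logs.
    "shortcuts to restore: $copied, already present: $skipped"
}

Restore-StartMenu -WhatIf     # dry run first
# Restore-StartMenu           # then for real
```

Run the dry run first and compare its output with the SystemLook listing; the restore only adds files that are missing from the destination, so re-running it is harmless. If SystemLook also lists smtmp\2 or higher, those subfolders hold other locations, not the All Users Start Menu, and this function should not be pointed at them.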

#7 sabatweeny (Topic Starter)

Posted 05 July 2011 - 04:01 PM

Hello again,

Here is the log from the 64-bit version. Can you please tell me what this program tells you? Thanks.

64 BIT LOG FILE:
SystemLook 04.09.10 by jpshortstuff
Log created at 16:56 on 05/07/2011 by Tates
Administrator - Elevation successful

========== dir ==========

C:\Users\Tates\AppData\Local\Temp\smtmp - Parameters: "/s"

---Files---
None found.

C:\Users\Tates\AppData\Local\Temp\smtmp\1 d------ [14:18 06/06/2011]
Adobe Stock Photos.lnk ------- 2049 bytes [06:24 25/07/2010] [06:24 25/07/2010]
Default Programs.lnk ------- 1282 bytes [05:01 14/07/2009] [05:01 14/07/2009]
desktop.ini --ahs-- 442 bytes [04:49 14/07/2009] [05:01 14/07/2009]
Windows Update.lnk ------- 1266 bytes [04:49 14/07/2009] [04:49 14/07/2009]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs d------ [14:18 06/06/2011]
Acrobat Distiller 7.0.lnk --a---- 2459 bytes [05:53 25/07/2010] [05:53 25/07/2010]
Adobe Acrobat 7.0 Professional.lnk --a---- 2447 bytes [05:53 25/07/2010] [16:30 25/07/2010]
Adobe Bridge.lnk --a---- 2083 bytes [06:24 25/07/2010] [06:24 25/07/2010]
Adobe Help Center.lnk --a---- 2087 bytes [04:05 23/07/2010] [04:05 23/07/2010]
Adobe ImageReady CS2.lnk --a---- 2044 bytes [04:03 23/07/2010] [04:03 23/07/2010]
Adobe Photoshop CS2.lnk --a---- 2047 bytes [04:03 23/07/2010] [04:03 23/07/2010]
Adobe Reader 9.lnk --a---- 2441 bytes [22:08 09/10/2010] [16:59 10/05/2011]
Apple Software Update.lnk --a---- 2519 bytes [00:44 26/07/2010] [00:44 26/07/2010]
Dell Help Documentation.lnk --a---- 1975 bytes [00:54 22/07/2010] [00:54 22/07/2010]
desktop.ini --ahs-- 1748 bytes [04:54 14/07/2009] [01:16 30/03/2011]
Media Center.lnk --a---- 1345 bytes [16:51 14/07/2010] [16:51 14/07/2010]
Opera.lnk --a---- 1843 bytes [22:06 18/04/2011] [22:06 18/04/2011]
PowerDVD DX.lnk --a---- 2084 bytes [15:06 14/07/2010] [15:06 14/07/2010]
Sidebar.lnk --a---- 1330 bytes [04:57 14/07/2009] [04:57 14/07/2009]
Windows Anytime Upgrade.lnk --a---- 1352 bytes [04:57 14/07/2009] [04:57 14/07/2009]
Windows DVD Maker.lnk --a---- 1326 bytes [16:51 14/07/2010] [16:51 14/07/2010]
Windows Fax and Scan.lnk --a---- 1210 bytes [04:54 14/07/2009] [04:54 14/07/2009]
Windows Live Mail.lnk --a---- 1460 bytes [02:42 22/10/2010] [01:15 30/03/2011]
Windows Live Messenger.lnk --a---- 2488 bytes [02:41 22/10/2010] [01:15 30/03/2011]
Windows Live Movie Maker.lnk --a---- 1307 bytes [02:42 22/10/2010] [01:15 30/03/2011]
Windows Live Photo Gallery.lnk --a---- 1376 bytes [02:42 22/10/2010] [01:16 30/03/2011]
Windows Media Player.lnk --a---- 1547 bytes [04:57 14/07/2009] [05:09 14/07/2009]
XPS Viewer.lnk --a---- 1246 bytes [04:57 14/07/2009] [04:57 14/07/2009]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\Accessories d------ [14:18 06/06/2011]
Calculator.lnk --a---- 1230 bytes [04:55 14/07/2009] [04:55 14/07/2009]
Desktop.ini --ahs-- 1876 bytes [02:36 14/07/2009] [15:01 14/07/2010]
displayswitch.lnk --a---- 1266 bytes [04:54 14/07/2009] [04:54 14/07/2009]
Math Input Panel.lnk --a---- 1364 bytes [16:51 14/07/2010] [16:51 14/07/2010]
Mobility Center.lnk --a---- 1238 bytes [16:51 14/07/2010] [16:51 14/07/2010]
Paint.lnk --a---- 1242 bytes [04:54 14/07/2009] [04:54 14/07/2009]
Remote Desktop Connection.lnk --a---- 1367 bytes [04:53 14/07/2009] [04:53 14/07/2009]
Snipping Tool.lnk --a---- 1272 bytes [16:51 14/07/2010] [16:51 14/07/2010]
Sound Recorder.lnk --a---- 1330 bytes [04:57 14/07/2009] [04:57 14/07/2009]
Sticky Notes.lnk --a---- 1351 bytes [16:51 14/07/2010] [16:51 14/07/2010]
Sync Center.lnk --a---- 1254 bytes [04:54 14/07/2009] [04:54 14/07/2009]
Welcome Center.lnk --a---- 1579 bytes [04:57 14/07/2009] [04:57 14/07/2009]
Wordpad.lnk --a---- 1322 bytes [04:54 14/07/2009] [04:54 14/07/2009]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\Accessories\Accessibility d------ [14:18 06/06/2011]
Desktop.ini --ahs-- 370 bytes [02:36 14/07/2009] [04:57 14/07/2009]
Speech Recognition.lnk --a---- 1388 bytes [04:57 14/07/2009] [04:57 14/07/2009]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\Accessories\System Tools d------ [14:18 06/06/2011]
Character Map.lnk --a---- 1248 bytes [04:55 14/07/2009] [04:55 14/07/2009]
Desktop.ini --ahs-- 1338 bytes [02:36 14/07/2009] [04:57 14/07/2009]
dfrgui.lnk --a---- 1290 bytes [04:54 14/07/2009] [04:54 14/07/2009]
Disk Cleanup.lnk --a---- 1252 bytes [04:54 14/07/2009] [04:54 14/07/2009]
Resource Monitor.lnk --a---- 1242 bytes [04:53 14/07/2009] [04:53 14/07/2009]
System Information.lnk --a---- 1250 bytes [04:53 14/07/2009] [04:53 14/07/2009]
System Restore.lnk --a---- 1246 bytes [04:54 14/07/2009] [04:54 14/07/2009]
Task Scheduler.lnk --a---- 1268 bytes [04:54 14/07/2009] [04:54 14/07/2009]
Windows Easy Transfer Reports.lnk --a---- 1320 bytes [04:57 14/07/2009] [04:57 14/07/2009]
Windows Easy Transfer.lnk --a---- 1316 bytes [04:57 14/07/2009] [04:57 14/07/2009]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\Accessories\Tablet PC d------ [14:18 06/06/2011]
Desktop.ini --ahs-- 343 bytes [07:44 14/07/2009] [16:52 14/07/2010]
ShapeCollector.lnk --a---- 1436 bytes [16:51 14/07/2010] [16:51 14/07/2010]
TabTip.lnk --a---- 1386 bytes [16:51 14/07/2010] [16:51 14/07/2010]
Windows Journal.lnk --a---- 1316 bytes [16:52 14/07/2010] [16:52 14/07/2010]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\Accessories\Windows PowerShell d------ [14:18 06/06/2011]
desktop.ini --ahs-- 216 bytes [04:57 14/07/2009] [04:57 14/07/2009]
Windows PowerShell (x86).lnk --a---- 1989 bytes [05:32 14/07/2009] [05:32 14/07/2009]
Windows PowerShell ISE (x86).lnk --a---- 1468 bytes [04:57 14/07/2009] [04:57 14/07/2009]
Windows PowerShell ISE.lnk --a---- 1468 bytes [04:57 14/07/2009] [04:57 14/07/2009]
Windows PowerShell.lnk --a---- 1899 bytes [05:32 14/07/2009] [05:32 14/07/2009]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\ACP Diabetes Care Guide d------ [14:18 06/06/2011]
ACP Diabetes Care Guide.lnk --a---- 2241 bytes [02:04 26/07/2010] [02:04 26/07/2010]
Uninstall.lnk --a---- 860 bytes [02:04 26/07/2010] [02:04 26/07/2010]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\Administrative Tools d------ [14:18 06/06/2011]
Component Services.lnk --a---- 1242 bytes [04:57 14/07/2009] [04:57 14/07/2009]
Computer Management.lnk --a---- 1294 bytes [04:54 14/07/2009] [04:54 14/07/2009]
Data Sources (ODBC).lnk --a---- 1270 bytes [04:53 14/07/2009] [04:53 14/07/2009]
desktop.ini --ahs-- 1674 bytes [04:53 14/07/2009] [04:57 14/07/2009]
Event Viewer.lnk --a---- 1298 bytes [04:54 14/07/2009] [04:54 14/07/2009]
iSCSI Initiator.lnk --a---- 1274 bytes [04:54 14/07/2009] [04:54 14/07/2009]
Memory Diagnostics Tool.lnk --a---- 1268 bytes [04:53 14/07/2009] [04:53 14/07/2009]
Performance Monitor.lnk --a---- 1232 bytes [04:53 14/07/2009] [04:53 14/07/2009]
services.lnk --a---- 1288 bytes [04:54 14/07/2009] [04:54 14/07/2009]
System Configuration.lnk --a---- 1246 bytes [04:53 14/07/2009] [04:53 14/07/2009]
Task Scheduler.lnk --a---- 1262 bytes [04:54 14/07/2009] [04:54 14/07/2009]
Windows Firewall with Advanced Security.lnk --a---- 1274 bytes [04:53 14/07/2009] [04:53 14/07/2009]
Windows PowerShell Modules.lnk --a---- 2741 bytes [05:32 14/07/2009] [05:32 14/07/2009]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\Adobe d------ [14:18 06/06/2011]
ExtendScript Toolkit.lnk --a---- 2295 bytes [04:03 23/07/2010] [06:24 25/07/2010]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\BlackBerry d------ [14:18 06/06/2011]
BlackBerry Desktop Software.lnk --a---- 2251 bytes [02:11 25/08/2010] [01:29 17/12/2010]
Readme.lnk --a---- 2242 bytes [02:11 25/08/2010] [01:29 17/12/2010]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\Catalyst Control Center d------ [14:18 06/06/2011]
CCC - Advanced.lnk --a---- 2094 bytes [14:58 14/07/2010] [14:58 14/07/2010]
CCC - Wizard.lnk --a---- 2088 bytes [14:58 14/07/2010] [14:58 14/07/2010]
CCC.lnk --a---- 2082 bytes [14:58 14/07/2010] [14:58 14/07/2010]
Help.lnk --a---- 2096 bytes [14:58 14/07/2010] [14:58 14/07/2010]
Restart Runtime.lnk --a---- 2078 bytes [14:58 14/07/2010] [14:58 14/07/2010]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\Coupons d------ [14:18 06/06/2011]
Coupons.com - Print Coupons.lnk --a---- 1917 bytes [13:01 12/05/2011] [13:01 12/05/2011]
Uninstall Coupon Printer for Windows.lnk --a---- 2069 bytes [13:02 12/05/2011] [13:02 12/05/2011]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\CutePDF d------ [14:18 06/06/2011]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\CutePDF\PDF Writer d------ [14:18 06/06/2011]
Readme.lnk --a---- 1163 bytes [01:10 03/02/2011] [01:10 03/02/2011]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\Dell d------ [14:18 06/06/2011]
Dell Dock.lnk --a---- 1012 bytes [15:24 14/07/2010] [15:24 14/07/2010]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\Dell\Dell Software & Utilities d------ [14:18 06/06/2011]
Dell Getting Started Guide.lnk --a---- 1137 bytes [15:25 14/07/2010] [15:25 14/07/2010]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\Dell DataSafe d------ [14:18 06/06/2011]
Dell DataSafe Local Backup.lnk --a---- 1862 bytes [15:04 14/07/2010] [15:04 14/07/2010]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\Dell Support Center d------ [14:18 06/06/2011]
Dell Support Center.lnk --a---- 1056 bytes [02:26 26/05/2011] [02:26 26/05/2011]
desktop.ini --ahs-- 143 bytes [02:26 26/05/2011] [02:26 26/05/2011]
PC Checkup.lnk --a---- 1116 bytes [02:26 26/05/2011] [02:26 26/05/2011]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\Dell Webcam d------ [14:18 06/06/2011]
Dell Webcam Central.lnk --a---- 2201 bytes [15:11 14/07/2010] [15:11 14/07/2010]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\Dell Webcam\Live! Cam Avatar Creator d------ [14:18 06/06/2011]
License Agreement.lnk --a---- 2222 bytes [15:12 14/07/2010] [15:12 14/07/2010]
Live! Cam Avatar Creator Help.lnk --a---- 2412 bytes [15:12 14/07/2010] [15:12 14/07/2010]
Live! Cam Avatar Creator.lnk --a---- 2398 bytes [15:12 14/07/2010] [15:12 14/07/2010]
Read Me.lnk --a---- 2215 bytes [15:12 14/07/2010] [15:12 14/07/2010]
Uninstall Live! Cam Avatar Creator.lnk --a---- 2635 bytes [15:12 14/07/2010] [15:12 14/07/2010]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\EndNote d------ [14:18 06/06/2011]
Configure EndNote.lnk --a---- 2535 bytes [03:41 05/11/2010] [03:41 05/11/2010]
EndNote Help.lnk --a---- 2541 bytes [03:41 05/11/2010] [03:41 05/11/2010]
EndNote Program.lnk --a---- 2535 bytes [03:41 05/11/2010] [03:41 05/11/2010]
Getting Started Guide.lnk --a---- 2541 bytes [03:41 05/11/2010] [03:41 05/11/2010]
Update EndNote.lnk --a---- 2535 bytes [03:41 05/11/2010] [03:41 05/11/2010]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\EPSON d------ [14:18 06/06/2011]
Artisan 710 Network Setup.lnk --a---- 2136 bytes [16:59 12/02/2011] [16:59 12/02/2011]
Shared printers monitor setting window.lnk --a---- 1213 bytes [16:58 12/02/2011] [16:58 12/02/2011]
Uninstall Artisan 710 Network Setup.lnk --a---- 2431 bytes [16:59 12/02/2011] [16:59 12/02/2011]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\EPSON\Artisan 710 Info Center d------ [14:18 06/06/2011]
Artisan 710 Info Center Uninstaller.lnk --a---- 1239 bytes [17:02 12/02/2011] [17:02 12/02/2011]
Artisan 710 Info Center.lnk --a---- 1191 bytes [17:02 12/02/2011] [17:02 12/02/2011]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\EPSON\EPSON Scan d------ [14:18 06/06/2011]
EPSON Scan Settings.lnk --a---- 949 bytes [17:37 12/02/2011] [17:37 12/02/2011]
EPSON Scan.lnk --a---- 956 bytes [17:37 12/02/2011] [17:37 12/02/2011]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\Epson Software d------ [14:18 06/06/2011]
Event Manager.lnk --a---- 2093 bytes [16:58 12/02/2011] [16:58 12/02/2011]
Print CD.lnk --a---- 872 bytes [17:01 12/02/2011] [17:01 12/02/2011]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\Epson Software\Read Me d------ [14:18 06/06/2011]
Print CD.lnk --a---- 874 bytes [17:01 12/02/2011] [17:01 12/02/2011]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\Fotobounce d------ [14:18 06/06/2011]
FAQ.lnk --a---- 1959 bytes [08:59 01/11/2010] [08:59 01/11/2010]
Fotobounce.lnk --a---- 907 bytes [08:59 01/11/2010] [08:59 01/11/2010]
Getting Started.lnk --a---- 2023 bytes [08:59 01/11/2010] [08:59 01/11/2010]
Uninstall Fotobounce.lnk --a---- 1810 bytes [08:59 01/11/2010] [08:59 01/11/2010]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\Games d------ [14:18 06/06/2011]
Chess.lnk --a---- 352 bytes [16:51 14/07/2010] [16:51 14/07/2010]
Desktop.ini --ahs-- 1128 bytes [05:32 14/07/2009] [16:52 14/07/2010]
FreeCell.lnk --a---- 364 bytes [04:55 14/07/2009] [04:55 14/07/2009]
GameExplorer.lnk --a---- 258 bytes [04:54 14/07/2009] [04:54 14/07/2009]
Hearts.lnk --a---- 356 bytes [04:57 14/07/2009] [04:57 14/07/2009]
Internet Backgammon.lnk --a---- 474 bytes [16:51 14/07/2010] [16:51 14/07/2010]
Internet Checkers.lnk --a---- 470 bytes [16:52 14/07/2010] [16:52 14/07/2010]
Internet Spades.lnk --a---- 466 bytes [16:51 14/07/2010] [16:51 14/07/2010]
Mahjong.lnk --a---- 360 bytes [16:52 14/07/2010] [16:52 14/07/2010]
Minesweeper.lnk --a---- 376 bytes [04:57 14/07/2009] [04:57 14/07/2009]
More Games from Microsoft.lnk --a---- 370 bytes [04:57 14/07/2009] [04:57 14/07/2009]
Purble Place.lnk --a---- 378 bytes [04:57 14/07/2009] [04:57 14/07/2009]
Solitaire.lnk --a---- 368 bytes [04:55 14/07/2009] [04:55 14/07/2009]
Spider Solitaire.lnk --a---- 392 bytes [04:57 14/07/2009] [04:57 14/07/2009]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\Intel PROSet Wireless d------ [14:18 06/06/2011]
Intel My WiFi Technology.lnk --a---- 2110 bytes [15:01 14/07/2010] [15:01 14/07/2010]
WiFi Advanced Statistics.lnk --a---- 2418 bytes [15:01 14/07/2010] [15:01 14/07/2010]
WiFi Event Viewer.lnk --a---- 2442 bytes [15:01 14/07/2010] [15:01 14/07/2010]
WiFi Manual Diagnostics.lnk --a---- 2482 bytes [15:01 14/07/2010] [15:01 14/07/2010]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\Maintenance d------ [14:18 06/06/2011]
Backup and Restore Center.lnk --a---- 1304 bytes [04:57 14/07/2009] [04:57 14/07/2009]
Create Recovery Disc.lnk --a---- 1248 bytes [04:57 14/07/2009] [04:57 14/07/2009]
Desktop.ini --ahs-- 606 bytes [02:36 14/07/2009] [04:57 14/07/2009]
Remote Assistance.lnk --a---- 1212 bytes [04:57 14/07/2009] [04:57 14/07/2009]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\Malwarebytes' Anti-Malware d------ [14:18 06/06/2011]
Malwarebytes' Anti-Malware Help.lnk --a---- 1129 bytes [01:32 16/10/2010] [18:33 06/02/2011]
Malwarebytes' Anti-Malware.lnk --a---- 1129 bytes [01:32 16/10/2010] [18:33 06/02/2011]
Uninstall Malwarebytes' Anti-Malware.lnk --a---- 1153 bytes [01:32 16/10/2010] [18:33 06/02/2011]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\McAfee d------ [14:18 06/06/2011]
McAfee Security Center.lnk --a---- 1848 bytes [13:01 06/06/2011] [13:01 06/06/2011]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\Microsoft Office d------ [14:18 06/06/2011]
Microsoft Office Excel 2007.lnk --a---- 2655 bytes [03:09 09/08/2010] [03:09 09/08/2010]
Microsoft Office OneNote 2007.lnk --a---- 2619 bytes [03:09 09/08/2010] [03:09 09/08/2010]
Microsoft Office PowerPoint 2007.lnk --a---- 2645 bytes [03:09 09/08/2010] [03:09 09/08/2010]
Microsoft Office Word 2007.lnk --a---- 2693 bytes [03:09 09/08/2010] [03:09 09/08/2010]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Office Tools d------ [14:18 06/06/2011]
Digital Certificate for VBA Projects.lnk --a---- 2647 bytes [03:09 09/08/2010] [03:09 09/08/2010]
Microsoft Clip Organizer.lnk --a---- 2627 bytes [03:09 09/08/2010] [03:09 09/08/2010]
Microsoft Office 2007 Language Settings.lnk --a---- 2527 bytes [03:09 09/08/2010] [03:09 09/08/2010]
Microsoft Office Diagnostics.lnk --a---- 2625 bytes [03:09 09/08/2010] [03:09 09/08/2010]
Microsoft Office Picture Manager.lnk --a---- 2605 bytes [03:09 09/08/2010] [03:09 09/08/2010]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\Microsoft Silverlight d------ [14:18 06/06/2011]
Microsoft Silverlight.lnk --a---- 2269 bytes [23:20 26/07/2010] [07:01 21/04/2011]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\MKSAP 14 d------ [14:18 06/06/2011]
MKSAP 14.lnk --a---- 2014 bytes [00:32 26/07/2010] [00:32 26/07/2010]
Uninstall.lnk --a---- 798 bytes [00:32 26/07/2010] [00:32 26/07/2010]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\QuickTime d------ [14:18 06/06/2011]
About QuickTime.lnk --a---- 2441 bytes [18:10 31/01/2011] [18:10 31/01/2011]
PictureViewer.lnk --a---- 2471 bytes [18:10 31/01/2011] [18:10 31/01/2011]
QuickTime Player.lnk --a---- 2441 bytes [18:10 31/01/2011] [18:10 31/01/2011]
Uninstall QuickTime.lnk --a---- 1818 bytes [18:10 31/01/2011] [18:10 31/01/2011]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\Roxio d------ [14:18 06/06/2011]
Roxio Burn.lnk --a---- 1027 bytes [15:20 14/07/2010] [15:20 14/07/2010]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\Roxio Easy CD & DVD Burning d------ [14:18 06/06/2011]
BackOnTrack Home.lnk --a---- 2133 bytes [15:20 14/07/2010] [15:20 14/07/2010]
Roxio Easy CD & DVD Burning.lnk --a---- 2250 bytes [15:17 14/07/2010] [15:17 14/07/2010]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\Shutterfly d------ [14:18 06/06/2011]
Shutterfly Express Uploader.lnk --a---- 1204 bytes [20:10 05/09/2010] [20:10 05/09/2010]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\Startup d------ [14:18 06/06/2011]
Bluetooth.lnk --a---- 834 bytes [15:00 14/07/2010] [15:00 14/07/2010]
desktop.ini --ahs-- 174 bytes [04:54 14/07/2009] [04:54 14/07/2009]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\Stedman's d------ [14:18 06/06/2011]
ACC Images.lnk --a---- 961 bytes [04:22 25/07/2010] [04:22 25/07/2010]
Stedman's Medical Dictionary 6.0.lnk --a---- 939 bytes [04:22 25/07/2010] [04:22 25/07/2010]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\SUPERAntiSpyware d------ [14:18 06/06/2011]
SUPERAntiSpyware Alternate Start.lnk --a---- 1589 bytes [02:31 12/08/2010] [02:31 12/08/2010]
SUPERAntiSpyware Free Edition.lnk --a---- 1661 bytes [02:31 12/08/2010] [02:31 12/08/2010]
SUPERAntiSpyware Help.lnk --a---- 785 bytes [02:31 12/08/2010] [02:31 12/08/2010]
SUPERAntiSpyware Registration-Activation.lnk --a---- 1683 bytes [02:31 12/08/2010] [02:31 12/08/2010]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\Tablet PC d------ [14:18 06/06/2011]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\Windows Live d------ [14:18 06/06/2011]
desktop.ini --ahs-- 95 bytes [02:43 22/10/2010] [01:16 30/03/2011]
Windows Live Writer.lnk --a---- 2350 bytes [02:43 22/10/2010] [01:16 30/03/2011]

C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\WinRAR d------ [14:18 06/06/2011]
Console RAR manual.lnk --a---- 1006 bytes [01:08 16/09/2010] [01:08 16/09/2010]
WinRAR help.lnk --a---- 1025 bytes [01:08 16/09/2010] [01:08 16/09/2010]
WinRAR.lnk --a---- 1025 bytes [01:08 16/09/2010] [01:08 16/09/2010]

C:\Users\Tates\AppData\Local\Temp\smtmp\3 d------ [14:18 06/06/2011]
desktop.ini --ahs-- 211 bytes [01:09 22/07/2010] [09:57 19/02/2011]
Internet Explorer.lnk ------- 1445 bytes [01:09 22/07/2010] [01:09 22/07/2010]
Malwarebytes' Anti-Malware.lnk ------- 1029 bytes [03:52 16/10/2010] [01:32 16/10/2010]
Photoshop CS2.lnk ------- 1696 bytes [14:42 07/08/2010] [06:18 25/07/2010]
SUPERAntiSpyware Free Edition.lnk ------- 1661 bytes [03:51 16/10/2010] [02:31 12/08/2010]
Windows Explorer.lnk ------- 1228 bytes [09:57 19/02/2011] [04:49 14/07/2009]
Windows Media Player.lnk ------- 1547 bytes [03:40 12/08/2010] [05:09 14/07/2009]

C:\Users\Tates\AppData\Local\Temp\smtmp\4 d------ [14:18 06/06/2011]
BlackBerry Desktop Software.lnk ------- 2233 bytes [02:11 25/08/2010] [01:29 17/12/2010]
desktop.ini --ahs-- 174 bytes [04:54 14/07/2009] [04:54 14/07/2009]
fotobounce.lnk ------- 889 bytes [08:59 01/11/2010] [08:59 01/11/2010]
Shutterfly Express Uploader.lnk ------- 1186 bytes [20:10 05/09/2010] [20:10 05/09/2010]

-= EOF =-

#8 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:03:30 AM

Posted 05 July 2011 - 04:09 PM

SystemLook is nothing more than just an enhanced search program.
The infection you had moved all links from appropriate folders to the C:\Users\Tates\AppData\Local\Temp\smtmp folder.
I was checking if those "backups" are there and luckily... they are :)

There is a new version of UnHide, so let's try it again.
Let's see if we can recover your missing features.
Download and run UnHide

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE
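The mechanism described in the post above (the rogue moves Start Menu, taskbar and desktop shortcuts into %TEMP%\smtmp, and UnHide moves them back) as an added Python example that is not part of the thread and not UnHide's or SystemLook's code: it parses a SystemLook-style listing of the smtmp folder, builds a restore plan, and flags entries that do not belong in a shortcut backup. The mapping of the numbered smtmp subfolders to their original shell folders, the `<user>` placeholder and the `helper.exe` line in the sample are assumptions or constructed data, not facts from the thread.

```python
"""Added example (not from the thread, UnHide or SystemLook): parse a
SystemLook-style listing of the rogue's smtmp folder and build a restore plan."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Folder header:  C:\...\smtmp\1\Programs\WinRAR d------ [14:18 06/06/2011]
DIR_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?)\s+d[-a-z]{6}\s+\[[^\]]+\]$")
# File entry:     WinRAR.lnk --a---- 1025 bytes [01:08 16/09/2010] [01:08 16/09/2010]
FILE_RE = re.compile(r"^(?P<name>.+?)\s+(?P<attrs>[-a-z]{7})\s+\d+ bytes"
                     r"\s+\[[^\]]+\]\s+\[[^\]]+\]$")

# ASSUMED mapping of the numbered backup folders to the shell folders the
# shortcuts came from; the thread does not state it and <user> is a
# placeholder, so verify on the machine before moving anything.
SMTMP_ROOTS: Dict[str, str] = {
    "1": r"C:\ProgramData\Microsoft\Windows\Start Menu",
    "2": r"C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu",
    "3": r"C:\Users\<user>\AppData\Roaming\Microsoft\Internet Explorer"
         r"\Quick Launch\User Pinned\TaskBar",
    "4": r"C:\Users\Public\Desktop",
}

@dataclass
class Entry:
    folder: str   # smtmp folder holding the file
    name: str
    attrs: str    # seven-character SystemLook attribute field, e.g. --ahs--

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def path(self) -> str:
        return self.folder + "\\" + self.name

def parse_listing(text: str) -> List[Entry]:
    """Attach each file line to the most recent folder header above it."""
    entries: List[Entry] = []
    folder: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = DIR_RE.match(line)
        if m:
            folder = m.group("path")
            continue
        m = FILE_RE.match(line)
        if m and folder is not None:
            entries.append(Entry(folder, m.group("name"), m.group("attrs")))
    return entries

def restore_target(entry: Entry, smtmp: str) -> Optional[Tuple[str, str]]:
    """(source, destination) for an entry below smtmp\\<n>\\..., else None."""
    prefix = smtmp.rstrip("\\").lower() + "\\"
    if not entry.folder.lower().startswith(prefix):
        return None
    bucket, _, tail = entry.folder[len(prefix):].partition("\\")
    root = SMTMP_ROOTS.get(bucket)
    if root is None:
        return None
    dest_dir = root + ("\\" + tail if tail else "")
    return entry.path, dest_dir + "\\" + entry.name

def build_plan(text: str, smtmp: str) -> Dict[str, list]:
    """Restore plan plus entries to inspect by hand before restoring: hidden
    files other than desktop.ini, and anything that is not a .lnk shortcut."""
    plan: Dict[str, list] = {"moves": [], "suspicious": [], "unmapped": []}
    for e in parse_listing(text):
        target = restore_target(e, smtmp)
        if target is None:
            plan["unmapped"].append(e.path)
            continue
        lower = e.name.lower()
        is_ini = lower == "desktop.ini"
        if (e.hidden and not is_ini) or not (lower.endswith(".lnk") or is_ini):
            plan["suspicious"].append(e.path)
        plan["moves"].append(target)
    return plan

# Constructed sample modelled on the listing in the thread; helper.exe is an
# invented line included only to exercise the "suspicious" branch.
SAMPLE_LISTING = r"""
C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\WinRAR d------ [14:18 06/06/2011]
Console RAR manual.lnk --a---- 1006 bytes [01:08 16/09/2010] [01:08 16/09/2010]
WinRAR.lnk --a---- 1025 bytes [01:08 16/09/2010] [01:08 16/09/2010]
C:\Users\Tates\AppData\Local\Temp\smtmp\1\Programs\Startup d------ [14:18 06/06/2011]
Bluetooth.lnk --a---- 834 bytes [15:00 14/07/2010] [15:00 14/07/2010]
desktop.ini --ahs-- 174 bytes [04:54 14/07/2009] [04:54 14/07/2009]
helper.exe --ah--- 4096 bytes [14:18 06/06/2011] [14:18 06/06/2011]
C:\Users\Tates\AppData\Local\Temp\smtmp\4 d------ [14:18 06/06/2011]
fotobounce.lnk ------- 889 bytes [08:59 01/11/2010] [08:59 01/11/2010]
"""
```

Calling `build_plan(SAMPLE_LISTING, r"C:\Users\Tates\AppData\Local\Temp\smtmp")` yields six moves and lists the invented `helper.exe` under `suspicious`, which is the sort of entry to look at before restoring anything.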



#9 sabatweeny

sabatweeny
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:30 AM

Posted 18 July 2011 - 12:59 PM

That's weird... it didn't work right away, even after I rebooted my computer multiple times. But today it is working and I can see all my files, including those in the start menu. When you said everything was moved to the smtmp folder... do I need to move anything back? Or is that what unhide did?

Anyway, thanks for all your amazing help. I would like to provide a donation but could you please advise me what would be an appropriate amount? That would be very helpful for me and I hope you are "allowed" to answer this.

Thanks again!

#10 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:03:30 AM

Posted 18 July 2011 - 01:11 PM

You're welcome :)

Or is that what unhide did?

Exactly.

Let's run a couple more scans just to make sure....

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart your computer.

=============================================================================

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.



#11 sabatweeny

sabatweeny
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:30 AM

Posted 02 August 2011 - 09:26 PM

WOW! You were right.... computer was still infected. I have been updating McAfee antivirus, SUPERAntiSpyware, and Malwarebytes Anti-Malware religiously since I first asked for your help and they didn't find anything. But, I ran ESET like you said and that program found 2 more viruses. AND... they were from Dell Local Backup, believe it or not. Needless to say, ESET removed them and I deleted the entire program. But it looks like there are still "errors" that your new programs found. I will post the logs below. What do you think? And please do tell me what would be an appropriate donation amount... please! :-)

**********
MiniToolBox by Farbar
Ran by Tates (administrator) on 02-08-2011 at 18:35:12
Windows 7 Home Premium Service Pack 1 (X64)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================



========================= IP Configuration: ================================

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : TheBee
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : westell.com

Wireless LAN adapter Wireless Network Connection 3:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter #2
Physical Address. . . . . . . . . : 00-23-14-D2-5F-B5
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection 2:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter
Physical Address. . . . . . . . . : 00-23-14-D2-5F-B5
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . : westell.com
Description . . . . . . . . . . . : Intel® Centrino® Advanced-N 6200 AGN
Physical Address. . . . . . . . . : 00-23-14-D2-5F-B4
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5d9f:ea0e:971a:173f%13(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.39(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, August 01, 2011 3:47:31 PM
Lease Expires . . . . . . . . . . : Wednesday, August 03, 2011 5:47:21 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 218112788
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-CF-A2-C8-00-26-B9-EB-52-AE
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Bluetooth Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
Physical Address. . . . . . . . . : 50-63-13-96-BF-94
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : 00-26-B9-EB-52-AE
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.westell.com:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : westell.com
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{FD9B6594-4C8D-42A5-8919-101E8C546B92}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{4C553CD3-4B74-4C60-A2A9-4C0CD019B2CA}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{8A1929CE-78BF-4C15-A96B-CA433DA383FC}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:437:3dcc:52c4:beee(Preferred)
Link-local IPv6 Address . . . . . : fe80::437:3dcc:52c4:beee%16(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{F4880EC2-6852-4DF6-86FD-9FB79FACCE0D}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #5
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: dslrouter.westell.com
Address: 192.168.1.1

Name: google.com
Addresses: 74.125.91.147
74.125.91.99
74.125.91.106
74.125.91.103
74.125.91.105
74.125.91.104


Pinging google.com [74.125.91.104] with 32 bytes of data:
Request timed out.
Reply from 74.125.91.104: bytes=32 time=42ms TTL=53

Ping statistics for 74.125.91.104:
Packets: Sent = 2, Received = 1, Lost = 1 (50% loss),
Approximate round trip times in milli-seconds:
Minimum = 42ms, Maximum = 42ms, Average = 42ms
Server: dslrouter.westell.com
Address: 192.168.1.1

Name: yahoo.com
Addresses: 72.30.2.43
98.137.149.56
209.191.122.70
67.195.160.76
69.147.125.65


Pinging yahoo.com [69.147.125.65] with 32 bytes of data:
Reply from 69.147.125.65: bytes=32 time=34ms TTL=54
Reply from 69.147.125.65: bytes=32 time=34ms TTL=54

Ping statistics for 69.147.125.65:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 34ms, Maximum = 34ms, Average = 34ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time=2ms TTL=128
Reply from 127.0.0.1: bytes=32 time=2ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 2ms, Average = 2ms
===========================================================================
Interface List
15...00 23 14 d2 5f b5 ......Microsoft Virtual WiFi Miniport Adapter #2
14...00 23 14 d2 5f b5 ......Microsoft Virtual WiFi Miniport Adapter
13...00 23 14 d2 5f b4 ......Intel® Centrino® Advanced-N 6200 AGN
11...50 63 13 96 bf 94 ......Bluetooth Device (Personal Area Network)
10...00 26 b9 eb 52 ae ......Realtek PCIe GBE Family Controller
1...........................Software Loopback Interface 1
18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
16...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
22...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #5
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.39 30
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.39 286
192.168.1.39 255.255.255.255 On-link 192.168.1.39 286
192.168.1.255 255.255.255.255 On-link 192.168.1.39 286
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.39 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.39 286
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
16 58 ::/0 On-link
1 306 ::1/128 On-link
16 58 2001::/32 On-link
16 306 2001:0:4137:9e76:437:3dcc:52c4:beee/128
On-link
13 286 fe80::/64 On-link
16 306 fe80::/64 On-link
16 306 fe80::437:3dcc:52c4:beee/128
On-link
13 286 fe80::5d9f:ea0e:971a:173f/128
On-link
1 306 ff00::/8 On-link
16 306 ff00::/8 On-link
13 286 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (08/02/2011 03:55:09 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (08/02/2011 01:49:23 AM) (Source: Application Error) (User: )
Description: Faulting application name: mcagent.exe, version: 10.5.237.0, time stamp: 0x4d9b3584
Faulting module name: mcupdshm.dll, version: 10.5.177.0, time stamp: 0x4bcccd5d
Exception code: 0xc0000005
Fault offset: 0x00000000000086a4
Faulting process id: 0x1410
Faulting application start time: 0xmcagent.exe0
Faulting application path: mcagent.exe1
Faulting module path: mcagent.exe2
Report Id: mcagent.exe3

Error: (08/01/2011 03:47:40 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (07/31/2011 05:15:02 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (07/30/2011 05:14:46 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (07/29/2011 05:14:29 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (07/28/2011 03:12:35 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (07/27/2011 03:12:19 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (07/26/2011 03:12:14 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (07/26/2011 00:28:22 AM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore.exe, version: 9.0.8112.16421, time stamp: 0x4d76255d
Faulting module name: Multimedia.api, version: 9.4.5.236, time stamp: 0x4dee7e8c
Exception code: 0x40000015
Fault offset: 0x0003bae8
Faulting process id: 0x1424
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3


System errors:
=============
Error: (08/02/2011 03:55:08 PM) (Source: BTHUSB) (User: )
Description: The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.

Error: (08/02/2011 01:55:28 PM) (Source: BTHUSB) (User: )
Description: The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.

Error: (08/02/2011 03:11:25 AM) (Source: BTHUSB) (User: )
Description: The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.

Error: (08/02/2011 01:14:06 AM) (Source: BTHUSB) (User: )
Description: The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.

Error: (08/01/2011 05:14:05 PM) (Source: BTHUSB) (User: )
Description: The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.

Error: (08/01/2011 03:47:25 PM) (Source: Service Control Manager) (User: )
Description: The SessionLauncher service failed to start due to the following error:
%%2

Error: (07/31/2011 11:44:21 PM) (Source: DCOM) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (07/31/2011 10:00:34 PM) (Source: BTHUSB) (User: )
Description: The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.

Error: (07/31/2011 11:43:21 AM) (Source: BTHUSB) (User: )
Description: The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.

Error: (07/31/2011 09:22:10 AM) (Source: BTHUSB) (User: )
Description: The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.


Microsoft Office Sessions:
=========================
Error: (04/09/2011 04:20:39 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 3, Application Name: Microsoft Office PowerPoint, Application Version: 12.0.6500.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 2145 seconds with 540 seconds of active time. This session ended with a crash.


========================= Memory info: ===================================

Percentage of memory in use: 50%
Total physical RAM: 4084.51 MB
Available physical RAM: 2005.86 MB
Total Pagefile: 8167.22 MB
Available Pagefile: 5096.79 MB
Total Virtual: 4095.88 MB
Available Virtual: 3966.41 MB

========================= Partitions: =====================================

1 Drive c: (OS) (Fixed) (Total:451.07 GB) (Free:265.43 GB) NTFS

========================= Users: ========================================

User accounts for \\THEBEE

Administrator Guest Tates


== End of log ==





*****************
Results of screen317's Security Check version 0.99.7
Windows 7 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
McAfee Security Center
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java Web Start
Java™ 6 Update 20
Java 2 Runtime Environment, SE v1.4.1_02
Out of date Java installed!
Adobe Flash Player 10.1.53.64
Adobe Reader 9.4.5
Japanese Fonts Support For Adobe Reader 9
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
``````````End of Log````````````




***************
C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe a variant of Win32/HiddenStart.A application cleaned by deleting - quarantined
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A application cleaned by deleting - quarantined



MANY THANKS FOR YOUR CONTINUED ASSISTANCE!!

#12 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:03:30 AM

Posted 02 August 2011 - 09:29 PM

You're very welcome :)

Those ESET findings are not a big deal, because they were not active, but good we checked.

1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove the old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.

======================================================================

Update Adobe Reader

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed, UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Alternatively, you can uninstall Adobe Reader (33.5 MB), and download and install Foxit PDF Reader (3.5 MB) from HERE.
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.

=================================================================

Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll remove all old restore points and create a fresh, clean restore point.

Turn system restore off.
Restart computer.
Turn system restore back on.

If you don't know how to do it...
Windows XP: http://support.microsoft.com/kb/310405
Vista and Windows 7: http://www.howtogeek.com/howto/windows-vista/disable-system-restore-in-windows-vista/

2. Make sure Windows Updates are current.

3. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

4. Run Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

5. Run Temporary File Cleaner (TFC) weekly.

6. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

7. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

8. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

9. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html





