
STOP: C0000135 The program can't start because %hs is missing. Try reinstalling the program


16 replies to this topic

#1 quiksilvermp3

Posted 13 April 2012 - 02:23 PM

Good Afternoon,

I have another student computer displaying the above stop code. The computer had been booting fine until the last restart I did; now it will not boot to the desktop, just to the blue screen with the above stop code. It had been infected by a virus that displayed multiple fake system messages, but I thought I had got rid of everything by using MalwareBytes and Microsoft Security Essentials. This student had been running without virus protection for who knows how long.

FRST log is attached

Attached Files

  • Attached File  FRST.txt   35.15KB   7 downloads




#2 Oh My!

Malware Response Instructor

Posted 13 April 2012 - 04:49 PM

Greetings quiksilvermp3 and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you!


===================================================


Ground Rules:

  • First, I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the [image] button but use the [image] button instead.
  • In the upper right hand corner of the topic you will see the [image] button. Click on this, then choose Immediate E-Mail notification and then Proceed, and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:

===================================================


Please allow me some time to review the information you have provided. I will post back as soon as possible.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Oh My!

Posted 14 April 2012 - 03:56 PM

Greetings quiksilvermp3,


Thank you for allowing me some time to review your log. I have provided an initial step for you to take but I must first warn you of the following:


===================================================


BACKDOOR WARNING!

--------------------

One or more of the identified infections [ZeroAccess] is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


===================================================


Panda USB Vaccine

--------------------

From a clean computer, please download and use Panda USB Vaccine.

Alternate download link 1
Alternate download link 2

  • Double-click on USBVaccineSetup.exe to install the program to C:\Program Files\Panda USB Vaccine.
  • Read and accept the license agreement, then click Next.
  • When setup completes, make sure "Launch Panda USB Vaccine" is checked and click Finish to open the program.
  • Click the Vaccinate computer button. It should now show a green checkmark and confirm Computer vaccinated.
  • Hold down the Shift key and insert your USB flash drive.
  • When the name of the drive appears in the dialog box, click the button to Vaccinate USB drive(s).
  • Exit the program when done
Note: Computer Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced and creates an AUTORUN_.INF as protection against malicious code. The Panda Research Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.


===================================================


Farbar's Recovery Scan Tool - Run Fix

--------------------

  • From a clean computer press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt

    HKLM-x32\...\Run: [dplaysvr] C:\Windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe [x]
    C:\Windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe
    HKLM-x32\...\Run: [daDyaeJQgtiFQ.exe] C:\ProgramData\daDyaeJQgtiFQ.exe [324096 2012-04-13] ( )
    2012-04-13 08:14 - 2012-04-13 08:12 - 0324096 ___AH ( ) C:\Users\All Users\daDyaeJQgtiFQ.exe
    2012-04-13 08:14 - 2012-04-13 08:12 - 0324096 ___AH ( ) C:\ProgramData\daDyaeJQgtiFQ.exe
    SubSystems: [Windows] ==> ZeroAccess
    TDL4: custom:26000022
    1 mabijnhz; \??\C:\Windows\system32\drivers\mabijnhz.sys [x]
    1 meyfdpjc; \??\C:\Windows\system32\drivers\meyfdpjc.sys [x]
    C:\Windows\system32\drivers\mabijnhz.sys
    C:\Windows\system32\drivers\meyfdpjc.sys
    2012-04-12 12:02 - 2012-04-13 05:41 - 0000342 ___AH C:\Windows\Tasks\At48.job
    2012-04-12 12:02 - 2012-04-13 05:41 - 0000342 ___AH C:\Windows\Tasks\At47.job
    2012-04-12 12:02 - 2012-04-12 17:04 - 0000342 ___AH C:\Windows\Tasks\At46.job
    2012-04-12 12:02 - 2012-04-12 17:04 - 0000342 ___AH C:\Windows\Tasks\At45.job
    2012-04-12 12:01 - 2012-04-13 10:05 - 0000342 ___AH C:\Windows\Tasks\At39.job
    2012-04-12 12:01 - 2012-04-13 10:05 - 0000340 ___AH C:\Windows\Tasks\At15.job
    2012-04-12 12:01 - 2012-04-13 09:00 - 0000342 ___AH C:\Windows\Tasks\At38.job
    2012-04-12 12:01 - 2012-04-13 09:00 - 0000340 ___AH C:\Windows\Tasks\At14.job
    2012-04-12 12:01 - 2012-04-13 08:00 - 0000342 ___AH C:\Windows\Tasks\At37.job
    2012-04-12 12:01 - 2012-04-13 08:00 - 0000340 ___AH C:\Windows\Tasks\At13.job
    2012-04-12 12:01 - 2012-04-13 07:00 - 0000342 ___AH C:\Windows\Tasks\At36.job
    2012-04-12 12:01 - 2012-04-13 07:00 - 0000340 ___AH C:\Windows\Tasks\At12.job
    2012-04-12 12:01 - 2012-04-13 06:53 - 0000342 ___AH C:\Windows\Tasks\At41.job
    2012-04-12 12:01 - 2012-04-13 06:53 - 0000342 ___AH C:\Windows\Tasks\At40.job
    2012-04-12 12:01 - 2012-04-13 06:53 - 0000342 ___AH C:\Windows\Tasks\At34.job
    2012-04-12 12:01 - 2012-04-13 06:53 - 0000342 ___AH C:\Windows\Tasks\At33.job
    2012-04-12 12:01 - 2012-04-13 06:53 - 0000342 ___AH C:\Windows\Tasks\At32.job
    2012-04-12 12:01 - 2012-04-13 06:53 - 0000342 ___AH C:\Windows\Tasks\At31.job
    2012-04-12 12:01 - 2012-04-13 06:53 - 0000342 ___AH C:\Windows\Tasks\At30.job
    2012-04-12 12:01 - 2012-04-13 06:53 - 0000342 ___AH C:\Windows\Tasks\At29.job
    2012-04-12 12:01 - 2012-04-13 06:53 - 0000340 ___AH C:\Windows\Tasks\At9.job
    2012-04-12 12:01 - 2012-04-13 06:53 - 0000340 ___AH C:\Windows\Tasks\At8.job
    2012-04-12 12:01 - 2012-04-13 06:53 - 0000340 ___AH C:\Windows\Tasks\At7.job
    2012-04-12 12:01 - 2012-04-13 06:53 - 0000340 ___AH C:\Windows\Tasks\At6.job
    2012-04-12 12:01 - 2012-04-13 06:53 - 0000340 ___AH C:\Windows\Tasks\At5.job
    2012-04-12 12:01 - 2012-04-13 06:53 - 0000340 ___AH C:\Windows\Tasks\At17.job
    2012-04-12 12:01 - 2012-04-13 06:53 - 0000340 ___AH C:\Windows\Tasks\At16.job
    2012-04-12 12:01 - 2012-04-13 06:53 - 0000340 ___AH C:\Windows\Tasks\At10.job
    2012-04-12 12:01 - 2012-04-13 06:00 - 0000342 ___AH C:\Windows\Tasks\At35.job
    2012-04-12 12:01 - 2012-04-13 06:00 - 0000340 ___AH C:\Windows\Tasks\At11.job
    2012-04-12 12:01 - 2012-04-13 05:42 - 0000340 ___AH C:\Windows\Tasks\At24.job
    2012-04-12 12:01 - 2012-04-13 05:42 - 0000340 ___AH C:\Windows\Tasks\At23.job
    2012-04-12 12:01 - 2012-04-13 05:42 - 0000340 ___AH C:\Windows\Tasks\At2.job
    2012-04-12 12:01 - 2012-04-13 05:41 - 0000342 ___AH C:\Windows\Tasks\At28.job
    2012-04-12 12:01 - 2012-04-13 05:41 - 0000342 ___AH C:\Windows\Tasks\At27.job
    2012-04-12 12:01 - 2012-04-13 05:41 - 0000342 ___AH C:\Windows\Tasks\At26.job
    2012-04-12 12:01 - 2012-04-13 05:41 - 0000342 ___AH C:\Windows\Tasks\At25.job
    2012-04-12 12:01 - 2012-04-13 05:41 - 0000340 ___AH C:\Windows\Tasks\At4.job
    2012-04-12 12:01 - 2012-04-13 05:41 - 0000340 ___AH C:\Windows\Tasks\At3.job
    2012-04-12 12:01 - 2012-04-13 05:41 - 0000340 ___AH C:\Windows\Tasks\At1.job
    2012-04-12 12:01 - 2012-04-12 17:04 - 0000342 ___AH C:\Windows\Tasks\At44.job
    2012-04-12 12:01 - 2012-04-12 17:04 - 0000342 ___AH C:\Windows\Tasks\At43.job
    2012-04-12 12:01 - 2012-04-12 17:04 - 0000342 ___AH C:\Windows\Tasks\At42.job
    2012-04-12 12:01 - 2012-04-12 17:04 - 0000340 ___AH C:\Windows\Tasks\At22.job
    2012-04-12 12:01 - 2012-04-12 17:04 - 0000340 ___AH C:\Windows\Tasks\At21.job
    2012-04-12 12:01 - 2012-04-12 17:04 - 0000340 ___AH C:\Windows\Tasks\At20.job
    2012-04-12 12:01 - 2012-04-12 17:04 - 0000340 ___AH C:\Windows\Tasks\At19.job
    2012-04-12 12:01 - 2012-04-12 17:04 - 0000340 ___AH C:\Windows\Tasks\At18.job
    2012-04-12 11:12 - 2012-04-12 11:37 - 0000168 ___AH C:\Users\All Users\-1QkVFHM9vBp405r
    2012-04-12 11:12 - 2012-04-12 11:37 - 0000168 ___AH C:\ProgramData\-1QkVFHM9vBp405r
    2012-04-12 11:12 - 2012-04-12 11:37 - 0000000 ___AH C:\Users\All Users\-1QkVFHM9vBp405
    2012-04-12 11:12 - 2012-04-12 11:37 - 0000000 ___AH C:\ProgramData\-1QkVFHM9vBp405
    2012-04-12 11:12 - 2012-04-12 11:35 - 0000256 ___AH C:\Users\All Users\1QkVFHM9vBp405
    2012-04-12 11:12 - 2012-04-12 11:35 - 0000256 ___AH C:\ProgramData\1QkVFHM9vBp405
    2012-04-09 08:35 - 2012-04-09 08:35 - 0000000 ___HD C:\Users\All Users\B7E85B3E000435DB000423F3B4EB2367
    2012-04-09 08:35 - 2012-04-09 08:35 - 0000000 ___HD C:\ProgramData\B7E85B3E000435DB000423F3B4EB2367
    
  • NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Insert the USB device into your infected computer
  • Enter the System Recovery Options (press F8 during boot up) and select Command Prompt.
  • Run FRST as you did the first time and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the flashdrive (Fixlog.txt) please post it to your reply.
  • Please attempt to boot your computer into Normal Mode

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • Fixlog.txt
  • How is your computer running?

Gary

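The fixlist above is built from FRST listing lines: creation time, last-modification time, size, attribute letters, an optional "(company)" field and the path. What follows is an added example, not part of this thread and not Farbar's code: a Python parser for those lines plus the triage rules a responder applies by eye when reading such a list: a hidden item dropped straight into ProgramData (or its C:\Users\All Users alias), a creation time later than the modification time (a file copied in with its timestamp preserved), an executable for which FRST printed an empty company field, and a burst of At<n>.job tasks created within the same minute. The sample input reuses lines from the fixlist above plus one constructed benign line; the burst threshold of five is an assumption.

```python
"""Triage FRST file-listing lines of the kind used in the fixlist above.

Added example, not part of the thread and not Farbar's code. Each FRST listing line is
"<created> - <modified> - <size> <attributes> [(company)] <path>"; the rules below are the
ones a responder applies by eye, with assumed thresholds.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]+) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>\S.*?)\s*$"
)
TIME_FMT = "%Y-%m-%d %H:%M"

# Roots under which this kind of malware drops hidden, randomly named files.
# C:\Users\All Users is the Windows 7 junction to C:\ProgramData, so both spellings appear.
PROGRAMDATA_ROOTS = ("c:\\programdata\\", "c:\\users\\all users\\")
AT_JOB_RE = re.compile(r"^c:\\windows\\tasks\\at\d+\.job$", re.IGNORECASE)


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: int
    attrs: str           # FRST attribute letters, e.g. ___AH (A=archive, H=hidden, D=directory)
    company: str | None  # text inside "( )" when FRST printed a company field, else None
    path: str

    @property
    def hidden(self) -> bool:
        return "H" in self.attrs

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs


def parse_line(line: str) -> Entry | None:
    """Parse one FRST listing line; return None for lines in any other format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        created=datetime.strptime(m["created"], TIME_FMT),
        modified=datetime.strptime(m["modified"], TIME_FMT),
        size=int(m["size"]),
        attrs=m["attrs"],
        company=m["company"],
        path=m["path"],
    )


def triage(lines: list[str], burst_threshold: int = 5) -> list[tuple[str, str]]:
    """Return (path, reason) findings for every line that matches a rule."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    findings: list[tuple[str, str]] = []

    for e in entries:
        low = e.path.lower()
        # Rule 1: hidden file or directory sitting directly under ProgramData.
        for root in PROGRAMDATA_ROOTS:
            if low.startswith(root) and "\\" not in low[len(root):] and e.hidden:
                findings.append((e.path, "hidden item directly under ProgramData"))
        # Rule 2: created after its last modification -> copied in with mtime preserved.
        if not e.is_dir and e.created > e.modified:
            findings.append((e.path, "creation time later than modification time"))
        # Rule 3: executable for which FRST printed an empty company field.
        if low.endswith(".exe") and e.company is not None and not e.company.strip():
            findings.append((e.path, "executable with empty company/version information"))

    # Rule 4: many At<n>.job scheduled tasks created within the same minute.
    per_minute = Counter(e.created for e in entries if AT_JOB_RE.match(e.path))
    for minute, count in sorted(per_minute.items()):
        if count >= burst_threshold:
            findings.append((f"C:\\Windows\\Tasks\\At*.job created {minute:{TIME_FMT}}",
                             f"{count} At*.job tasks created in one minute"))
    return findings


# Sample input: lines copied from the fixlist in this thread, plus one constructed benign line.
SAMPLE_LINES = [
    r"2012-04-13 08:14 - 2012-04-13 08:12 - 0324096 ___AH ( ) C:\ProgramData\daDyaeJQgtiFQ.exe",
    r"2012-04-12 12:02 - 2012-04-13 05:41 - 0000342 ___AH C:\Windows\Tasks\At48.job",
    r"2012-04-12 12:02 - 2012-04-13 05:41 - 0000342 ___AH C:\Windows\Tasks\At47.job",
    r"2012-04-12 12:01 - 2012-04-13 06:53 - 0000340 ___AH C:\Windows\Tasks\At9.job",
    r"2012-04-12 12:01 - 2012-04-13 06:53 - 0000340 ___AH C:\Windows\Tasks\At8.job",
    r"2012-04-12 12:01 - 2012-04-13 06:53 - 0000340 ___AH C:\Windows\Tasks\At7.job",
    r"2012-04-12 12:01 - 2012-04-13 06:53 - 0000340 ___AH C:\Windows\Tasks\At6.job",
    r"2012-04-12 12:01 - 2012-04-13 06:53 - 0000340 ___AH C:\Windows\Tasks\At5.job",
    r"2012-04-12 11:12 - 2012-04-12 11:37 - 0000168 ___AH C:\ProgramData\-1QkVFHM9vBp405r",
    r"2012-04-09 08:35 - 2012-04-09 08:35 - 0000000 ___HD C:\ProgramData\B7E85B3E000435DB000423F3B4EB2367",
    # constructed benign line: a normal, non-hidden file deeper in the tree
    r"2012-03-01 09:00 - 2012-03-02 10:00 - 0000174 ____A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini",
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LINES):
        print(f"{reason:55} {path}")
```

The rules are deliberately narrow: a hidden item under ProgramData\Microsoft\... is normal, so only items directly under the root are flagged, and the At*.job rule needs several tasks in one minute rather than any single job, which keeps legitimately scheduled work out of the findings.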
#4 quiksilvermp3 (Topic Starter)

Posted 16 April 2012 - 09:13 AM

Fix result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 29-02-2012 01
Ran by SYSTEM at 2012-04-16 10:05:25 R:2
Running from D:\

==============================================

HKLM-x32\\\.\.\.\\Run\\dplaysvr Value deleted successfully.
C:\Windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe not found.
HKLM-x32\\\.\.\.\\Run\\daDyaeJQgtiFQ.exe Value deleted successfully.
C:\Users\All Users\daDyaeJQgtiFQ.exe moved successfully.
C:\ProgramData\daDyaeJQgtiFQ.exe not found.
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored.

The operation completed successfully.
The operation completed successfully.
mabijnhz service deleted successfully.
meyfdpjc service deleted successfully.
C:\Windows\system32\drivers\mabijnhz.sys not found.
C:\Windows\system32\drivers\meyfdpjc.sys not found.
C:\Windows\Tasks\At48.job moved successfully.
C:\Windows\Tasks\At47.job moved successfully.
C:\Windows\Tasks\At46.job moved successfully.
C:\Windows\Tasks\At45.job moved successfully.
C:\Windows\Tasks\At39.job moved successfully.
C:\Windows\Tasks\At15.job moved successfully.
C:\Windows\Tasks\At38.job moved successfully.
C:\Windows\Tasks\At14.job moved successfully.
C:\Windows\Tasks\At37.job moved successfully.
C:\Windows\Tasks\At13.job moved successfully.
C:\Windows\Tasks\At36.job moved successfully.
C:\Windows\Tasks\At12.job moved successfully.
C:\Windows\Tasks\At41.job moved successfully.
C:\Windows\Tasks\At40.job moved successfully.
C:\Windows\Tasks\At34.job moved successfully.
C:\Windows\Tasks\At33.job moved successfully.
C:\Windows\Tasks\At32.job moved successfully.
C:\Windows\Tasks\At31.job moved successfully.
C:\Windows\Tasks\At30.job moved successfully.
C:\Windows\Tasks\At29.job moved successfully.
C:\Windows\Tasks\At9.job moved successfully.
C:\Windows\Tasks\At8.job moved successfully.
C:\Windows\Tasks\At7.job moved successfully.
C:\Windows\Tasks\At6.job moved successfully.
C:\Windows\Tasks\At5.job moved successfully.
C:\Windows\Tasks\At17.job moved successfully.
C:\Windows\Tasks\At16.job moved successfully.
C:\Windows\Tasks\At10.job moved successfully.
C:\Windows\Tasks\At35.job moved successfully.
C:\Windows\Tasks\At11.job moved successfully.
C:\Windows\Tasks\At24.job moved successfully.
C:\Windows\Tasks\At23.job moved successfully.
C:\Windows\Tasks\At2.job moved successfully.
C:\Windows\Tasks\At28.job moved successfully.
C:\Windows\Tasks\At27.job moved successfully.
C:\Windows\Tasks\At26.job moved successfully.
C:\Windows\Tasks\At25.job moved successfully.
C:\Windows\Tasks\At4.job moved successfully.
C:\Windows\Tasks\At3.job moved successfully.
C:\Windows\Tasks\At1.job moved successfully.
C:\Windows\Tasks\At44.job moved successfully.
C:\Windows\Tasks\At43.job moved successfully.
C:\Windows\Tasks\At42.job moved successfully.
C:\Windows\Tasks\At22.job moved successfully.
C:\Windows\Tasks\At21.job moved successfully.
C:\Windows\Tasks\At20.job moved successfully.
C:\Windows\Tasks\At19.job moved successfully.
C:\Windows\Tasks\At18.job moved successfully.
C:\Users\All Users\-1QkVFHM9vBp405r moved successfully.
C:\ProgramData\-1QkVFHM9vBp405r not found.
C:\Users\All Users\-1QkVFHM9vBp405 moved successfully.
C:\ProgramData\-1QkVFHM9vBp405 not found.
C:\Users\All Users\1QkVFHM9vBp405 moved successfully.
C:\ProgramData\1QkVFHM9vBp405 not found.
C:\Users\All Users\B7E85B3E000435DB000423F3B4EB2367 moved successfully.
C:\ProgramData\B7E85B3E000435DB000423F3B4EB2367 not found.

==== End of Fixlog ====

Computer is back up and running, booted to the desktop. The start menu is empty and there is nothing on the desktop.
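The line "SubSystems: [Windows] ==> ZeroAccess" in the fixlist and "Session Manager\SubSystems\\Windows Value was restored" in the Fixlog refer to the registry value that names the server DLLs csrss.exe loads at boot. The ZeroAccess variant of this period rewrote the console entry (winsrv:ConServerDllInitialization) to point at a consrv.dll it dropped into system32; once a scanner deletes that DLL without restoring the value, csrss.exe cannot start and Windows stops with C0000135 "%hs is missing", which is the symptom this thread opened with and why restoring the value let the machine boot again. The following is an added example, not part of the thread or of FRST: it parses that value and reports any ServerDll other than the three a stock Windows 7 loads (the expected list is this example's assumption), and on a Windows host reads the live value through winreg. Both sample values are constructed here; CLEAN_X64 is the stock Windows 7 x64 string.

```python
"""Check the csrss subsystem value that the fixlist above restored.

Added example, not from the thread. The FRST entry "SubSystems: [Windows] ==> ZeroAccess"
refers to HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems, value "Windows".
"""
from __future__ import annotations

import re
import sys

SUBSYSTEMS_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"

# Server DLLs a clean Vista/7 csrss loads. Assumption of this example: anything else is suspect.
EXPECTED_SERVER_DLLS = frozenset({"basesrv", "winsrv", "sxssrv"})

# Tokens look like ServerDll=<dll>[:<init function>],<index>; capture the dll name only.
SERVER_DLL_RE = re.compile(r"ServerDll=([^:,\s]+)", re.IGNORECASE)


def server_dlls(value: str) -> list[str]:
    """All DLL names referenced by ServerDll= tokens, in order, lower-cased."""
    return [m.group(1).lower() for m in SERVER_DLL_RE.finditer(value)]


def unexpected_server_dlls(value: str) -> list[str]:
    """DLL names a stock csrss configuration would not load (e.g. 'consrv')."""
    return [d for d in server_dlls(value) if d not in EXPECTED_SERVER_DLLS]


def missing_expected_dlls(value: str) -> set[str]:
    """Stock DLLs the value no longer references; a truncated value also blocks boot."""
    return set(EXPECTED_SERVER_DLLS) - set(server_dlls(value))


def read_live_value() -> str | None:
    """Read the real value on a Windows host; return None elsewhere (offline analysis)."""
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SUBSYSTEMS_KEY) as key:
        value, _kind = winreg.QueryValueEx(key, "Windows")
    return value


def report(value: str) -> str:
    """One-line verdict for a SubSystems\\Windows value."""
    bad = unexpected_server_dlls(value)
    gone = missing_expected_dlls(value)
    if not bad and not gone:
        return "OK: only stock server DLLs referenced"
    parts = []
    if bad:
        parts.append("unexpected ServerDll entries: " + ", ".join(bad))
    if gone:
        parts.append("missing stock entries: " + ", ".join(sorted(gone)))
    return "SUSPECT: " + "; ".join(parts)


# Constructed samples. CLEAN_X64 is the stock Windows 7 x64 value; TAMPERED is the same value
# with the console server entry pointed at consrv.dll, as the ZeroAccess variant did.
CLEAN_X64 = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
    "ProfileControl=Off MaxRequestThreads=16"
)
TAMPERED = CLEAN_X64.replace(
    "ServerDll=winsrv:ConServerDllInitialization,2",
    "ServerDll=consrv:ConServerDllInitialization,2",
)

if __name__ == "__main__":
    for label, value in (("clean sample", CLEAN_X64),
                         ("tampered sample", TAMPERED),
                         ("this host", read_live_value())):
        if value is not None:
            print(f"{label}: {report(value)}")
```

If the check reports an unexpected DLL on a live machine, restore the value before anything deletes the DLL it names, and keep a copy of that DLL for analysis; deleting first is exactly what produces the blue screen at the top of this thread.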

#5 Oh My!

Posted 16 April 2012 - 01:43 PM

Greetings quiksilvermp3,


Thank you for the information you provided. Looks like we are off to a good start thanks to Farbar and his tools!

It is very important you do not clear out any temporary files. We may need one of those files to attempt to restore things back to normal.

I am going to need you to download a couple of programs. You might have to do it one of two ways if you are unable to access a web browser the normal way. The first is the easiest way and that is to launch Internet Explorer via the Task Manager. If that is not successful I am going to have you download the two programs from a clean computer onto a USB device and then insert that into the infected computer. However, before you would do that we would need to vaccinate the USB device in order to prevent possible cross contamination.

Please perform the following for me, if you would. I will attempt to make this as straightforward as possible.


===================================================


Launching Internet Explorer Using Task Manager

--------------

If this works, then please skip the following steps related to Panda Vaccine and downloading programs to your USB device.

  • Press the Ctrl-Alt-Del keys at the same time to open Task Manager
  • Click File, then select New Task (Run...)
  • Type iexplore in the Run box, then press Enter
  • Please test your internet connectivity by trying to access this topic
  • If successful, please skip to the instructions regarding Unhide and SystemLookup
  • If this step is not successful then please follow the next steps

===================================================


Panda USB Vaccine

--------------------

From a clean computer, please download and use Panda USB Vaccine.

Alternate download link 1
Alternate download link 2

  • Double-click on USBVaccineSetup.exe to install the program to C:\Program Files\Panda USB Vaccine.
  • Read and accept the license agreement, then click Next.
  • When setup completes, make sure "Launch Panda USB Vaccine" is checked and click Finish to open the program.
  • Click the Vaccinate computer button. It should now show a green checkmark and confirm Computer vaccinated.
  • Hold down the Shift key and insert your USB flash drive.
  • When the name of the drive appears in the dialog box, click the button to Vaccinate USB drive(s).
  • Exit the program when done

    Note: Computer Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced and creates an AUTORUN_.INF as protection against malicious code. The Panda Research Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.

  • Please download the below programs onto the vaccinated USB device and insert the device into your infected computer.

===================================================


Unhide

--------------------

  • Please download Unhide to your desktop
  • Double click the Unhide icon
  • Once the program has completed a Windows alert will be displayed stating your files have been restored
  • Please reboot your computer

===================================================


SystemLook by jpshortstuff

--------------------

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

Download Mirror #3 For 64-bit users

  • Double-click SystemLook.exe to run it.
  • Vista\Windows 7 users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following codebox into the main textfield:

    :dir
    %Temp%\smtmp /s
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • Was Unhide successful?
  • Results of SystemLook
  • What is the state of the computer now?

Gary

#6 quiksilvermp3

Posted 16 April 2012 - 01:52 PM

Unhide was successful.

SystemLook-
SystemLook 30.07.11 by jpshortstuff
Log created at 14:49 on 16/04/2012 by Zech
Administrator - Elevation successful

========== dir ==========

C:\Users\Zech\AppData\Local\Temp\smtmp - Parameters: "/s"

---Files---
None found.

C:\Users\Zech\AppData\Local\Temp\smtmp\1 d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\Accessories d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\Accessories\Accessibility d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\Accessories\System Tools d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\Accessories\Windows PowerShell d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\Activ Software d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\Activ Software\ActivInspire d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\Administrative Tools d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\Catalyst Control Center d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\Coupons d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\CyberLink DVD Suite d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\Energy Star d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\eReaders d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\ffdshow d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\Games d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\Google Earth d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\HP d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\HP\Games d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\HP\HP Advisor d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\HP\HP Deskjet 3050A J611 series d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\HP\HP MediaSmart d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\HP\HP Photo Creations d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\HP\Recovery Manager d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\HP Netflix d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\HTC d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\HTC\HTC Driver d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\iTunes d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\Maintenance d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\Malwarebytes' Anti-Malware d------ [15:20 13/04/2012]
Malwarebytes Anti-Malware Help.lnk --a---- 1127 bytes [15:12 13/04/2012] [15:16 13/04/2012]
Malwarebytes Anti-Malware.lnk --a---- 1127 bytes [15:12 13/04/2012] [15:16 13/04/2012]
Uninstall Malwarebytes Anti-Malware.lnk --a---- 1151 bytes [15:12 13/04/2012] [15:16 13/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\Malwarebytes' Anti-Malware\Tools d------ [15:20 13/04/2012]
Malwarebytes Anti-Malware Chameleon.lnk --a---- 1300 bytes [15:12 13/04/2012] [15:16 13/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\Microsoft Office d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Office 2010 Tools d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\Microsoft Silverlight d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\Norton Internet Security d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\Norton Online Backup d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\Online Bible d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\Online Services d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\QuickTime d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\Recovery Manager d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\Roxio d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\Roxio\CinemaNow d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\Skype d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\Startup d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\1\Programs\Windows Live d------ [19:11 12/04/2012]

C:\Users\Zech\AppData\Local\Temp\smtmp\4 d------ [19:11 12/04/2012]

-= EOF =-

I have all the folders for the programs but nothing is in them. They display as (empty).

#7 Oh My!

Posted 16 April 2012 - 02:47 PM

Greetings quiksilvermp3,


Very good. Now let's try to repopulate the contents of those folders. I am also going to have you run another program to look for additional malware and provide some detailed system information.

Please perform the following for me, if you would.


===================================================


Restoring Start Menu Folder Contents in Windows Vista/7

--------------------

You may need to take ownership of Explorer in order to complete the tasks below. If so, please see here.

Please set your system to show all files.

  • Click Start, open My Computer, select the Tools menu and click Folder Options.
  • Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
  • Uncheck Hide file extensions for known file types.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
----------

Please copy and paste the contents of the following folders, as instructed:

  • Copy: C:\Users\user_name\AppData\Local\Temp\smtmp\1
  • Paste: C:\ProgramData\Start Menu
  • Copy: C:\Users\user_name\AppData\Local\Temp\smtmp\2
  • Paste: C:\Users\user_name\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
  • Copy: C:\Users\user_name\AppData\Local\Temp\smtmp\3
  • Paste: C:\Users\user_name\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
  • Copy: C:\Users\user_name\AppData\Local\Temp\smtmp\4
  • Paste: C:\ProgramData\Desktop
----------

Please set your system to hide all hidden files.

  • Click Start, open My Computer, select the Tools menu and click Folder Options.
  • Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.
  • Check Hide file extensions for known file types.
  • Check the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.

===================================================


Run Combofix in Vista/7

--------------------

Combofix is a very powerful tool and special attention must be taken to allow it to work properly. Please pay careful attention to the following instructions.

  • Please download ComboFix from one of these locations:

    BleepingComputer

    ForoSpyware

  • Save Combofix.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts. It is important you do not mouseclick while the program is running or it may stall.

    Note #1: Often times it may appear as if ComboFix has stopped working. To verify it is still running please do one of the following below. If ComboFix has stopped running please stop and advise me.

    • Check your computer clock. If it is still running then so is ComboFix
    • Open Task Manager and select the Applications Tab. If the status of AutoScan is Running, then ComboFix is running
    • Open Task Manager and select the Processes Tab. Under Image Name look for files ending in .3xe. If there are fluctuating numbers under CPU and Mem Usage then ComboFix is running
    Note #2: If you receive the following error "Illegal operation attempted on a registry key that has been marked for deletion" please just restart your computer to resolve this issue
  • When finished, it will produce a log. Please include the C:\Combofix.txt log in your next reply.

===================================================


Things I would like to see in your next reply. :thumbsup2:

  • Are the folder contents visible?
  • ComboFix.txt
  • How is the computer running now?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#8 quiksilvermp3


Posted 17 April 2012 - 07:07 AM

I am unable to copy the contents of smtmp to ProgramData\Start Menu. When I try the computer gives me an error of folder is inaccessible and after unhiding system and hidden folders it is not listed. If I try to create a folder name Start Menu in ProgramData the computer asks if I want to merge the two folders. But I still don't see it listed in Windows Explorer.


ComboFix 12-04-16.02 - Zech 04/16/2012 16:13:12.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5883.4030 [GMT -4:00]
Running from: c:\users\Zech\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\users\Zech\Documents\~WRL0003.tmp
c:\users\Zech\Documents\~WRL0004.tmp
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\svchost.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-03-17 to 2012-04-17 )))))))))))))))))))))))))))))))
.
.
2012-04-16 20:30 . 2012-04-16 20:30 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-16 18:47 . 2012-04-16 18:47 -------- d-----w- c:\programdata\Panda Security
2012-04-16 18:46 . 2012-04-16 18:46 -------- d-----w- c:\program files (x86)\Panda USB Vaccine
2012-04-16 17:04 . 2012-03-14 00:27 8669240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{86AAF9B6-25DA-42CA-A5DA-FD8C2F455E32}\mpengine.dll
2012-04-16 16:59 . 2012-04-16 16:59 -------- d-----w- c:\programdata\New folder
2012-04-16 16:48 . 2012-04-16 16:48 -------- d-----w- c:\users\Test
2012-04-16 16:27 . 2012-04-16 16:27 -------- d-----w- c:\windows\Microsoft Antimalware
2012-04-16 15:56 . 2012-03-14 00:27 8669240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-04-16 14:15 . 2012-03-06 06:53 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-16 14:15 . 2012-03-06 05:59 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-04-16 14:15 . 2012-03-06 05:59 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-04-16 14:11 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-16 14:11 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-16 14:11 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-04-16 14:11 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-04-16 14:11 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-16 14:11 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-04-16 14:11 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-04-13 23:06 . 2012-04-13 23:07 -------- d-----w- C:\FRST
2012-04-13 16:48 . 2012-04-13 16:47 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4DA9EAB0-916B-473B-B6DA-099669A1E8EB}\gapaengine.dll
2012-04-13 16:44 . 2012-04-13 16:44 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-04-13 16:44 . 2012-04-13 16:44 -------- d-----w- c:\program files\Microsoft Security Client
2012-04-13 15:14 . 2012-04-13 15:14 -------- d-----w- c:\users\Zech\AppData\Roaming\Malwarebytes
2012-04-13 15:12 . 2012-04-13 15:12 -------- d-----w- c:\programdata\Malwarebytes
2012-04-13 15:12 . 2012-04-13 15:16 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-04-13 15:12 . 2012-04-04 19:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-09 15:14 . 2012-04-09 15:14 -------- d-----we c:\windows\system64
2012-04-09 15:00 . 2012-04-09 15:01 -------- d-----w- c:\program files (x86)\iTunes
2012-04-09 15:00 . 2012-04-09 15:00 -------- d-----w- c:\program files\iPod
2012-04-09 15:00 . 2012-04-09 15:01 -------- d-----w- c:\program files\iTunes
2012-04-03 22:31 . 2012-04-08 23:09 -------- d-----w- c:\windows\system32\drivers\NISx64\1207010.003
2012-03-26 15:41 . 2012-03-26 15:41 103864 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-03 18:21 . 2011-05-23 01:19 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-17 06:38 . 2012-03-13 19:01 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 05:34 . 2012-03-13 19:01 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-02-17 04:58 . 2012-03-13 19:01 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:57 . 2012-03-13 19:01 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-15 16:01 . 2012-02-15 16:01 52736 ----a-w- c:\windows\system32\drivers\usbaapl64.sys
2012-02-15 16:01 . 2012-02-15 16:01 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-14 16:09 . 2012-02-14 16:09 1070352 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2012-02-10 06:36 . 2012-03-13 19:02 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-02-10 05:38 . 2012-03-13 19:02 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-02-03 04:34 . 2012-03-13 19:02 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 12:44 . 2010-10-22 02:46 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-01-25 06:38 . 2012-03-13 19:01 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-01-25 06:38 . 2012-03-13 19:01 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-01-25 06:33 . 2012-03-13 19:01 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0BC6E3FA-78EF-4886-842C-5A1258C4455A}"= "mscoree.dll" [2010-11-05 297808]
.
[HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
[HKEY_CLASSES_ROOT\agihelper.AGUtils]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
2010-11-05 01:58 297808 ----a-w- c:\windows\System32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2012-01-03 21:31 1514152 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HLBackupScheduler"="c:\program files\Verizon V CAST Media Manager\V CAST Backup Scheduler.exe" [2011-10-23 5013128]
"ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2008-10-20 210208]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-02-29 17148552]
"Facebook Update"="c:\users\Zech\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-03-11 137536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-04-16 98304]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"Norton Online Backup"="c:\program files (x86)\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-01 1155928]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-05 421888]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2011-06-14 587320]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2011-01-12 49208]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"ApnUpdater"="c:\program files (x86)\Ask.com\Updater\Updater.exe" [2012-01-03 1391272]
"VMM Mode Selection"="c:\program files\HTC\ModeSelection\VMMModeSelection.exe" [2011-02-14 43520]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
.
c:\users\Zech\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Facebook Messenger.lnk - c:\users\Zech\AppData\Local\Facebook\Messenger\2.0.4478.0\FacebookMessenger.exe [2012-4-5 204288]
Webshots.lnk - c:\program files (x86)\Webshots\3.1.5.7619\Launcher.exe [2010-10-22 157088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ DPPassFilter scecli
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
.
R2 AGCoreService;AG Core Services;c:\program files (x86)\AGI\core\4.2.0.10753\AGCoreService.exe [2010-06-29 20480]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-27 136176]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-02-29 158856]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-27 136176]
R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
R3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files (x86)\StumbleUpon\StumbleUponUpdateService.exe [2011-04-14 103336]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2011-02-06 89600]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 CinemaNow Service;CinemaNow Service;c:\program files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [2010-06-13 400368]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-06-18 103992]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2011-06-14 26680]
S2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
S2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2010-02-23 2192176]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 clwvd;HP Webcam Splitter;c:\windows\system32\DRIVERS\clwvd.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-13 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-309212640-2724577515-4031678222-1001Core.job
- c:\users\Zech\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-03-11 04:02]
.
2012-04-17 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-309212640-2724577515-4031678222-1001UA.job
- c:\users\Zech\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-03-11 04:02]
.
2012-04-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-27 18:47]
.
2012-04-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-27 18:47]
.
2012-03-20 c:\windows\Tasks\HPCeeScheduleForZech.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-01-05 10:53]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2010-01-20 611896]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-06-18 8192]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-02-06 487424]
"ActivControl"="c:\program files\Activ Software\ActivDriver\ActivControl2x64.exe" [2010-12-17 1240944]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.146.226.11 192.146.226.40 131.118.254.1
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKU-Default-Run-dplaysvr - c:\windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:ea,54,bf,67,88,19,cd,01
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
c:\program files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\program files (x86)\DigitalPersona\Bin\DPAgent.exe
c:\program files (x86)\Hewlett-Packard\Media\Webcam\YCMMirage.exe
.
**************************************************************************
.
Completion time: 2012-04-17 07:49:09 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-17 11:49
.
Pre-Run: 432,536,649,728 bytes free
Post-Run: 433,655,746,560 bytes free
.
- - End Of File - - 41739867FE455D839295659768311096

Computer is running the same as before.

#9 Oh My!


Posted 17 April 2012 - 06:15 PM

Greetings quiksilvermp3,

Is ProgramData\Start Menu the only one you are having difficulty with?


Gary
 

#10 quiksilvermp3


Posted 18 April 2012 - 06:59 AM

There was nothing in the desktop folder that needed to be copied. I haven't had trouble with any other folders.

#11 Oh My!


Posted 18 April 2012 - 07:25 AM

Greetings quiksilvermp3,


I am going to provide more detailed instructions since there are many steps to take to gain access to restricted folders. You may have completed some already. If so, just skip those instructions.

Please see the following:


===================================================


Restoring Start Menu Folder Contents in Windows Vista/7

--------------------

Please do the following to set your system to show all files and take ownership of restricted folders.

  • Click Start, type Folder in the search box, then click Folder Options near the top
  • Select the View Tab
  • Under the Hidden files and folders heading, select Show hidden files and folders.
  • Uncheck Hide protected operating system files (recommended)
  • Click OK
  • Close the Folder Options window
  • Please download Take Ownership and save it to your desktop
  • Double click the Posted Image icon, then double click InstallTakeOwnership
  • Click Run
  • Click Yes
  • Click OK
  • Open Windows Explorer, navigate to and right click C:\ProgramData
  • In the Context Menu list please locate and click on Take Ownership (similar to the below)

    Posted Image
  • A cmd screen will open and you should see lines of scrolling text.
  • Once completed, please continue with the below instructions

----------

Please copy and paste the contents of the following folders, as instructed:

  • Copy: C:\Users\user_name\AppData\Local\Temp\smtmp\1
  • Paste: C:\Program Data\Start Menu
  • Copy: C:\Users\user_name\AppData\Local\Temp\smtmp\2
  • Paste: C:\Users\user_name\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
  • Copy: C:\Users\user_name\AppData\Local\Temp\smtmp\3
  • Paste: C:\Users\user-name\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
  • Copy: C:\Users\user_name\AppData\Local\Temp\smtmp\4
  • Paste: C:\Program Data\Desktop
----------

Please set your system to hide all hidden files and remove ownership of restricted folders.

  • Click Start, type Folder in the search box, then click Folder Options near the top
  • Click View Tab.
  • Under the Hidden files and folders heading, click Don't show hidden files and folders.
  • Click Hide protected operating system files (recommended)
  • Click OK
  • Close the Folder Options window
  • Double click the Posted Image icon on your desktop, then double click RemoveTakeOwnership
  • Click Run
  • Click Yes
  • Click OK
  • Please check to see if the items are now visible

===================================================


Things I would like to see in your next reply. :thumbsup2:

  • Have the items returned?
  • How is the computer running?

Gary
 

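As an added example (not from this thread, and not the Take Ownership tool's code), the PowerShell below automates the restore described in the post above and the copy step repeated in the later post: it uses the smtmp\1..4 mapping given there, reports a destination's attributes and ACL before touching it, takes ownership with the built-in takeown/icacls instead of the context-menu tweak, and copies the contents back. The user-profile path and the two ProgramData junction targets are assumptions about the Windows Vista/7 folder layout rather than anything stated in the thread.

```powershell
# Added example, not the thread's instructions or the Take Ownership tool's code.
# Automates the restore described in the post above: copy smtmp\1..4 back to
# the Start Menu, Quick Launch, pinned-taskbar and public Desktop folders,
# after reporting why a destination may look "missing" or "inaccessible"
# and taking ownership of it with the built-in takeown/icacls.
# Run from an elevated PowerShell prompt; -DryRun only reports and previews.
param(
    [string]$UserProfile = $env:USERPROFILE,   # profile of the affected user (assumption)
    [switch]$DryRun
)

$isAdmin = ([Security.Principal.WindowsPrincipal] `
            [Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin -and -not $DryRun) { throw 'Run this from an elevated prompt.' }

$smtmp = Join-Path $UserProfile 'AppData\Local\Temp\smtmp'

# Mapping taken from the post: numbered smtmp subfolder -> original location.
$map = [ordered]@{
    '1' = Join-Path $env:ProgramData 'Start Menu'
    '2' = Join-Path $UserProfile 'AppData\Roaming\Microsoft\Internet Explorer\Quick Launch'
    '3' = Join-Path $UserProfile 'AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar'
    '4' = Join-Path $env:ProgramData 'Desktop'
}

# On Windows Vista/7 these two ProgramData entries are hidden system junctions
# kept for compatibility; Explorer does not list them even with protected
# files shown, which matches "not listed, but a new folder would merge".
# Their real targets (standard Windows layout, an assumption not from the thread):
$junctionTarget = @{
    (Join-Path $env:ProgramData 'Start Menu') = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu'
    (Join-Path $env:ProgramData 'Desktop')    = Join-Path $env:Public 'Desktop'
}

function Show-FolderState {
    # Reports attributes, owner and explicit Deny ACEs of a folder.
    # Returns $true when the folder exists on disk (even if Explorer hides it).
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) { Write-Host "$Path : not present on disk"; return $false }
    Write-Host "$Path : attributes = $($item.Attributes)"
    $acl = Get-Acl -LiteralPath $Path
    Write-Host "    owner = $($acl.Owner)"
    foreach ($ace in ($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })) {
        Write-Host "    DENY $($ace.IdentityReference): $($ace.FileSystemRights)"
    }
    return $true
}

function Grant-FolderAccess {
    # Built-in equivalent of the Take Ownership context-menu entry.
    # '/D Y' answers takeown's prompt on English Windows; adjust for other locales.
    param([string]$Path)
    & takeown.exe /F $Path /R /D Y | Out-Null
    & icacls.exe $Path /grant 'Administrators:(OI)(CI)F' /T /C | Out-Null
}

foreach ($entry in $map.GetEnumerator()) {
    $src  = Join-Path $smtmp $entry.Key
    $dest = $entry.Value
    if (-not (Test-Path -LiteralPath $src)) {
        Write-Warning "smtmp\$($entry.Key) is missing; nothing to restore for $dest"
        continue
    }
    $exists = Show-FolderState $dest
    if ($exists) {
        $attrs = (Get-Item -LiteralPath $dest -Force).Attributes
        if (($attrs -band [IO.FileAttributes]::ReparsePoint) -and $junctionTarget.ContainsKey($dest)) {
            $dest = $junctionTarget[$dest]      # write into the real folder, not the junction
            Write-Host "    junction -> restoring into $dest"
        }
    } elseif (-not $DryRun) {
        New-Item -ItemType Directory -Path $dest -Force | Out-Null
    }
    if (-not $DryRun) { Grant-FolderAccess $dest }
    # Copy the *contents* of the numbered folder, hidden items included.
    Get-ChildItem -LiteralPath $src -Force |
        Copy-Item -Destination $dest -Recurse -Force -WhatIf:$DryRun
}
```

Run it once with -DryRun to see each destination's attributes and Deny entries before anything is changed; a folder that Explorer cannot list but that reports as present with the ReparsePoint attribute is the junction case handled above.
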
#12 quiksilvermp3


Posted 18 April 2012 - 07:32 AM

I did this as you instructed before. The problem is that C:\ProgramData\Start Menu does not exist according to Windows Explorer with hidden files being shown. But if I try to create a new folder in ProgramData called Start Menu I am asked if I want to merge the new folder with the current folder named Start Menu.

#13 Oh My!


Posted 18 April 2012 - 03:01 PM

Greetings quiksilvermp3,


Please perform the following for me.



Copy and paste the contents of the following folders into a different temporary folder:

  • Copy: C:\Users\user_name\AppData\Local\Temp\smtmp\1
  • Copy: C:\Users\user_name\AppData\Local\Temp\smtmp\2
  • Copy: C:\Users\user_name\AppData\Local\Temp\smtmp\3
  • Copy: C:\Users\user_name\AppData\Local\Temp\smtmp\4


===================================================


Run Combofix in Vista/7

--------------------

I would like to run ComboFix again.



  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts. It is important you do not mouse click while the program is running or it may stall.

    Note #1: Oftentimes it may appear as if ComboFix has stopped working. To verify it is still running please do one of the following below. If ComboFix has stopped running please stop and advise me.

    • Check your computer clock. If it is still running then so is ComboFix
    • Open Task Manager and select the Applications Tab. If the status of AutoScan is Running, then ComboFix is running
    • Open Task Manager and select the Processes Tab. Under Image Name look for files ending in .3xe. If there are fluctuating numbers under CPU and Mem Usage then ComboFix is running
    Note #2: If you receive the following error "Illegal operation attempted on a registery key that has been marked for deletion" please just restart your computer to resolve this issue
  • When finished, it will produce a log. Please include the C:\Combofix.txt log in your next reply.

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • ComboFix.txt
  • Any changes to the computer?

Gary
 

#14 quiksilvermp3


Posted 19 April 2012 - 06:57 AM

The folders in the Temp have been deleted somehow. Oh My thank you for your help but I have decided to reformat and reinstall the OS on this computer. Your help is greatly appreciated.

#15 Oh My!


Posted 19 April 2012 - 08:10 AM

Greetings quiksilvermp3,

Thank you for letting me know.
Gary
 



