
Hijackthis log


  • This topic is locked
26 replies to this topic

#1 MelissaBrook

  • Members
  • 13 posts

Posted 25 April 2012 - 12:48 PM

Mod Edit: MOVED to Virus, Trojan and Malware Removal Logs ~~boopme

Hi, I've been working with a fantastic tech guy over the phone and here's the problems & steps taken so far:

1. Blue screen of death then icons and data vanished, no access to any of it although "My Pictures" still came up on screen saver.

Steps taken: In safe mode downloaded and ran SuperAntiSpyware and Malwarebytes, which found and cleaned, among many smaller threats, "trojan.agent/gen-injector". I was then able to use unhide.exe to find my data, then ran CCleaner and Defraggler. All was going well but then the icons all started disappearing again and I had to rerun both Malwarebytes and SuperAntiSpyware.

I'd been having hijacking problems recently and it's gotten worse (besides getting reinfected immediately), so I was instructed to run HijackThis but to be very careful about what I deleted. I'm wondering if someone who knows what they're doing (that would not be me!) could look at the log and help me to proceed.

Thank you so much in advance!

Attached Files


Edited by boopme, 25 April 2012 - 01:09 PM.




#2 CatByte (bleepin' tiger)

  • Malware Response Team
  • 14,664 posts

Posted 27 April 2012 - 06:30 PM

Hi,

Please do the following:



Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt


NEXT

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To > Compressed (zipped) file. Attach that zipped file in your next reply as well.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 MelissaBrook

  • Topic Starter
  • Members
  • 13 posts

Posted 28 April 2012 - 02:04 PM

Thank you and here are the attachments from those scans.

I really appreciate your help!

Attached Files



#4 CatByte (bleepin' tiger)

  • Malware Response Team
  • 14,664 posts

Posted 28 April 2012 - 04:56 PM

Hi,

Please do the following:


We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.



#5 MelissaBrook

  • Topic Starter
  • Members
  • 13 posts

Posted 28 April 2012 - 05:53 PM

Here's the log...

Thank you!

Attached Files

  • Attached File  log.txt   13.22KB   1 downloads


#6 CatByte (bleepin' tiger)

  • Malware Response Team
  • 14,664 posts

Posted 28 April 2012 - 08:30 PM

Hi,

Please do the following:


Click Start>Run and copy/paste the following bolded text into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

A report should pop open for you. Please post the contents in your next reply.


NEXT



  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



#7 MelissaBrook

  • Topic Starter
  • Members
  • 13 posts

Posted 29 April 2012 - 10:13 AM

I ran those scans; here are the results.

Wondering if I can run unhide.exe while we're still working on this, as the initial instructions said not to do anything else. Also, I'm working on the computer doing something I need to; should I stay in safe mode? I was until yesterday but needed access to something, so opened in regular mode.

Thanks again for your help!

Melissa

Attached Files



#8 CatByte (bleepin' tiger)

  • Malware Response Team
  • 14,664 posts

Posted 29 April 2012 - 06:00 PM

Hi,

We have to dequarantine the items in ComboFix quarantine first, then run unhide.



Please delete the copy of ComboFix that you have on your desktop and download a fresh copy, then run the following script:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Dequarantine::
C:\Qoobox\Quarantine\C\WINDOWS\system32\_wmvds32_.ax.zip
C:\Qoobox\Quarantine\C\WINDOWS\system32\_wmv8ds32_.ax.zip
C:\Qoobox\Quarantine\C\WINDOWS\system32\_wiasf_.ax.zip
C:\Qoobox\Quarantine\C\WINDOWS\system32\_vidcap_.ax.zip
C:\Qoobox\Quarantine\C\WINDOWS\system32\_vbisurf_.ax.zip
C:\Qoobox\Quarantine\C\WINDOWS\system32\_msscds32_.ax.zip
C:\Qoobox\Quarantine\C\WINDOWS\system32\_msadds32_.ax.zip
C:\Qoobox\Quarantine\C\WINDOWS\system32\_mpg4ds32_.ax.zip
C:\Qoobox\Quarantine\C\WINDOWS\system32\_mpg2splt_.ax.zip
C:\Qoobox\Quarantine\C\WINDOWS\system32\_mpeg2data_.ax.zip
C:\Qoobox\Quarantine\C\WINDOWS\system32\_ksproxy_.ax.zip
C:\Qoobox\Quarantine\C\WINDOWS\system32\_g711codc_.ax.zip
C:\Qoobox\Quarantine\C\WINDOWS\system32\_ativmvxx_.ax.zip
C:\Qoobox\Quarantine\C\WINDOWS\system32\_ativdaxx_.ax.zip
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\2\Show Desktop.scf
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\2\Mozilla Firefox.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\2\Quicken Home & Business 2009.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\2\Microsoft Office Word 2007.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\2\Launch Internet Explorer Browser.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\2\desktop.ini
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\2\E-mail.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\2\iTunes.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Windows PowerShell 1.0\Windows PowerShell.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Windows PowerShell 1.0\Release Notes.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Windows PowerShell 1.0\User Guide.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Windows PowerShell 1.0\Quick Reference.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\SUPERAntiSpyware\SUPERAntiSpyware Free Edition.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\SUPERAntiSpyware\SUPERAntiSpyware Help.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\SUPERAntiSpyware\SUPERAntiSpyware Registration-Activation.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Windows PowerShell 1.0\Getting Started.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Startup\Windows Search.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\SUPERAntiSpyware\BootSafe.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\SUPERAntiSpyware\SUPERAntiSpyware Alternate Start.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Startup\TotalMedia Backup Monitor.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Startup\HP Image Zone Fast Start.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Startup\desktop.ini
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Startup\HP Digital Imaging Monitor.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Startup\Adobe Reader Synchronizer.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Startup\Adobe Reader Speed Launch.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Shutterfly\Shutterfly Express Uploader.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Seagate\Seagate Manager\Seagate Status Icon.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Seagate\Seagate Manager\Seagate Manager.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Seagate\muvee autoProducer 6.1 Seagate Edition\Quick Tour.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Seagate\muvee autoProducer 6.1 Seagate Edition\muvee autoProducer 6.1 Help.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Seagate\muvee autoProducer 6.1 Seagate Edition\muvee autoProducer 6.1 Seagate Edition.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Seagate\Seagate muvee autoProducer 6.1.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Real\RealPlayer.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Real\RealPlayer Trimmer.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Real\RealPlayer Converter.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Qwest Personal Digital Vault\Qwest Personal Digital Vault.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\QuickTime\Uninstall QuickTime.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\QuickTime\QuickTime Player.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\QuickTime\PictureViewer.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\QuickTime\About QuickTime.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Quicken 2012\Quicken Online Backup.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Quicken 2012\Quicken 2012.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Quicken 2012\Billminder.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\OLYMPUS CAMEDIA\ReadMe.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\OLYMPUS CAMEDIA\Reference Manual.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\OLYMPUS CAMEDIA\CAMEDIA Master.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\OLYMPUS CAMEDIA\CAMEDIA Master Help.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Mozilla Firefox\Mozilla Firefox.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Mozilla Firefox\Mozilla Firefox (Safe Mode).lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Microsoft Silverlight\Microsoft Silverlight.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Office Tools\Microsoft Office Picture Manager.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Office Tools\Microsoft Office Diagnostics.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Office Tools\Microsoft Office 2007 Language Settings.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Office Tools\Microsoft Clip Organizer.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Office Word 2007.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Office Tools\Digital Certificate for VBA Projects.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Office Word 2007 (2).lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Office PowerPoint 2007.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Office Publisher 2007.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Office Outlook 2007.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Office Access 2007.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Office Excel 2007.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Malwarebytes' Anti-Malware\Malwarebytes Anti-Malware.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Malwarebytes' Anti-Malware\Uninstall Malwarebytes Anti-Malware.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Malwarebytes' Anti-Malware\Tools\Malwarebytes Anti-Malware Chameleon.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Malwarebytes' Anti-Malware\Malwarebytes Anti-Malware Help.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\iTunes\iTunes.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\iTunes\About iTunes.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\HTS_iNet\Switch Print Drivers.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\HTS_iNet\HTS Manual.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\HTS_iNet\HTS 7.31.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\HP\OfficeJet All-In-One 6200 series\Readme.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\HP\OfficeJet All-In-One 6200 series\Uninstall.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\HP\OfficeJet All-In-One 6200 series\Help.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\HP\OfficeJet All-In-One 6200 series\Product Registration.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\HP\OfficeJet All-In-One 6200 series\Product Support Website.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\HP\Image Zone .lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\HP\System Diagnostics.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\HP\HP Update.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\HP\HP Product Assistant.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\HP\HP Image Zone Tour.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\HP\HP Document Viewer.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\HP\HP Director.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Games\Spider Solitaire.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Games\Solitaire.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Games\Pinball.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Games\Minesweeper.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Games\Internet Spades.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Games\Internet Reversi.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Games\Internet Hearts.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Games\Internet Checkers.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Games\Internet Backgammon.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Games\Hearts.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Games\Freecell.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Games\desktop.ini
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\ESET\ESET NOD32 Antivirus\Uninstall.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\ESET\ESET NOD32 Antivirus\License agreement.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\ESET\ESET NOD32 Antivirus\ESET SysRescue.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\ESET\ESET NOD32 Antivirus\ESET NOD32 Antivirus.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\ESET\ESET NOD32 Antivirus\ESET SysInspector.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\ESET\ESET NOD32 Antivirus\Documentation.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\DynamicReader_iNet\Switch Print Drivers.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\DynamicReader_iNet\DynamicReader Manual.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\DynamicReader_iNet\DynamicReader 1.10.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Dell Accessories\Dell ResourceCD.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Defraggler\Uninstall Defraggler.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Defraggler\Defraggler Homepage.url
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Defraggler\Defraggler.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Coupons\Uninstall Coupon Printer for Windows.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Carbonite\Carbonite Online Backup Setup.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\CCleaner\CCleaner Homepage.url
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\CCleaner\CCleaner.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\CCleaner\Uninstall CCleaner.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Coupons\Coupons.com.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\ArcSoft TotalMedia Backup\TotalMedia Backup.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\ArcSoft TotalMedia Backup\TotalMedia Backup Monitor.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Administrative Tools\Microsoft .NET Framework 1.1 Wizards.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Administrative Tools\Performance.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Administrative Tools\Services.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\ArcSoft Connect\View My ArcSoft Info.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Administrative Tools\Microsoft .NET Framework 1.1 Configuration.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Administrative Tools\desktop.ini
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Administrative Tools\Event Viewer.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Administrative Tools\Data Sources (ODBC).lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Administrative Tools\Computer Management.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Administrative Tools\Component Services.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Accessories\System Tools\Files and Settings Transfer Wizard.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Accessories\System Tools\Scheduled Tasks.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Accessories\System Tools\System Information.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Accessories\System Tools\System Restore.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Accessories\System Tools\Disk Defragmenter.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Accessories\System Tools\Character Map.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Accessories\System Tools\desktop.ini
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Accessories\System Tools\Disk Cleanup.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Entertainment\Volume Control.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Entertainment\desktop.ini
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Entertainment\Sound Recorder.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Communications\Wireless Network Setup Wizard.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Communications\New Connection Wizard.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Communications\Network Setup Wizard.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Communications\Network Connections.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Accessibility\desktop.ini
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Communications\desktop.ini
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Communications\HyperTerminal.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Accessibility\Accessibility Wizard.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Accessories\WordPad.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Remote Desktop Connection.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Scanner and Camera Wizard.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Windows Movie Maker.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Windows Messenger.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Windows Search.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Calculator.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Accessories\desktop.ini
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Paint.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Safari.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\MSN Explorer.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\PowerDVD.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Mozilla Firefox.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Apple Software Update.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\desktop.ini
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\I.R.I.S. OCR Registration.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Acrobat Reader 5.0.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Adobe Reader 8.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Windows Catalog.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Windows Update.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\desktop.ini
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\HP  Image Zone.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\HP Director.lnk
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Set Program Access and Defaults.lnk
C:\Qoobox\Quarantine\catchme.log
C:\Qoobox\Quarantine\C\WINDOWS\system32\dllcache\dlimport.exe.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\ksproxy.ax.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\mscoree.dll.local.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\msvcr71.dll.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\mscorsn.dll.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\mscorwks.dll.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\fusion.dll.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\mscoree.dll.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\dllcache\wmpvis.dll.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\ativdaxx.ax.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\ativmvxx.ax.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\mpeg2data.ax.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\vidcap.ax.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\wmvds32.ax.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\wmv8ds32.ax.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\wiasf.ax.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\vbisurf.ax.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\msscds32.ax.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\msadds32.ax.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\mpg2splt.ax.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\mpg4ds32.ax.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\l3codecx.ax.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\g711codc.ax.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\acelpdec.ax.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\regtlib.exe.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\ivfsrc.ax.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\iac25_32.ax.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\ir41_32.ax.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\_000009_.tmp.dll.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\_000010_.tmp.dll.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\_000012_.tmp.dll.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\_000013_.tmp.dll.vir

Quit::


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: dragging CFScript.txt onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.



NEXT

Run unhide.exe

Please download Unhide.exe to your desktop:
  • Double-click on the Unhide.exe icon on your desktop and allow the program to run.
  • This program will remove the hidden attributes from all the files on your system.
  • Note: If you had purposely hidden any files, then you will need to hide them again after this tool has run.


NEXT


Re-scan with ComboFix without the script; please post both ComboFix logs.

Let me know how the computer is running now.

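The Dequarantine:: script above restores a long list of Qoobox entries at once. As an added example (not from the thread and not part of ComboFix), the Python below parses such a section, maps each quarantine path back to its original location, and buckets the entries so a responder can see what a restore would put back: Start Menu/Quick Launch shortcuts relocated into Temp\smtmp, DirectShow filters under system32, and unnamed tmp DLLs worth a second look. The mapping of the underscore-wrapped .zip entries to their original names is an assumption, as noted in the comments.

```python
"""Triage helper for a ComboFix CFScript 'Dequarantine::' section (added example).

ComboFix keeps quarantined files under C:\\Qoobox\\Quarantine\\<drive>\\<original path>
with '.vir' appended. Assumption (not confirmed by the thread): the '.zip' entries whose
file names are wrapped in underscores are earlier-quarantined copies of the same files.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

QUARANTINE_ROOT = r"C:\Qoobox\Quarantine"

# Constructed sample in the shape of the script posted above (six of its entries).
SAMPLE_SCRIPT = r"""
Dequarantine::
C:\Qoobox\Quarantine\C\WINDOWS\system32\_wmvds32_.ax.zip
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\2\Show Desktop.scf
C:\Qoobox\Quarantine\C\DOCUME~1\Melissa\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Paint.lnk
C:\Qoobox\Quarantine\catchme.log
C:\Qoobox\Quarantine\C\WINDOWS\system32\ksproxy.ax.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\_000009_.tmp.dll.vir

Quit::
"""


def parse_dequarantine(script: str) -> List[str]:
    """Return the path lines between 'Dequarantine::' and the next '::' directive."""
    paths, active = [], False
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):          # CFScript directives end in '::'
            active = line == "Dequarantine::"
            continue
        if active:
            paths.append(line)
    return paths


def original_path(qpath: str) -> Optional[str]:
    """Map a Qoobox quarantine path back to where the file lived before quarantine."""
    if not qpath.lower().startswith(QUARANTINE_ROOT.lower() + "\\"):
        return None
    rest = qpath[len(QUARANTINE_ROOT) + 1:]
    m = re.match(r"^([A-Za-z])\\(.+)$", rest)
    if not m:
        return None  # e.g. catchme.log sits directly under the quarantine root
    drive, tail = m.group(1), m.group(2)
    if tail.lower().endswith(".vir"):
        tail = tail[:-4]
    elif tail.lower().endswith(".zip"):
        # Assumption: '_name_.ext.zip' is the zipped quarantine copy of 'name.ext'.
        tail = tail[:-4]
        head, sep, fname = tail.rpartition("\\")
        m2 = re.match(r"^_(.+)_(\.[^.]+)$", fname)
        if m2:
            fname = m2.group(1) + m2.group(2)
        tail = head + sep + fname
    return f"{drive.upper()}:\\{tail}"


def classify(path: str) -> str:
    """Bucket a restored path by what kind of item it is."""
    low = path.lower()
    if "\\temp\\smtmp\\" in low:
        return "relocated shortcut"      # items the rogue moved out of the Start Menu
    if low.endswith(".ax") and "\\system32\\" in low:
        return "directshow filter"       # codec/filter DLLs ComboFix pulled from system32
    if re.search(r"\\_\d+_\.tmp\.dll$", low):
        return "unnamed temp dll"        # no descriptive name: review before trusting
    return "other"


def triage(script: str) -> Dict[str, List[str]]:
    """Parse the script and group original paths by bucket."""
    buckets: Dict[str, List[str]] = defaultdict(list)
    for q in parse_dequarantine(script):
        orig = original_path(q)
        if orig is None:
            buckets["quarantine metadata"].append(q)
        else:
            buckets[classify(orig)].append(orig)
    return dict(buckets)


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_SCRIPT).items():
        print(f"{bucket} ({len(items)}):")
        for p in items:
            print("   ", p)
```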


#9 MelissaBrook

  • Topic Starter
  • Members
  • 13 posts

Posted 30 April 2012 - 11:11 AM

I will do this when I return home later today, but I don't think I know how to disable script blocking. Thanks!

#10 CatByte (bleepin' tiger)

  • Malware Response Team
  • 14,664 posts

Posted 30 April 2012 - 11:51 AM

Hi, don't worry about the script blocking; it would be included with the AV, so as long as your AV is disabled you will be fine.



#11 MelissaBrook

  • Topic Starter
  • Members
  • 13 posts

Posted 30 April 2012 - 05:05 PM

I THINK I did this according to instructions. I couldn't turn off ESET unless I was in normal mode and couldn't get to this page unless I was in safe mode. Have to run now, but will see how the computer is running later. In the meantime here are the logs, and thank you again for all your help!

Attached Files



#12 CatByte (bleepin' tiger)

  • Malware Response Team
  • 14,664 posts

Posted 30 April 2012 - 05:12 PM

Did unhide.exe run successfully?



#13 MelissaBrook

  • Topic Starter
  • Members
  • 13 posts

Posted 30 April 2012 - 10:22 PM

Yes, it looks like everything is visible now. I did try to Google something and still got hijacked; also, I can't click "Google" (nothing happens), only "I feel lucky", or type into the address bar directly...

I'm running an ESET scan right now and so far it's showing 5 infiltrations but I won't know what they are until it's finished. Updated Superantispyware and was planning to run that as well as Malwarebytes. Maybe I should wait to hear back from you re the logs first?

#14 CatByte (bleepin' tiger)

  • Malware Response Team
  • 14,664 posts

Posted 01 May 2012 - 06:44 AM

Yes,

we still have more work to do, so I'd like to see the ESET log first before we move on; I just wanted to make sure you had all your icons back.



#15 MelissaBrook

  • Topic Starter
  • Members
  • 13 posts

Posted 01 May 2012 - 12:37 PM

Sorry, I think I got impatient... Here is the ESET log. I terminated it before it was finished because I needed to go to bed and didn't want to leave my computer on all night. I'll wait to do anything else until I hear from you. Could you let me know if it's unwise for me to do any online banking with what I have going on? I will do it on my husband's computer until I hear back.

Thanks so much!

Attached Files





