
Something deleted 98% of my pictures.


  • This topic is locked
26 replies to this topic

#1 FlyerX

FlyerX

  • Members
  • 134 posts

Posted 25 April 2012 - 07:50 PM

Hi guys!

This is a continuation from here:
http://www.bleepingcomputer.com/forums/topic451156.html

Summary of my situation:

I was testing some software for automatic screen capture. In the process, the antivirus or the firewall (I don't remember which) asked me to restart; I left the message box alone and continued working. After some time I had to disable the AV and the firewall to continue testing (installing, using and uninstalling the software). I had to go out and left the computer unattended, and when I came back I found it off. When I turned it on I found that it had been off, not hibernating, and that it was not a forced shutdown, because I received no message, so I assume that maybe the restart request I left unattended had a countdown. OK, but the real problem is that I noticed the wallpaper was black, and when I went to the Pictures folder I found that fewer than a dozen of my pictures were there. Recently I discovered that it was not only in the "My Pictures" folder: in the whole USER folder almost all the pictures are gone.

Now, the last requested log/tests

Edited by FlyerX, 25 April 2012 - 07:51 PM.



#2 FlyerX

FlyerX
  • Topic Starter

  • Members
  • 134 posts

Posted 25 April 2012 - 07:51 PM

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_23
Run by xuser at 0:20:06 on 2012-04-25
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.3082.18.2039.1237 [GMT -3:00]
.
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: COMODO Defense+ *Disabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
FW: COMODO Firewall *Disabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Comodo\Dragon\dragon_updater.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Hewlett-Packard\HP 3D DriveGuard\accelerometerST.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Nero\Nero 7\Nero StartSmart\NeroStartSmart.exe
C:\Program Files\Nero\Nero 7\Nero BackItUp\BackItUp.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 133.11.240.56:3128
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
uRun: [AccelerometerSysTrayApplet] "c:\program files\hewlett-packard\hp 3d driveguard\AccelerometerSt.Exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xportar a Microsoft Excel - c:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
TCP: DhcpNameServer = 200.42.213.21 200.42.213.11
TCP: Interfaces\{3AB40BA1-1565-4000-9DBB-CABE4CDD1F01} : NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{7A40AA10-1AB5-4E52-9265-678EB8A554DE} : NameServer = 8.26.56.26,8.20.247.20
TCP: Interfaces\{CACEB943-49B7-4A3C-8E6F-228C4AC214CB} : NameServer = 8.26.56.26,8.20.247.20
TCP: Interfaces\{CACEB943-49B7-4A3C-8E6F-228C4AC214CB} : DhcpNameServer = 200.42.213.21 200.42.213.11
TCP: Interfaces\{D19BE4CF-E86F-42E7-8931-CEDFEA29F07A} : DhcpNameServer = 10.0.0.1 196.3.81.5 200.88.127.22
TCP: Interfaces\{FA387B59-E5CC-4DF3-A678-73226D517713} : DhcpNameServer = 10.0.0.1 196.3.81.5 200.88.127.22
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\xuser\appdata\roaming\mozilla\firefox\profiles\2xlxzimp.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\mozilla firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor.dll
FF - plugin: c:\progra~1\palm\packag~1\NPInstal.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPDFXCviewNPPlugin.dll
FF - plugin: c:\program files\tracker software\pdf viewer\npPDFXCviewNPPlugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Hotspot Shield Helper (Please allow this installation): afurladvisor@anchorfree.com - c:\program files\mozilla firefox\extensions\afurladvisor@anchorfree.com
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-11-8 36000]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-6-4 491816]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-6-1 39640]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-11-8 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-11-8 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-11-8 74640]
R2 DragonUpdater;COMODO Dragon Update Service;c:\program files\comodo\dragon\dragon_updater.exe [2012-4-13 409232]
R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2011-5-13 26168]
R2 ScFBPNT;CanoScan FBP Port Driver;c:\windows\system32\drivers\SCFBPNT.SYS [2012-3-16 16288]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet: NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2011-8-28 227896]
R3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2012-3-11 242240]
R3 netw5v32;Controlador del adaptador Intel® Wireless WiFi Link 5000 Series para Windows Vista de 32 bits;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 ArgusMonitor;ArgusMonitor kernel mode driver;c:\windows\system32\drivers\ArgusMonitor.sys [2011-4-12 37280]
S3 ATSwpWDF;AuthenTec TruePrint USB WBF WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2009-12-3 625224]
S3 SMSCIRDA;SMSC Infrared Device Driver;c:\windows\system32\drivers\smscirda.sys [2007-4-25 31232]
S3 StorSvc;Servicio de almacenamiento;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-3-20 52224]
S4 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
S4 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2011-8-4 1361288]
S4 hshld;Hotspot Shield Service;c:\program files\hotspot shield\bin\openvpnas.exe [2012-3-26 542040]
S4 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe -product hss --> c:\program files\hotspot shield\bin\hsswd.exe -product HSS [?]
.
=============== Created Last 30 ================
.
2012-04-24 03:46:35 -------- d-----w- c:\programdata\Comodo
2012-04-24 03:46:28 -------- d-----w- c:\users\xuser\appdata\local\Comodo
2012-04-24 03:46:20 42760 ----a-w- c:\windows\system32\certsentry.dll
2012-04-24 02:37:21 -------- d-----w- c:\users\xuser\appdata\roaming\Avira
2012-04-23 23:07:04 -------- d-----w- c:\users\xuser\appdata\roaming\SUPERAntiSpyware.com
2012-04-23 23:06:04 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-04-23 23:06:04 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-04-23 21:30:39 -------- d-----w- c:\programdata\Malwarebytes
2012-04-23 21:30:38 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-23 21:30:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-23 15:37:46 -------- d-----w- c:\users\xuser\Captured screens backups
2012-04-23 15:30:57 -------- d-----w- c:\users\xuser\appdata\roaming\THeUDS
2012-04-23 15:30:43 -------- d-----w- c:\program files\AutoScreenShot
2012-04-18 21:30:33 -------- d-sh--w- C:\found.000
2012-04-18 15:56:39 -------- d-----w- c:\programdata\hssff
2012-04-05 19:20:13 615240 ----a-w- c:\program files\mozilla firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor.dll
2012-04-05 19:18:46 -------- d-----w- c:\programdata\Hotspot Shield
2012-04-05 19:17:56 -------- d-----w- C:\Hotspot Shield
2012-04-05 19:15:45 -------- d-----w- c:\program files\Hotspot Shield
2012-04-02 15:53:44 2812928 ----a-w- c:\windows\system32\FreeImage.dll
2012-03-30 05:10:15 -------- d-----w- c:\users\xuser\appdata\roaming\calibre
2012-03-27 03:43:20 -------- d-----w- c:\programdata\WindowsLiveInstaller
2012-03-27 02:53:16 -------- d-----w- c:\users\xuser\Tracing
2012-03-26 21:45:18 37376 ----a-w- c:\windows\system32\drivers\HssDrv.sys
2012-03-26 21:45:14 32768 ----a-w- c:\windows\system32\drivers\taphss.sys
.
==================== Find3M ====================
.
2012-03-20 23:03:50 152576 ----a-w- c:\windows\system32\msclmd.dll
2012-03-11 23:01:11 242240 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-03-11 21:13:36 39640 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2012-03-11 21:13:35 491816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2012-03-11 21:13:34 19600 ----a-w- c:\windows\system32\drivers\cmderd.sys
2012-03-11 21:13:19 33984 ----a-w- c:\windows\system32\cmdcsr.dll
2012-03-11 21:13:18 301224 ----a-w- c:\windows\system32\guard32.dll
2012-02-17 05:34:22 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 04:14:08 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:13:22 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-10 05:38:43 1077248 ----a-w- c:\windows\system32\DWrite.dll
2012-02-03 03:54:27 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 11:57:31 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
.
============= FINISH: 0:22:25.28 ===============


Edited by FlyerX, 25 April 2012 - 07:54 PM.


#3 FlyerX

FlyerX
  • Topic Starter

  • Members
  • 134 posts

Posted 29 April 2012 - 07:45 PM

Can I at least run a full antivirus scan? I have Avira AntiVir.

#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,767 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 30 April 2012 - 08:19 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
===

Post the log for my review.

===

While I check your log please secure your computer.


Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 23


===

Critical vulnerabilities have been identified in Adobe Flash Player 10.3.183.10 and earlier versions... being exploited in the wild in active targeted attacks...

Get the latest Flash Player

On the top of the page you will be given an opportunity to download the version for your operating system.
Make sure you select appropriate version.

You will also have an option to install the Free! McAfee Security Scan Plus. Un-check the box if you are NOT using McAfee's virus protection software.

For users of Internet Explorer, download version 11.
Flash Player 11 (64 bit)
Flash Player 11 (32 bit)
===

#5 FlyerX

FlyerX
  • Topic Starter

  • Members
  • 134 posts

Posted 01 May 2012 - 08:05 AM

ComboFix 12-05-01.01 - xuser 05/01/2012 8:39.1.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.3082.18.2039.1382 [GMT -3:00]
Running from: c:\users\xuser\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Outdated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Outdated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\xuser\AppData\Roaming\chrtmp
c:\users\xuser\AppData\Roaming\inst.exe
c:\users\xuser\AppData\Roaming\vso_ts_preview.xml
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_usnjsvc
.
.
((((((((((((((((((((((((( Files Created from 2012-04-01 to 2012-05-01 )))))))))))))))))))))))))))))))
.
.
2012-05-01 11:47 . 2012-05-01 11:50 -------- d-----w- c:\users\xuser\AppData\Local\temp
2012-04-30 00:10 . 2012-04-30 00:10 -------- d-----w- c:\program files\Recuva
2012-04-24 02:37 . 2012-04-24 02:37 -------- d-----w- c:\users\xuser\AppData\Roaming\Avira
2012-04-23 23:07 . 2012-04-23 23:07 -------- d-----w- c:\users\xuser\AppData\Roaming\SUPERAntiSpyware.com
2012-04-23 23:06 . 2012-04-23 23:07 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-04-23 23:06 . 2012-04-23 23:06 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-04-23 21:30 . 2012-04-23 21:30 -------- d-----w- c:\programdata\Malwarebytes
2012-04-23 21:30 . 2012-04-23 21:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-23 21:30 . 2012-04-04 18:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-23 15:37 . 2012-04-23 15:37 -------- d-----w- c:\users\xuser\Captured screens backups
2012-04-23 15:30 . 2012-04-23 15:30 -------- d-----w- c:\users\xuser\AppData\Roaming\THeUDS
2012-04-23 15:30 . 2012-04-23 17:59 -------- d-----w- c:\program files\AutoScreenShot
2012-04-18 21:30 . 2012-04-18 21:30 -------- d-----w- C:\found.000
2012-04-18 15:56 . 2012-04-18 15:56 -------- d-----w- c:\programdata\hssff
2012-04-05 19:20 . 2012-04-05 19:20 615240 ----a-w- c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor.dll
2012-04-05 19:18 . 2012-04-05 19:18 -------- d-----w- c:\programdata\Hotspot Shield
2012-04-05 19:17 . 2012-04-05 19:18 -------- d-----w- C:\Hotspot Shield
2012-04-05 19:15 . 2012-04-05 19:18 -------- d-----w- c:\program files\Hotspot Shield
2012-04-02 15:53 . 2011-07-24 16:24 2812928 ----a-w- c:\windows\system32\FreeImage.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-26 21:45 . 2012-03-26 21:45 37376 ----a-w- c:\windows\system32\drivers\HssDrv.sys
2012-03-26 21:45 . 2012-03-26 21:45 32768 ----a-w- c:\windows\system32\drivers\taphss.sys
2012-03-20 23:03 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2012-03-11 23:01 . 2012-03-11 23:01 242240 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-03-11 21:13 . 2010-06-01 23:00 39640 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2012-03-11 21:13 . 2010-06-04 15:55 491816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2012-03-11 21:13 . 2010-06-01 23:00 19600 ----a-w- c:\windows\system32\drivers\cmderd.sys
2012-03-11 21:13 . 2010-06-01 23:00 301224 ----a-w- c:\windows\system32\guard32.dll
2012-02-17 05:34 . 2012-03-20 22:00 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 04:14 . 2012-03-20 22:00 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:13 . 2012-03-20 22:00 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-10 05:38 . 2012-03-20 22:00 1077248 ----a-w- c:\windows\system32\DWrite.dll
2012-02-03 03:54 . 2012-03-20 22:00 2343424 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AccelerometerSysTrayApplet"="c:\program files\Hewlett-Packard\HP 3D DriveGuard\AccelerometerSt.Exe" [2009-07-13 68152]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-02-21 1183744]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-11 287800]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-01-31 258512]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotSync
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBAgent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPStart
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-05-16 13:27 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-01-10 23:25 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-09-23 23:30 173592 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-09-23 23:30 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-11-18 00:59 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn Hamachi Ui]
2011-08-04 18:34 1955208 ----a-w- c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 19:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-09-23 23:30 150552 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 15:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 ArgusMonitor;ArgusMonitor kernel mode driver;c:\windows\system32\drivers\ArgusMonitor.sys [2011-04-12 37280]
R3 ATSwpWDF;AuthenTec TruePrint USB WBF WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2009-12-03 625224]
R3 SMSCIRDA;SMSC Infrared Device Driver;c:\windows\system32\DRIVERS\SMSCirda.sys [2007-04-25 31232]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
R4 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2011-08-04 1361288]
R4 hshld;Hotspot Shield Service;c:\program files\Hotspot Shield\bin\openvpnas.exe [2012-03-26 542040]
R4 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [2012-03-26 329544]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2011-09-16 36000]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2012-01-31 86224]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2011-05-13 26168]
S2 ScFBPNT;CanoScan FBP Port Driver;c:\windows\system32\drivers\ScFBPNT.SYS [2000-02-08 16288]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2010-01-12 227896]
S3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-03-11 242240]
S3 netw5v32;Controlador del adaptador Intel® Wireless WiFi Link 5000 Series para Windows Vista de 32 bits;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2011-10-16 47360]
.
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 133.11.240.56:3128
IE: E&xportar a Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 200.42.213.21 200.42.213.11
TCP: Interfaces\{3AB40BA1-1565-4000-9DBB-CABE4CDD1F01}: NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{7A40AA10-1AB5-4E52-9265-678EB8A554DE}: NameServer = 8.26.56.26,8.20.247.20
TCP: Interfaces\{CACEB943-49B7-4A3C-8E6F-228C4AC214CB}: NameServer = 8.26.56.26,8.20.247.20
FF - ProfilePath - c:\users\xuser\AppData\Roaming\Mozilla\Firefox\Profiles\2xlxzimp.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Hotspot Shield Helper (Please allow this installation): afurladvisor@anchorfree.com - c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-COMODO - c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe
MSConfigStartUp-COMODO Internet Security - c:\program files\COMODO\COMODO Internet Security\cfp.exe
MSConfigStartUp-CPA - c:\program files\COMODO\COMODO GeekBuddy\VALA.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3188878607-3264248191-2653177-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (S-1-5-21-3188878607-3264248191-2653177-1000)
@Denied: (2) (LocalSystem)
"Progid"="Microsoft Internet Mail Message WLMail"
.
[HKEY_USERS\S-1-5-21-3188878607-3264248191-2653177-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (S-1-5-21-3188878607-3264248191-2653177-1000)
@Denied: (2) (LocalSystem)
"Progid"="Microsoft Internet Mail VCard WLMail"
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000001
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\taskhost.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\conhost.exe
c:\windows\system32\conhost.exe
c:\program files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2012-05-01 08:55:08 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-01 11:55
.
Pre-Run: 9,090,351,104 bytes libres
Post-Run: 9,519,898,624 bytes libres
.
- - End Of File - - 7A152B1D696B765D83F4B80AF5ED0280

Edited by FlyerX, 01 May 2012 - 08:07 AM.


#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,767 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 01 May 2012 - 08:29 AM

Your log is clean.

Any remaining issues with this computer?

#7 FlyerX

FlyerX
  • Topic Starter

  • Members
  • 134 posts

Posted 01 May 2012 - 11:04 AM

Yes, my pictures are still missing.

Honestly, after ComboFix ended I turned off the computer, so I was unable to check whether the pictures came back. I said they're still missing because the wallpaper is still black. I'll be at home within 8 hours, so I'll check whether some of the other pics have come back.



By the way, ComboFix restarted the computer (just for your knowledge, since I didn't read that it would do that in the ComboFix user guide).

When it finished (after the restart), I copied the log to a USB stick so I could post it from the computer I am talking to you from, but when I copied it to the USB stick (on the computer with the problem) I tried to open it to see that everything was OK and I received an error:

"C\Windows\System32\RunDll32.exe
Intento de operacion ilegal en una clave del Registro que estaba marcada para su eliminacion"

something about a registry key that was marked for deletion...

just for your knowledge....

Edited by FlyerX, 01 May 2012 - 11:06 AM.


#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,767 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 01 May 2012 - 12:26 PM

"C\Windows\System32\RunDll32.exe
Intento de operacion ilegal en una clave del Registro que estaba marcada para su eliminacion"

something about a registry key that was marked for deletion...


This should be fixed after you restart the computer again.
===

Try this tool to unhide your files if they exist.
http://www.bleepingcomputer.com/forums/topic405109.html

#9 FlyerX

FlyerX
  • Topic Starter

  • Members
  • 134 posts

Posted 01 May 2012 - 06:57 PM

"C\Windows\System32\RunDll32.exe
Intento de operacion ilegal en una clave del Registro que estaba marcada para su eliminacion"

something about a registry key that was marked for deletion...


This should be fixed after you restart the computer again.
===

Try this tool to unhide your files if they exist.
http://www.bleepingcomputer.com/forums/topic405109.html



I'll be at home within an hour...

The files do exist. I can't even see them from Linux, but when I tried a recovery program I saw them, in their respective locations. You may wonder why I did not just use the recovery program if I already saw them there... the problem is that I would have to relocate every single file, because even JPGs from games and other software were erased/hidden.

#10 FlyerX

FlyerX
  • Topic Starter

  • Members
  • 134 posts
  • Local time:06:59 PM

Posted 01 May 2012 - 08:45 PM

OK, I confirm:
the computer is in the same state; most of the pictures are not there, but the same disk space is in use as when they were there.

#11 nasdaq

nasdaq

  • Malware Response Team
  • 38,767 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:59 PM

Posted 02 May 2012 - 09:26 AM

Technically, all deleted files are still on the hard disk. They are just marked as deleted by the operating system.
The space can be used by the operating system to save other files you want to save. If the operating system reuses the space taken by a deleted file, then that file is gone for good.

Try to restore as many files as you can.

Do not save any new files as you may write over the files that are marked as deleted and the space will be used by the operating system for these new files.

When ready, you can clean this up.

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run, copy/paste the following text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.
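The mechanism described in the post above, as an added example that is not part of this thread and is not code from Recuva or GetDataBack: a Python script that builds a constructed in-memory disk image with a toy directory and sector bitmap, "deletes" a JPEG by dropping only its directory entry, recovers it by scanning the raw bytes for the JPEG start/end markers (the signature carving that recovery tools perform), and then shows the same carve failing once a new file has been written over the freed sectors. Everything in it (the ToyDisk class, the file names, the 512-byte sector size, the fake_jpeg shells) is assumed for illustration.

```python
"""Signature carving of JPEGs from a raw disk image.

Added example, not code from this thread, Recuva or GetDataBack. Deleting
a file removes its directory entry, not its bytes, so a scan of the raw
disk for file signatures still finds it, until the file system hands the
freed sectors to a new file. Disk and JPEGs below are constructed in memory.
"""
from typing import Dict, List, Optional, Tuple

SECTOR = 512
JPEG_SOI = b"\xff\xd8\xff"  # start-of-image marker plus the next marker's FF
JPEG_EOI = b"\xff\xd9"      # end-of-image marker


def carve_jpegs(image: bytes, max_size: int = 64 * 1024 * 1024) -> List[Tuple[int, bytes]]:
    """Return (offset, bytes) for every JPEG found by header/trailer signature.

    Naive by design: a real carver also walks the marker segments so that an
    embedded EXIF thumbnail's own FF D9 does not truncate the file.
    """
    found: List[Tuple[int, bytes]] = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            return found
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1 or end - start > max_size:
            pos = start + 1  # header with no usable trailer: skip it
            continue
        end += len(JPEG_EOI)
        found.append((start, bytes(image[start:end])))
        pos = end


class ToyDisk:
    """Stand-in for a file system: a directory plus a free-sector bitmap (assumed).

    delete() touches only the directory and the bitmap; the sectors keep their
    old contents until a later write reuses them, as on NTFS or FAT.
    """

    def __init__(self, sectors: int) -> None:
        self.image = bytearray(sectors * SECTOR)
        self.free = [True] * sectors
        self.directory: Dict[str, Tuple[int, int]] = {}  # name -> (first sector, byte length)

    def _first_fit(self, count: int) -> Optional[int]:
        run = 0
        for i, is_free in enumerate(self.free):
            run = run + 1 if is_free else 0
            if run == count:
                return i - count + 1
        return None

    def write_file(self, name: str, data: bytes) -> None:
        count = -(-len(data) // SECTOR)  # ceiling division: sectors needed
        first = self._first_fit(count)
        if first is None:
            raise OSError("disk full")
        off = first * SECTOR
        self.image[off:off + len(data)] = data  # slack after `data` is left as it was
        for s in range(first, first + count):
            self.free[s] = False
        self.directory[name] = (first, len(data))

    def delete(self, name: str) -> None:
        first, length = self.directory.pop(name)
        for s in range(first, first + -(-length // SECTOR)):
            self.free[s] = True  # the bytes themselves are NOT zeroed


def fake_jpeg(body: bytes) -> bytes:
    """SOI + a JFIF APP0 segment + body + EOI. Constructed shell, not a decodable picture."""
    return b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + body + JPEG_EOI


def demo() -> dict:
    """Delete a photo, carve it back intact, then lose it to a new write."""
    disk = ToyDisk(sectors=64)
    photo1 = fake_jpeg(b"A" * 1000)
    disk.write_file("photo1.jpg", photo1)
    disk.write_file("photo2.jpg", fake_jpeg(b"B" * 1000))

    disk.delete("photo1.jpg")
    listed = sorted(disk.directory)                # the directory has forgotten photo1
    after_delete = carve_jpegs(bytes(disk.image))  # the raw scan still finds it

    # A new file small enough to fit takes photo1's freed sectors first and
    # overwrites its header; from here on no carver can get it back.
    disk.write_file("notes.txt", b"x" * 800)
    after_overwrite = carve_jpegs(bytes(disk.image))

    return {
        "listed_after_delete": listed,
        "carved_after_delete": len(after_delete),
        "photo1_intact": after_delete[0][1] == photo1,
        "carved_after_overwrite": len(after_overwrite),
    }
```

Two practical points fall out of running it: the carve hands back the file's bytes but not its name or folder, which is why a carving recovery produces unnamed files that have to be put back by hand, and the 800-byte write in the demo destroys only the first part of photo1, yet that is enough to take the header with it, so the file is lost even though most of its bytes are still on the disk. A real carver additionally has to cope with fragmented files and with an EXIF thumbnail's own end marker, which this naive version does not.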

#12 FlyerX

FlyerX
  • Topic Starter

  • Members
  • 134 posts
  • Local time:06:59 PM

Posted 02 May 2012 - 07:23 PM

Wow, that is hard work. I would most likely have to reinstall every single program, because not only my personal pictures but every single picture belonging to programs.... icons, logos, etc....

Isn't there any way/fix so the files just come back to their original position?

What software do you recommend for restoring files? I have GetDataBack NTFS and Recuva. GetDataBack recovers many duplicated files, which can easily amount to more than 200 GB, which surpasses my available backup space.

#13 nasdaq

nasdaq

  • Malware Response Team
  • 38,767 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:59 PM

Posted 03 May 2012 - 08:38 AM

Both recovery tools are good. Use the one you are most familiar with.

The recovered files will be written to your hard disk. If space is a concern, then once they are recovered, move the files to a CD or an external hard drive.

#14 FlyerX

FlyerX
  • Topic Starter

  • Members
  • 134 posts
  • Local time:06:59 PM

Posted 03 May 2012 - 11:12 AM

Well... thanks for the help.

There isn't a way the files just come back to their location, is there? Because the manual relocation of each set will take me months; apparently the easier way would be reinstalling everything again (in the case of the programs with their missing JPGs).

And... there are some pics (the ones I have noticed) not found even with the recovery software; for example, the picture used as wallpaper, I was unable to find it with the recovery...

#15 nasdaq

nasdaq

  • Malware Response Team
  • 38,767 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:59 PM

Posted 03 May 2012 - 12:52 PM

There isn't a way the files just come back to their location, is there? Because the manual relocation of each set will take me months; apparently the easier way would be reinstalling everything again (in the case of the programs with their missing JPGs).

Reinstalling the programs to the same folder will give you the default icons and program files. It will not get back the files that you created with the program.

And... there are some pics (the ones I have noticed) not found even with the recovery software; for example, the picture used as wallpaper, I was unable to find it with the recovery...

They have probably been overwritten by the operating system.
