How to recover IE favorites after "System Error. Hard disk failure detected" attack


19 replies to this topic

#1 acomputerdummy

  • Members
  • 10 posts

Posted 04 September 2012 - 08:54 AM

Hello, new here and hope I am posting in the right place.

We were attacked by the fake "System Error. Hard disk failure detected" virus as detailed here:

http://www.deletevirus.net/system-error-hard-disk-failure-detected-fake-alert/

I removed the virus using MBAM and followed instructions here:

http://www.deletevirus.net/how-to-restore-files-missing-because-of-virus/

to recover some shortcuts on the desktop and the Start menu.

Now the IE Favorites folder is still empty. Is it possible to recover it, and if so how? Thanks!

OS is Win 7 64 bit.

Edited by acomputerdummy, 04 September 2012 - 08:56 AM.




#2 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 04 September 2012 - 09:01 AM

If you have followed that guide, then you may still be infected.

Do not turn off your restore points. They may help us restore the IE favorites.

Download TDSSKiller.

Launch it. Click on "Change parameters" and select "TDLFS file system".

Click on "Scan". Please post the log report (the log file should be in your C: drive).

Do not change the default options on the scan results.

Download aswMBR.

Launch it and allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on "Save log".

Post the log results here.

Download ESET Online Scanner.

Install it.

Click on START; it should download the virus definitions.
When the scan completes, click on "List of found threats".

Export the list to the desktop and copy the contents of the text file into your reply.

Edited by narenxp, 04 September 2012 - 09:02 AM.


#3 acomputerdummy

  • Topic Starter
  • Members
  • 10 posts

Posted 04 September 2012 - 10:51 AM

Thanks for the quick reply! I tried out TDSSkiller on my laptop (not the infected desktop) and it scanned clean. Then I tried aswMBR on the laptop and it crashed big time. After finishing C:\Windows\System32 (IIRC), it was scanning some temp file (IIRC) when all of a sudden I saw a quick flash of the Blue Screen of Death and the laptop restarted and said Windows wasn't shut down properly on startup. What's going on? Should I try aswMBR one more time and see what happens? Thanks!

#4 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 04 September 2012 - 10:55 AM

Press the Windows+R keys, type %temp% and click OK.

If you find an SMTMP folder, copy it to a safe location.

Now clear the temp files and run aswMBR again. If it still crashes, run it in Safe Mode with Networking.

Edited by narenxp, 04 September 2012 - 10:57 AM.


#5 acomputerdummy

  • Topic Starter
  • Members
  • 10 posts

Posted 04 September 2012 - 11:17 AM

Thanks! Sorry for the dumb question but what did you mean by "clear the temp files"? Did you mean delete the SMTMP folder or delete everything under the %temp% folder? In general is it good idea to delete files or folders under the %temp% folder? Thanks!

#6 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 04 September 2012 - 11:20 AM

"If you find SMTMP folder, copy it to a safe location"

If you find a folder called SMTMP in the TEMP directory, copy it to your desktop.

You can delete all other files from the TEMP folder. The SMTMP folder would be helpful for us later.

#7 acomputerdummy

  • Topic Starter
  • Members
  • 10 posts

Posted 05 September 2012 - 07:15 AM

OK, this is the result from my laptop. TDSSKiller and aswMBR both scanned clean. ESET found 4 threats, but they may just be false alarms since the files were downloaded from CNET and are supposed to be clean:

C:\Program Files (x86)\PDFCreator\Toolbar\pdfforge Toolbar_setup.exe Win32/Toolbar.Widgi application
D:\Download\AV\Full Video Converter Free\cnet_full_video_converter_free_exe.exe a variant of Win32/InstallCore.D application
D:\Download\AV\MP3\freeripmp3-setup.exe multiple threats
D:\Download\PDF\PDFCreator-1_2_3_setup.exe Win32/Toolbar.Widgi application

What do you think?

I will move on to the desktop next.

Is it possible to recover/restore IE favorites before finishing all the scans?


#8 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 05 September 2012 - 08:16 AM

What is your operating system? I still need your logs.

#9 acomputerdummy

  • Topic Starter
  • Members
  • 10 posts

Posted 05 September 2012 - 08:47 AM

Win 7 Pro 64 bit

ESET log already posted above. Did you mean you still need the other two scan logs even though they came back clean?

#10 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 05 September 2012 - 09:06 AM

Yes.

Go to your user profile folder, C:\Users\Username.

Right-click on the Favorites folder and click on "Restore previous versions".

Now select a snapshot from before you were infected by the rogue and click "Restore".

You should get back the IE favorites.

Download Malwarebytes Anti-Malware:

http://www.techspot.com/downloads/4716-malwarebytes-anti-malware.html

Install it, update it and run a full scan.

Click on "Show Results". Select all infections and remove them.

Reboot the PC and scan with MBAM again in regular mode until you get a clean log.

Download MiniToolBox.

Checkmark the following boxes:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size

Click Go and post the result.

Download FSS (Farbar Service Scanner).

Checkmark all the boxes.

Click on "Scan".
Please copy and paste the log into your reply.

Download AdwCleaner.

Launch it and click on Delete.

Post the generated log.

Edited by narenxp, 05 September 2012 - 09:07 AM.
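The recovery steps from posts #4, #6 and #10 (save %temp%\SMTMP, then get the Favorites folder back from a pre-infection "previous version") scripted as an added example. This is not code from the thread or from any of the tools narenxp links. It assumes Windows 7 with PowerShell 2.0 or later, an elevated prompt on the already-cleaned machine, and a profile on the system drive; $InfectionDate (the day before the rogue appeared), $Backup and $Mount are placeholder values for this example and must be adjusted. It checks for favorites that are merely hidden before reaching for a snapshot, because this rogue family usually hides files rather than deleting them, and it reads the same Volume Shadow Copy snapshots that "Restore previous versions" uses, which is why System Restore has to stay on until the favorites are back.

```powershell
# Added example, not from the thread or from any tool mentioned in it.
# Assumes Windows 7, PowerShell 2.0+, an elevated prompt, and a profile on the
# system drive. $InfectionDate, $Backup and $Mount are assumed values; adjust them.
param(
    [datetime]$InfectionDate = (Get-Date '2012-09-03'),   # assumed: day before the rogue appeared
    [string]$Favorites = (Join-Path $env:USERPROFILE 'Favorites'),
    [string]$Backup    = (Join-Path $env:USERPROFILE 'Desktop\Favorites-recovered'),
    [string]$Mount     = 'C:\vss_snapshot'                  # assumed symlink path, removed at the end
)

# Step 1 (posts #4 and #6): preserve %temp%\SMTMP before anything clears the temp folder.
$smtmp = Join-Path $env:TEMP 'SMTMP'
if (Test-Path $smtmp) {
    Copy-Item $smtmp (Join-Path $env:USERPROFILE 'Desktop\SMTMP') -Recurse -Force
    "Copied $smtmp to the desktop"
}

# Step 2: look for favorites that are only hidden (-Force lists hidden entries).
# desktop.ini is hidden+system by design in this folder and is excluded.
$hidden = @(Get-ChildItem -Path $Favorites -Recurse -Force |
    Where-Object { $_.Name -ne 'desktop.ini' -and
                   (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) })
if ($hidden.Count -gt 0) {
    "Found $($hidden.Count) hidden item(s) under $Favorites; clearing Hidden/System attributes"
    attrib -h -s "$Favorites"
    attrib -h -s "$Favorites\*" /s /d
    return
}

# Step 3 (post #10): nothing hidden, so pick the newest shadow copy of the system
# volume that was taken before the infection.
$volumeId = (Get-WmiObject Win32_Volume |
    Where-Object { $_.DriveLetter -eq $env:SystemDrive }).DeviceID
$snapshot = Get-WmiObject Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeId } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Created = [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate)
            Device  = $_.DeviceObject   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        }
    } |
    Where-Object { $_.Created -lt $InfectionDate } |
    Sort-Object Created -Descending |
    Select-Object -First 1
if (-not $snapshot) { throw "No shadow copy older than $InfectionDate on $env:SystemDrive" }
"Using the snapshot taken $($snapshot.Created)"

# Step 4: expose the snapshot through a directory symlink (the trailing backslash is
# required) and copy the Favorites tree out of it into a separate folder, so the live
# profile is not overwritten before you have inspected what came back.
cmd /c mklink /d "$Mount" "$($snapshot.Device)\" | Out-Null
try {
    $relative = $Favorites.Substring(3)   # drop the "C:\" prefix
    robocopy (Join-Path $Mount $relative) $Backup /E /COPY:DAT /R:1 /W:1 | Out-Null
    "Recovered favorites written to $Backup"
} finally {
    cmd /c rmdir "$Mount" | Out-Null      # rmdir on a directory symlink removes only the link
}
```

Save it as a .ps1 file and run it from an elevated PowerShell prompt (with -ExecutionPolicy Bypass if the default policy refuses scripts). Look through the recovered folder before copying anything back into the profile; if the script stops at the hidden-attribute step, the favorites were never gone and no snapshot is needed.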


#11 acomputerdummy

  • Topic Starter
  • Members
  • 10 posts

Posted 05 September 2012 - 02:05 PM

OK this is for the laptop again as a dry run:

MBAM scan all clean.

MiniToolBox:

========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 07 C:\Windows\SysWOW64\wshbth.dll [36352] (Microsoft Corporation)
Catalog5 08 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [94208] (Apple Computer, Inc.)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 11 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 07 C:\Windows\System32\wshbth.dll [47104] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 11 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)


========================= Event log errors: ===============================

Application errors:
==================
Error: (09/04/2012 02:37:09 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (09/04/2012 02:37:02 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (09/04/2012 02:37:02 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (09/04/2012 02:36:51 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (09/04/2012 11:39:14 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/17/2012 10:15:10 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/30/2012 03:29:12 PM) (Source: Application Hang) (User: )
Description: The program notepad++.exe version 6.1.3.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 88dc

Start Time: 01cd64dfd82269a7

Termination Time: 15

Application Path: C:\Program Files (x86)\Notepad++\notepad++.exe

Report Id: d23dc702-da7c-11e1-add4-f0def1bb20e4

Error: (07/20/2012 08:06:53 PM) (Source: Application Error) (User: )
Description: Faulting application name: FlashPlayerPlugin_11_3_300_265.exe, version: 11.3.300.265, time stamp: 0x4febd5ac
Faulting module name: NPSWF32_11_3_300_265.dll, version: 11.3.300.265, time stamp: 0x4febd798
Exception code: 0xc0000005
Fault offset: 0x004923d1
Faulting process id: 0x6a8c
Faulting application start time: 0xFlashPlayerPlugin_11_3_300_265.exe0
Faulting application path: FlashPlayerPlugin_11_3_300_265.exe1
Faulting module path: FlashPlayerPlugin_11_3_300_265.exe2
Report Id: FlashPlayerPlugin_11_3_300_265.exe3

Error: (07/17/2012 02:26:26 PM) (Source: Application Hang) (User: )
Description: The program notepad++.exe version 6.1.3.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 1ac4

Start Time: 01cd61eb9991b3b2

Termination Time: 8

Application Path: C:\Program Files (x86)\Notepad++\notepad++.exe

Report Id: e567f764-d03c-11e1-add4-f0def1bb20e4

Error: (07/14/2012 09:52:38 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (09/05/2012 08:08:12 AM) (Source: Microsoft-Windows-GroupPolicy) (User: NT AUTHORITY)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (09/04/2012 11:38:29 AM) (Source: EventLog) (User: )
Description: The previous system shutdown at 11:36:49 AM on ?9/?4/?2012 was unexpected.

Error: (09/04/2012 08:22:00 AM) (Source: Microsoft-Windows-GroupPolicy) (User: NT AUTHORITY)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (09/04/2012 08:22:00 AM) (Source: Microsoft-Windows-GroupPolicy) (User: zzzz)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (09/04/2012 08:21:47 AM) (Source: NETLOGON) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain zzzz due to the following:
%%1311

This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.



ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Error: (08/31/2012 04:12:11 PM) (Source: cdrom) (User: )
Description: The device, \Device\CdRom0, is not ready for access yet.

Error: (08/31/2012 04:12:11 PM) (Source: cdrom) (User: )
Description: The device, \Device\CdRom0, is not ready for access yet.

Error: (08/31/2012 07:51:44 AM) (Source: Microsoft-Windows-GroupPolicy) (User: zzzz)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (08/31/2012 07:51:44 AM) (Source: Microsoft-Windows-GroupPolicy) (User: NT AUTHORITY)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (08/30/2012 07:52:26 AM) (Source: Microsoft-Windows-GroupPolicy) (User: zzzz)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.


Microsoft Office Sessions:
=========================
Error: (09/04/2012 02:37:09 PM) (Source: SideBySide)(User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestD:\Download\Security\ESET online scanner\esetsmartinstaller_enu.exe

Error: (09/04/2012 02:37:02 PM) (Source: SideBySide)(User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestD:\Download\Security\ESET online scanner\esetsmartinstaller_enu.exe

Error: (09/04/2012 02:37:02 PM) (Source: SideBySide)(User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestD:\Download\Security\ESET online scanner\esetsmartinstaller_enu.exe

Error: (09/04/2012 02:36:51 PM) (Source: SideBySide)(User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestD:\Download\Security\ESET online scanner\esetsmartinstaller_enu.exe

Error: (09/04/2012 11:39:14 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/17/2012 10:15:10 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/30/2012 03:29:12 PM) (Source: Application Hang)(User: )
Description: notepad++.exe6.1.3.088dc01cd64dfd82269a715C:\Program Files (x86)\Notepad++\notepad++.exed23dc702-da7c-11e1-add4-f0def1bb20e4

Error: (07/20/2012 08:06:53 PM) (Source: Application Error)(User: )
Description: FlashPlayerPlugin_11_3_300_265.exe11.3.300.2654febd5acNPSWF32_11_3_300_265.dll11.3.300.2654febd798c0000005004923d16a8c01cd63520b89b11eC:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_265.exeC:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_265.dllf968a4d0-d2c7-11e1-add4-f0def1bb20e4

Error: (07/17/2012 02:26:26 PM) (Source: Application Hang)(User: )
Description: notepad++.exe6.1.3.01ac401cd61eb9991b3b28C:\Program Files (x86)\Notepad++\notepad++.exee567f764-d03c-11e1-add4-f0def1bb20e4

Error: (07/14/2012 09:52:38 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


=========================== Installed Programs ============================

7-Zip 9.22beta
Adobe AIR (Version: 2.6.0.19140)
Adobe Anchor Service CS3 (Version: 1.0)
Adobe Asset Services CS3 (Version: 3)
Adobe Bridge CS3 (Version: 2)
Adobe Bridge Start Meeting (Version: 1.0)
Adobe Camera Raw 4.0 (Version: 4.0)
Adobe CMaps (Version: 1.0)
Adobe Color - Photoshop Specific (Version: 1.0)
Adobe Color Common Settings (Version: 1.0)
Adobe Color EU Extra Settings (Version: 1.0)
Adobe Color JA Extra Settings (Version: 1.0)
Adobe Color NA Recommended Settings (Version: 1.0)
Adobe Default Language CS3 (Version: 1.0)
Adobe Device Central CS3 (Version: 1.0)
Adobe ExtendScript Toolkit 2 (Version: 2.0)
Adobe Flash Player 11 ActiveX 64-bit (Version: 11.2.202.228)
Adobe Flash Player 11 Plugin (Version: 11.4.402.265)
Adobe Fonts All (Version: 1.0)
Adobe Help Viewer CS3 (Version: 1)
Adobe Linguistics CS3 (Version: 3.0.0)
Adobe PDF Library Files (Version: 8.0)
Adobe Photoshop CS3 (Version: 10)
Adobe Photoshop CS3 (Version: 10.0)
Adobe Setup (Version: 1.0)
Adobe Shockwave Player 11.5 (Version: 11.5.9.620)
Adobe Stock Photos CS3 (Version: 1.5)
Adobe Type Support (Version: 1.0)
Adobe Update Manager CS3 (Version: 5.1.0)
Adobe Version Cue CS3 Client (Version: 3)
Adobe WinSoft Linguistics Plugin (Version: 1.0)
Adobe XMP Panels CS3 (Version: 1.0)
Apple Application Support (Version: 1.4.1)
Apple Software Update (Version: 2.1.1.116)
Aspell English Dictionary-0.50-2
Beyond Compare Version 3.3.4
Boost C++ Libraries 1.47
Canon CanoScan Toolbox 5.0
CanoScan LiDE 600F
Conexant 20672 SmartAudio HD (Version: 8.32.23.2)
Cool Edit Pro 2.1
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
doxygen 1.8.0 (Version: 1.8.0)
DVDFab 8.1.7.3 (01/04/2012) Qt
EAGLE 6.2.0 (Version: 6.2.0)
EASEUS Partition Master 9.1.0 Home Edition
ESET Online Scanner v3
FastStone Capture 4.8 (Version: 4.8)
FileZilla Client 3.5.3 (Version: 3.5.3)
FortiClient SSL VPN v4.0.2085 (Version: 4.0.2085)
Foxit Reader (Version: 5.3.1.606)
Free Audio Converter version 5.0.6.221 (Version: 5.0.6.221)
FreeRIP 3.80 (Version: 3.80)
Gadwin PrintScreen (Version: 4.5)
GNU Aspell 0.50-3
Google Earth Plug-in (Version: 6.2.2.6613)
Google SketchUp 8 (Version: 3.0.11752)
Google Update Helper (Version: 1.3.21.115)
HWiNFO64 Version 3.91 (Version: 3.91)
HxD Hex Editor version 1.7.7.0 (Version: 1.7.7.0)
Integrated Camera Driver Installer Package Ver.1.1.0.1141 (Version: 1.1.0.1141)
Integrated Camera TWAIN (Version: 1.0.11.1223)
Intel® Graphics Media Accelerator Driver (Version: 8.15.10.2154)
Intel® Network Connections Drivers (Version: 15.4)
Intel® Turbo Boost Technology Monitor (Version: 1.0.186.3)
Java Auto Updater (Version: 2.0.7.1)
Java™ 6 Update 24 (64-bit) (Version: 6.0.240)
Java™ 6 Update 33 (Version: 6.0.330)
KeepNote 0.7.8
Lenovo Auto Scroll Utility (Version: 1.00)
Lenovo Patch Utility (Version: 1.00.0000)
Lenovo Patch Utility 64 bit (Version: 1.20.0001)
Lenovo System Interface Driver (Version: 1.05)
LiveUpdate 3.3 (Symantec Corporation) (Version: 3.3.0.96)
Malwarebytes Anti-Malware version 1.62.0.1300 (Version: 1.62.0.1300)
Mathematica Extras 8.0 (2615434) (Version: 8.0.4)
MATLAB R2012a (Version: 7.14)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft .NET Framework 4 Multi-Targeting Pack (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Help Viewer 1.1 (Version: 1.1.40219)
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Excel MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Office 64-bit Components 2010 (Version: 14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (French) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared 64-bit MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Standard 2010 (Version: 14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Silverlight (Version: 4.1.10329.0)
Microsoft SQL Server Compact 3.5 SP2 ENU (Version: 3.5.8080.0)
Microsoft SQL Server Compact 3.5 SP2 x64 ENU (Version: 3.5.8080.0)
Microsoft Visual C++ Compilers 2010 Standard - enu - x86 (Version: 10.0.40219)
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.50727.42)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974 (Version: 9.0.30729.4974)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Runtime - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 (Version: 10.0.30319)
Microsoft Visual C++ 2010 x86 Runtime - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual C++ 2010 Express - ENU (Version: 10.0.40219)
Microsoft Visual Studio 2010 Express Prerequisites x64 - ENU (Version: 10.0.40219)
Microsoft Visual Studio 2010 Service Pack 1 (Version: 10.0.40219)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (Version: 10.0.31119)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (Version: 10.0.31124)
Monkey's Audio
Mozilla Firefox 15.0 (x86 en-US) (Version: 15.0)
Mozilla Maintenance Service (Version: 15.0)
NetBeans IDE 7.1 (Version: 7.1)
Notepad++ (Version: 6.1.3)
On Screen Display (Version: 6.30.00)
Orbit Downloader
PDF Settings (Version: 1.0)
PDFCreator (Version: 1.2.3)
Python 2.7.3 (Version: 2.7.3150)
QuickTime (Version: 7.69.80.9)
RapidBoot (Version: 1.12)
RICOH Media Driver v2.10.18.02 (Version: 2.10.18.02)
Skype Toolbars (Version: 5.3.7555)
Skype™ 5.3 (Version: 5.3.120)
Symantec Endpoint Protection (Version: 11.0.6005.562)
System Update (Version: 4.01.0015)
ThinkPad Bluetooth with Enhanced Data Rate Software (Version: 6.2.1.3200)
ThinkPad FullScreen Magnifier (Version: 2.24)
ThinkPad Power Management Driver (Version: 1.64.00.00)
ThinkPad Power Manager (Version: 3.65)
ThinkPad UltraNav Driver (Version: 15.3.34.0)
ThinkPad UltraNav Utility (Version: 2.13.0)
ThinkVantage Active Protection System (Version: 1.75)
ThinkVantage Communications Utility (Version: 1.44)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2600217) (Version: 1)
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553272) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2598289) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2589345) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2553248) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Vim 7.3 (self-installing)
VLC media player 1.1.11 (Version: 1.1.11)
Windows Driver Package - Broadcom (BTHUSB) Bluetooth (04/08/2010 6.3.5.430) (Version: 04/08/2010 6.3.5.430)
Windows Driver Package - Broadcom Bluetooth (07/30/2009 6.2.0.9405) (Version: 07/30/2009 6.2.0.9405)
Windows Driver Package - Broadcom Bluetooth (09/11/2009 6.2.0.9407) (Version: 09/11/2009 6.2.0.9407)
Windows Driver Package - Broadcom HIDClass (07/28/2009 6.2.0.9800) (Version: 07/28/2009 6.2.0.9800)
Windows XP Mode (Version: 1.3.7600.16423)
Wolfram Mathematica 8 (M-WIN-L 8.0.4 2615665) (Version: 8.0.4)

========================= Memory info: ===================================

Percentage of memory in use: 42%
Total physical RAM: 8075.23 MB
Available physical RAM: 4651.84 MB
Total Pagefile: 8073.43 MB
Available Pagefile: 4964.25 MB
Total Virtual: 4095.88 MB
Available Virtual: 3969.98 MB

========================= Partitions: =====================================

1 Drive c: (OS) (Fixed) (Total:88.83 GB) (Free:45.56 GB) NTFS
2 Drive d: (Work) (Fixed) (Total:209.16 GB) (Free:132.44 GB) NTFS


FSS: nothing out of ordinary; Windows Defender is off because of Norton

Farbar Service Scanner Version: 06-08-2012
Ran by llll (administrator) on 05-09-2012 at 14:01:45
Running from "D:\Download\Farbar Service Scanner"
Microsoft Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

adware cleaner:

It flagged pdfforge again, but it's probably a false alarm.

# AdwCleaner v2.000 - Logfile created 09/05/2012 at 15:01:25
# Updated 30/08/2012 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (64 bits)
# User : llll
# Boot Mode : Normal
# Running from : D:\Download\Security\Adware cleaner\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Users\llll\AppData\Roaming\pdfforge

***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v15.0 (en-US)

Profile name : default
File : C:\Users\llll\AppData\Roaming\Mozilla\Firefox\Profiles\685z3tsi.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [882 octets] - [05/09/2012 14:13:48]
AdwCleaner[R2].txt - [823 octets] - [05/09/2012 15:01:25]

########## EOF - C:\AdwCleaner[R2].txt - [882 octets] ##########

#12 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India
  • Local time:10:39 AM

Posted 05 September 2012 - 02:06 PM

Did you restore your IE favorites?

download

http://www.bleepingcomputer.com/download/rkill/

Run it and, after the scan finishes, post the contents of the RKill log located on the desktop here.

#13 acomputerdummy

acomputerdummy
  • Topic Starter

  • Members
  • 10 posts
  • Local time:11:39 AM

Posted 05 September 2012 - 03:10 PM

Sorry I will get to IE on the desktop in a few hours.

From the laptop:

RKill: Looks all OK except the "NoActiveDesktopChanges". What is it?

Rkill 2.3.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 09/05/2012 03:55:32 PM in x64 mode.
Windows Version: Windows 7 Professional Service Pack 1

Checking for Windows services to stop.

* No malware services found to stop.

Checking for processes to terminate.

* No malware processes found to kill.

Checking Registry for malware related settings.

* Explorer Policy Removed: NoActiveDesktopChanges [HKLM]

Backup Registry file created at:
C:\Users\llll\Desktop\rkill\rkill-09-05-2012-03-55-41.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks.

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

* Windows Defender (WinDefend) is not Running.
Startup Type set to: Manual

Searching for Missing Digital Signatures:

* No issues found.

Program finished at: 09/05/2012 03:55:51 PM
Execution time: 0 hours(s), 0 minute(s), and 18 seconds(s)

#14 acomputerdummy

acomputerdummy
  • Topic Starter

  • Members
  • 10 posts
  • Local time:11:39 AM

Posted 07 September 2012 - 07:43 AM

OK, got the favorites back on the desktop. It turned out that what the virus did was to make the favorites files hidden. Unhiding the files did the trick. There are many, many other files that got hidden as well, making other applications not work. Is it OK to unhide everything (including system files/folders that are normally hidden)?

#15 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India
  • Local time:10:39 AM

Posted 07 September 2012 - 08:28 AM

If you want to hide them, you have to manually change their attributes to hidden.


Download

TFC

Launch it; it will close all running programs.

Click on START; it should ask for a reboot. If TFC locks up the system, run it in safe mode.

Turn off your System Restore, restart the PC, then create a new restore point.

http://windows.microsoft.com/en-US/windows7/Turn-System-Restore-on-or-off

Update your JAVA from here

http://java.com/en/download/inc/windows_upgrade_xpi.jsp

Update your flash player

Update your antivirus frequently, and do not click on suspicious links.

Safe surfing :)
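On the hidden-attribute question raised in posts #14 and #15 (files hidden by the scareware, and whether to unhide everything): the following is an added PowerShell example, not code from this thread or from any tool used in it. It clears the Hidden attribute only on entries that are Hidden but not System, so OS-managed files such as desktop.ini and NTUSER.DAT stay as Windows left them, and it never descends into junctions. The profile path C:\Users\llll is an assumption taken from the account name in the posted logs.

```powershell
function Restore-HiddenUserFiles {
    param(
        [string]$RootPath = 'C:\Users\llll',   # assumption: account name from the posted logs
        [switch]$ReportOnly                    # list what would change, touch nothing
    )

    $HIDDEN  = [int][IO.FileAttributes]::Hidden
    $SYSTEM  = [int][IO.FileAttributes]::System
    $REPARSE = [int][IO.FileAttributes]::ReparsePoint
    # Folders Windows hides on its own (Hidden without System): left hidden,
    # but their contents are still checked.
    $keepHidden = @('AppData', 'ProgramData')

    # Manual walk instead of -Recurse so junctions such as "Application Data"
    # are never entered (a Win7 profile contains a junction loop under AppData\Local).
    $queue = New-Object 'System.Collections.Generic.Queue[string]'
    $queue.Enqueue($RootPath)
    $restored = @()

    while ($queue.Count -gt 0) {
        $dir = $queue.Dequeue()
        foreach ($item in (Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue)) {
            $attr = [int]$item.Attributes
            if (($attr -band $REPARSE) -ne 0) { continue }      # skip junctions and symlinks
            if ($item.PSIsContainer) { $queue.Enqueue($item.FullName) }
            if ($keepHidden -contains $item.Name) { continue }

            # Only entries that are Hidden but not System are user data the infection
            # hid; desktop.ini, NTUSER.DAT and other OS-managed files carry System.
            if (($attr -band $HIDDEN) -ne 0 -and ($attr -band $SYSTEM) -eq 0) {
                if ($ReportOnly) {
                    Write-Output ('Hidden user item: ' + $item.FullName)
                } else {
                    $item.Attributes = [IO.FileAttributes]($attr -bxor $HIDDEN)
                    $restored += $item.FullName
                }
            }
        }
    }
    return $restored
}

# Dry run first, then apply and list what was restored.
Restore-HiddenUserFiles -ReportOnly
Restore-HiddenUserFiles | ForEach-Object { 'Restored: ' + $_ }
```

Run the dry run from an elevated PowerShell prompt and review the list before applying; shortcuts under the all-users Start Menu live in C:\ProgramData and need the function run a second time with that path as -RootPath.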



