
Virus ate all my Desktop icons


  • Please log in to reply
11 replies to this topic

#1 Depthcharge

Posted 24 November 2013 - 02:48 PM

as well as toolbar icons. Also, the computer makes strange noises (bells, chimes, etc.) at strange, seemingly random times. This is my mother's computer. She runs AVG Free. Her default browser is Explorer. I have a user account on this machine, but use Firefox and I'm experiencing no issues other than slightly slower load times. On my own machine some years back I caught a bug which also ate my pointer and played strange music and ads. She claims she was trying to update Java, but, at first, there were shortcuts for PCFix or RunFast (?) on the desktop before everything disappeared.





#2 Greg62702

Posted 24 November 2013 - 03:19 PM

Follow the info at http://forums.majorgeeks.com/showthread.php?t=35407 and follow the info to a T, for checking the machine for nasties.  I doubt a virus ate the desktop and toolbar icons.  More like mom was deleting stuff, that she thought that she did not need.  Been happening since the days of Windows 3.1, that users would delete files on the computer, thinking that they did not need them, in turn killed the machine.

 

As for the beeps and chimes, could be that she has Ease of Access turned on.  Never rule out the problem being the thing sitting in the chair in front of the computer, and not a virus.



#3 Queen-Evie

Posted 25 November 2013 - 10:07 AM

It is your choice whether to follow the instructions at Major Geeks or wait until one of the malware removal experts replies to you here.

Our general policy is NOT to send you somewhere else for the help you need.

#4 xXToffeeXx, Malware Response Instructor

Posted 25 November 2013 - 12:20 PM

Hi Depthcharge,

 

Actually, it sounds like explorer might not be running for some reason. Let's see if that is our problem: press ctrl + alt + delete on the keyboard and a menu should load. Click on Start Task Manager. In Task Manager you should see File at the top; click on that and you should see a dropdown menu with New Task (Run...) on it. Click on Run and in the window that appears type explorer and press OK. You should now see your desktop; tell me if you get this far, or if you have any problems.

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#5 Depthcharge (Topic Starter)

Posted 28 November 2013 - 09:36 PM

Apologies. Busy around the holiday. Thank you for the reply. I've done as you've suggested, but Explorer does not run. Firefox appears fine still. Some icons have returned and the others are easy enough to replace, but I still fear infection. My scans have come up negative. I can run MalwareBytes again or AVG.



#6 xXToffeeXx, Malware Response Instructor

Posted 29 November 2013 - 01:24 PM

Hi Depthcharge,
 
No worries. Do you see a desktop similar to either of these images (take note of the taskbar and start/windows button please; if you are running Windows 8 then there will be no start/windows button)?
 
http://toastytech.com/guis/win7default.jpg
http://www.guidebookgallery.org/pics/gui/desktop/empty/winxppro.png
 
You can replace the icons, as I'm not sure whether we will be able to get them back.
 
Let's get some scans to work from anyhow:
 
Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

--------

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • Click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

--------

  • Please download TDSSKiller from here and save it to your Desktop
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters


  • Check Loaded Modules, Verify Driver Digital Signature, and Detect TDLFS file system
  • If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now


  • Click Start Scan and allow the scan process to run


  • If threats are detected select Skip or Cure (if available) for all of them unless otherwise instructed.

***Do NOT select Delete!

  • Click Continue


  • Click Reboot computer
  • Please copy the TDSSKiller.[Version]_[Date]_[Time]_log.txt file found in your root directory (typically c:\) and paste it into your next reply

--------
Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
  • List Restore Points

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
 
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
 
xXToffeeXx~


Edited by xXToffeeXx, 29 November 2013 - 01:25 PM.



#7 Depthcharge (Topic Starter)

Posted 30 November 2013 - 08:06 PM

Hello again, xXToffeeXx. I hope you had a good Tg. Yes, Desktop is similar to the toastytech link. Proceeding with JRT now. Log will follow.



#8 Depthcharge (Topic Starter)

Posted 30 November 2013 - 08:36 PM

JRT log follows below. Awaiting ok to proceed to ADW.

 

Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Windows 7 Home Premium x64
Ran by ANDREA on Sat 11/30/2013 at 20:12:39.41
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services

Successfully stopped: [Service] cltmngsvc
Successfully deleted: [Service] cltmngsvc



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-21-1572161720-2650577712-1865216205-1001\Software\Microsoft\Internet Explorer\Main\\Start Page



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\dynconie.dynconieobject
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\dynconie.dynconieobject.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{44ED99E2-16A6-4B89-80D6-5B21CF42E78B}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\dynconie
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{44ED99E2-16A6-4B89-80D6-5B21CF42E78B}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44ED99E2-16A6-4B89-80D6-5B21CF42E78B}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\searchprotect
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\updatewhilokii_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\updatewhilokii_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\searchprotect
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44ED99E2-16A6-4B89-80D6-5B21CF42E78B}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10AD2C61-0898-4348-8600-14A342F22AC3}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{10AD2C61-0898-4348-8600-14A342F22AC3}



~~~ Files

Successfully deleted: [File] "C:\Users\ANDREA\appdata\locallow\SkwConfig.bin"



~~~ Folders

Successfully deleted: [Folder] "C:\Users\ANDREA\appdata\local\searchprotect"
Successfully deleted: [Folder] "C:\Program Files (x86)\24x7help"
Failed to delete: [Folder] "C:\Program Files (x86)\searchprotect"
Successfully deleted: [Folder] "C:\Program Files (x86)\social privacy"



~~~ FireFox

Successfully deleted the following from C:\Users\ANDREA\AppData\Roaming\mozilla\firefox\profiles\m9nj5n42.default\prefs.js

user_pref("extensions.dynconff.cache.www.avg.com.content", "<package expire=\"3600\" es=\"914\" pcdids=\"_1520_1674_1164_1524_1146_1169_1348_1482_1493_1521\"><content id=\"MB_
user_pref("extensions.dynconff.cache.www.bleepingcomputer.com.content", "<package expire=\"3600\" es=\"914\" pcdids=\"_1520_1674_1164_1524_1146_1169_1476_1348_1482_1493_1521\"



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 11/30/2013 at 20:27:15.88
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 



#9 xXToffeeXx, Malware Response Instructor

Posted 01 December 2013 - 06:58 AM

Hi Depthcharge,

 

No need to wait for me to give you the okay, feel free to run all the scans one after another if you have time to do that.

 

xXToffeeXx~




#10 Depthcharge (Topic Starter)

Posted 01 December 2013 - 10:27 PM

I fear I may have screwed the pooch with ADW. After following your instructions, ADW seemed to be frozen. I got the msg, regarding the scan as "Pending. Please uncheck the elements you don't want to remove." After some time, confused, I clicked Clean. The following log is posted below...

 

# AdwCleaner v3.014 - Report created 01/12/2013 at 21:43:57
# Updated 01/12/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : ANDREA - ANDREA-PC
# Running from : C:\Users\ANDREA\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

Service Deleted : Level Quality Watcher
[#] Service Deleted : vToolbarUpdater17.0.12

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\TubeDimmer
Folder Deleted : C:\Program Files (x86)\Level Quality Watcher
Folder Deleted : C:\Program Files (x86)\ScorpionSaver
Folder Deleted : C:\Program Files (x86)\Searchprotect
Folder Deleted : C:\Program Files\Level Quality Watcher
Folder Deleted : C:\Users\ANDREA\AppData\Local\PackageAware
Folder Deleted : C:\Users\Jarbo\AppData\Local\Searchprotect
Folder Deleted : C:\Users\Jarbo\AppData\Roaming\PCFixSpeed
Folder Deleted : C:\Users\ANDREA\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaojmikegpiepcfdkkjaplodkpfmlo
Folder Deleted : C:\Users\ANDREA\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjjkeeamkpihpncmmbgdkhdnjpcfmfb
Folder Deleted : C:\Users\ANDREA\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Folder Deleted : C:\Users\ANDREA\AppData\Local\Google\Chrome\User Data\Default\Extensions\oclgomenfkljhfkfflghppidonpkljjg
File Deleted : C:\Windows\SysWOW64\AdpeakProxy.ini
File Deleted : C:\Windows\SysWOW64\AdpeakProxyOff.ini
File Deleted : C:\Windows\System32\AdpeakProxy.ini
File Deleted : C:\Windows\System32\AdpeakProxyOff.ini

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\aipfmkinhleccnodemkoofnnofpbbpac
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\conduit.com
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Updater]
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{408CFAD9-8F13-4747-8EC7-770A339C7237}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{07CAC314-E962-4F78-89AB-DD002F2490EE}
Key Deleted : HKCU\Software\AppDataLow\Software\DynConIE

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16428


-\\ Mozilla Firefox v25.0.1 (en-US)

[ File : C:\Users\ANDREA\AppData\Roaming\Mozilla\Firefox\Profiles\m9nj5n42.default\prefs.js ]

Line Deleted : user_pref("extensions.dynconff.cache.www.bleepingcomputer.com.content", "<package expire=\"3600\" es=\"914\" pcdids=\"_1520_1674_1164_1524_1146_1169_1476_1348_1482_1493_1521\"><content id=\"MB_P1\">\r[...]

[ File : C:\Users\Jarbo\AppData\Roaming\Mozilla\Firefox\Profiles\oejp7eqs.default\prefs.js ]

Line Deleted : user_pref("extensions.dynconff.cache.www.bleepingcomputer.com.content", "<package expire=\"3600\" es=\"914\" pcdids=\"_1520_1674_1164_1524_1146_1169_1476_1348_1482_1493_1521\"><content id=\"MB_P1\">\r[...]

-\\ Google Chrome v

[ File : C:\Users\ANDREA\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [7685 octets] - [12/10/2013 10:45:46]
AdwCleaner[R1].txt - [3376 octets] - [01/12/2013 21:36:38]
AdwCleaner[S0].txt - [7495 octets] - [12/10/2013 11:00:41]
AdwCleaner[S1].txt - [3373 octets] - [01/12/2013 21:43:57]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [3433 octets] ##########
 

Thinking I must have done it wrong, I tried again. I have run ADW before, but this was a newer version and again I got the same "Pending" msg. Follow-up log posted below...

 

# AdwCleaner v3.014 - Report created 01/12/2013 at 22:15:59
# Updated 01/12/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : ANDREA - ANDREA-PC
# Running from : C:\Users\ANDREA\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\TubeDimmer
Folder Deleted : C:\Users\ANDREA\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjjkeeamkpihpncmmbgdkhdnjpcfmfb
Folder Deleted : C:\Users\ANDREA\AppData\Local\Google\Chrome\User Data\Default\Extensions\oclgomenfkljhfkfflghppidonpkljjg

***** [ Shortcuts ] *****


***** [ Registry ] *****

Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Updater]
Key Deleted : HKCU\Software\AppDataLow\Software\DynConIE

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16428


-\\ Mozilla Firefox v25.0.1 (en-US)

[ File : C:\Users\ANDREA\AppData\Roaming\Mozilla\Firefox\Profiles\m9nj5n42.default\prefs.js ]


[ File : C:\Users\Jarbo\AppData\Roaming\Mozilla\Firefox\Profiles\oejp7eqs.default\prefs.js ]


-\\ Google Chrome v

[ File : C:\Users\ANDREA\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [7685 octets] - [12/10/2013 10:45:46]
AdwCleaner[R1].txt - [3376 octets] - [01/12/2013 21:36:38]
AdwCleaner[R2].txt - [1646 octets] - [01/12/2013 21:47:39]
AdwCleaner[R3].txt - [1706 octets] - [01/12/2013 21:48:28]
AdwCleaner[S0].txt - [7495 octets] - [12/10/2013 11:00:41]
AdwCleaner[S1].txt - [3513 octets] - [01/12/2013 21:43:57]
AdwCleaner[S2].txt - [1639 octets] - [01/12/2013 22:15:59]

########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [1699 octets] ##########
 

 

Not sure if it is relevant, but after JRT, email went scrablooey (Comcast). This time I will wait before running TDSSKiller in case I screwed up ADW. Thanks for your patience.
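Added example, written for this thread rather than taken from it or from either tool's authors: a small Python triage script that parses the JRT and AdwCleaner report lines as posted above (post #8 and post #10) and groups each removed artifact by the persistence mechanism it represents, so a reader can see at a glance whether an infection was limited to browser add-ons or had system-wide load points, and which items the tool could not remove. The classification rules are my own heuristics, and the embedded sample is an excerpt of the logs in this thread.

```python
import re
from collections import Counter

# JRT report lines:        Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\...
JRT_RE = re.compile(r'^(?P<status>Successfully|Failed to) \w+: \[(?P<kind>[^\]]+)\] (?P<item>.+)$')
# AdwCleaner report lines: Key Deleted : HKLM\...   (an optional "[#] " prefix is tolerated)
ADW_RE = re.compile(r'^(?:\[#\] )?(?P<kind>Service|Folder|File|Key|Value|Line) Deleted : (?P<item>.+)$')
# Load points that survive a reboot and reach every user or process: worth a second look even after
# the tool reports success, because something on the machine had the rights to write them.
SYSTEM_WIDE = ("service", "AppInit_DLLs", "Run key", "BHO")

def parse_report(text):
    """Return (kind, item, ok) for every action line; headers, separators and blanks are skipped."""
    actions = []
    for raw in text.splitlines():
        m = JRT_RE.match(raw.strip()) or ADW_RE.match(raw.strip())
        if not m:
            continue
        ok = m.groupdict().get("status", "Successfully") == "Successfully"
        actions.append((m.group("kind"), m.group("item").strip('"'), ok))
    return actions

def load_point(kind, item):
    """Heuristic label (my own rules, not the tools') for the persistence mechanism an artifact used."""
    low = item.lower()
    if kind == "Service":
        return "service"
    if "appinit_dlls" in low:            # DLL loaded into every process that maps user32.dll
        return "AppInit_DLLs"
    if "\\currentversion\\run" in low:   # autostart at logon
        return "Run key"
    if "browser helper objects" in low:  # add-on loaded into every Internet Explorer process
        return "BHO"
    if kind in ("Registry Key", "Registry Value", "Key", "Value"):
        return "registry (other)"
    if kind == "Line":
        return "browser pref"
    return "filesystem"

def triage(text):
    """Summarise a report: per-mechanism counts, system-wide load points, and failed removals."""
    labelled = [(load_point(kind, item), item, ok) for kind, item, ok in parse_report(text)]
    return {
        "counts": Counter(label for label, _, _ in labelled),
        "system_wide": [item for label, item, _ in labelled if label in SYSTEM_WIDE],
        "failed": [item for _, item, ok in labelled if not ok],
    }

# Constructed sample: an excerpt of the JRT and AdwCleaner reports posted earlier in this thread.
SAMPLE_LOG = r"""
Successfully deleted: [Service] cltmngsvc
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44ED99E2-16A6-4B89-80D6-5B21CF42E78B}
Failed to delete: [Folder] "C:\Program Files (x86)\searchprotect"
[#] Service Deleted : vToolbarUpdater17.0.12
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Updater]
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Line Deleted : user_pref("extensions.dynconff.cache.www.bleepingcomputer.com.content", "...")
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for label, n in summary["counts"].most_common():
        print(f"{n:3d}  {label}")
    print("system-wide load points:", *summary["system_wide"], sep="\n  ")
```

Feeding it the full logs from this thread highlights the AppInit_DLLs value, the BHO entries, the Run key and the deleted services as the items to explain in any follow-up scan, and the searchprotect folder JRT could not delete as the one to check by hand.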



#11 xXToffeeXx, Malware Response Instructor

Posted 02 December 2013 - 11:17 AM

Hi Depthcharge,

 

No, you did perfectly fine. Adwcleaner wasn't frozen, just waiting for action from the user. Please continue with the scans :)

 

When you say:

email went scrablooey (Comcast)

can you expand upon that?

 

xXToffeeXx~


Edited by xXToffeeXx, 02 December 2013 - 11:18 AM.



#12 xXToffeeXx, Malware Response Instructor

Posted 20 December 2013 - 12:13 PM

Hi Depthcharge,

 

How are you getting on with the steps I gave you? 

 

xXToffeeXx~






