
My Desktop Files Just DISAPPEARED, HELP, Did All Possible Solutions


17 replies to this topic

#1 MoRTiZz3

MoRTiZz3

  • Members
  • 15 posts

Posted 18 March 2014 - 02:26 PM

My files randomly disappeared due to possibly malware or registry changes 

 

I did almost all possible solutions..

 

This is the original thread that Boopme was assisting me with, everything is described in the bottom

 

 

When I click Search, I only search the "Shortcuts" which are in the RECENT Folder so that means Physically, the files, folders, and documents DISAPPEARED

 

Pictures speak louder than typed words

https://www.dropbox.com/s/q4deabxj03p56cz/my%20desktop%20post%20apoc.png

https://www.dropbox.com/s/2kpb2ycm2nexloi/users%20app%20data.png?m=

 

How can I recover my Desktop files that used to be here?

 

-------------------------------------------------------------------------------------------------------------------------------------------------------

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 9.0.8112.16533  BrowserJavaVersion: 10.51.2
Run by Cesar at 13:48:21 on 2014-03-11
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3062.1238 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: avast! Antivirus *Enabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\WinArchiver\WAService.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\system32\FsUsbExService.Exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\2-click run\CleanMem v2.4.3 (32-bit)\mini_monitor.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Samsung\Kies\KiesTrayAgent.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\WinArchiver\WAHELPER.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\Simnet\Simple Sticky Notes\ssn.exe
C:\Program Files\ooVoo\ooVoo.exe
C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TechSmith\SnagIt 9\SnagIt32.exe
C:\Users\Cesar\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\system32\igfxsrvc.exe
C:\Users\Cesar\AppData\Local\VNT\vntldr.exe
C:\Windows\System32\Wbem\WmiPrvSE.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\TechSmith\SnagIt 9\TSCHelp.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Program Files\TechSmith\SnagIt 9\SnagPriv.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\TechSmith\SnagIt 9\snagiteditor.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\IObit\Game Booster\gbtray.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Cesar\Desktop\HijackThis.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\System32\Wbem\WmiPrvSE.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
uSearch Bar = Preserve
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
BHO: SnagIt Toolbar Loader: {00C6482D-C502-44C8-8409-FCE54AD9C208} - c:\program files\techsmith\snagit 9\SnagItBHO.dll
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\programdata\realnetworks\realdownloader\browserplugins\ie\rndlbrowserrecordplugin.dll
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: HP Print Clips: {FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7} - c:\program files\hp\smart web printing\hpswp_framework.dll
TB: SnagIt: {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - c:\program files\techsmith\snagit 9\SnagItIEAddin.dll
TB: avast! Online Security: {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - c:\program files\alwil software\avast5\aswWebRepIE.dll
uRun: [Simple Sticky Notes] c:\program files\simnet\simple sticky notes\ssn.exe
uRun: [ooVoo.exe] c:\program files\oovoo\oovoo.exe /minimized
uRun: [Google Update] "c:\users\cesar\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [] c:\program files\samsung\kies\external\firmwareupdate\KiesPDLR.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [HPADVISOR] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autoRun
uRun: [ooVoo] C\ooVoo.exe /minimized
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [OnScreenDisplay] c:\program files\hewlett-packard\hp quicktouch\HPKBDAPP.exe
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\1.0"
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [hpqSRMon] <no file>
dRunOnce: [SpUninstallDeleteDir] rmdir /s /q "\SearchProtect"
StartupFolder: c:\users\cesar\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\cesar\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\cesar\appdata\roaming\micros~1\windows\startm~1\programs\startup\facebo~1.lnk - c:\users\cesar\appdata\local\facebook\messenger\2.1.4814.0\FacebookMessenger.exe
StartupFolder: c:\users\cesar\appdata\roaming\micros~1\windows\startm~1\programs\startup\monito~1.lnk - c:\windows\system32\RunDll32.exe
StartupFolder: c:\users\cesar\appdata\roaming\micros~1\windows\startm~1\programs\startup\monito~2.lnk - c:\windows\system32\RunDll32.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snagit~1.lnk - c:\program files\techsmith\snagit 9\SnagIt32.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{1C11AE53-28A5-4AC7-BA9F-CD4109D7856C} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{9824B7A7-4AFC-4966-9B70-6B2DB56C9FE6} : DHCPNameServer = 192.168.0.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs= c:\progra~1\searchprotect\searchprotect\bin\SPVC32Loader.dll
SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - c:\windows\system32\CbFsMntNtf3.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: Virtual Storage Mount Notification - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - c:\windows\system32\CbFsMntNtf3.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\33.0.1750.146\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\cesar\appdata\roaming\mozilla\firefox\profiles\05xhbq56.default\
FF - prefs.js: browser.search.selectedEngine - Conduit Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3321737&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=4&UP=SP4A3A5C44-8404-480F-9FE0-F0F3ABA3DAE3&SSPV=
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.3.22.5\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlchromebrowserrecordext.dll
FF - plugin: c:\programdata\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlhtml5videoshim.dll
FF - plugin: c:\programdata\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlpepperflashvideoshim.dll
FF - plugin: c:\programdata\realnetworks\realdownloader\browserplugins\npdlplugin.dll
FF - plugin: c:\users\cesar\appdata\local\citrix\plugins\104\npappdetector.dll
FF - plugin: c:\users\cesar\appdata\local\google\update\1.3.22.5\npGoogleUpdate3.dll
FF - plugin: c:\users\cesar\appdata\local\smplugins\npsmlauncher.dll
FF - plugin: c:\users\cesar\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\cesar\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\users\cesar\appdata\roaming\mozilla\plugins\npo1d.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1204144.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_12_0_0_70.dll
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2014-1-5 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [2014-1-5 180248]
R1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [2014-1-5 26136]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-2-4 775952]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-12-30 410784]
R1 cbfs3;cbfs3;c:\windows\system32\drivers\cbfs3.sys [2014-1-21 299144]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-12-30 67824]
R3 anvsnddrv;AnvSoft Virtual Sound Device;c:\windows\system32\drivers\anvsnddrv.sys [2013-6-29 32896]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2013-4-6 83864]
S3 monectdevices;Monect Hid Device;c:\windows\system32\drivers\monectdevices.sys [2013-12-3 14040]
.
=============== Created Last 30 ================
.
2014-03-11 19:24:45 -------- d-----w- c:\programdata\Package Cache
2014-03-11 18:45:11 -------- d-----w- c:\windows\Migration
2014-03-11 18:34:16 -------- d-----w- c:\users\cesar\appdata\local\APN
2014-03-11 15:07:11 -------- d-----w- c:\programdata\UVK
2014-03-11 14:55:47 -------- d-----w- c:\program files\UVK - Ultra Virus Killer
2014-03-11 09:45:04 -------- d-----w- c:\program files\eSupport.com
2014-03-11 09:37:15 -------- d-----w- c:\users\cesar\appdata\roaming\www.shadowexplorer.com
2014-03-11 09:28:48 -------- d-----w- c:\users\cesar\appdata\roaming\Mythicsoft
2014-03-11 09:27:30 -------- d-----w- c:\program files\Mythicsoft
2014-03-11 09:25:21 7947048 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{3b7c143c-5a2a-4293-99b2-03aaf85f9913}\mpengine.dll
2014-03-11 06:02:33 -------- d-----w- c:\windows\system32\catroot2
2014-03-11 05:42:11 -------- d-----w- c:\windows\system32\wbem\repository
2014-03-11 04:44:07 -------- d-----w- C:\RegBackup
2014-03-11 04:09:59 -------- d-----w- c:\program files\Tweaking.com
2014-03-11 03:21:46 -------- d-----w- c:\users\cesar\appdata\roaming\omnitechsupport
2014-03-11 02:54:42 -------- d-----w- c:\users\cesar\appdata\local\LogMeIn Rescue Applet
2014-03-09 13:22:33 -------- d-----w- c:\users\cesar\appdata\local\{8169C97E-79D5-4643-86B7-574FC1681B8C}
2014-03-09 13:09:07 -------- d-----w- c:\users\cesar\appdata\local\Aiseesoft Studio
2014-03-09 13:06:30 -------- d-----w- c:\programdata\Aiseesoft Studio
2014-03-09 13:06:30 -------- d-----w- c:\program files\Aiseesoft Studio
2014-03-09 11:16:54 -------- d-----w- c:\programdata\APN
2014-03-09 06:22:17 -------- d-----w- c:\users\cesar\appdata\local\ElevatedDiagnostics
2014-03-09 03:55:56 -------- d-----w- c:\users\cesar\appdata\local\{3262B45A-A545-43E1-B36D-94280D51AC5A}
2014-03-05 02:50:25 -------- d-----w- c:\users\cesar\appdata\roaming\MPC-HC
2014-03-05 02:48:20 -------- d-----w- c:\program files\MPC-HC
2014-03-04 07:31:54 -------- d-----w- c:\users\cesar\appdata\local\{B51B8578-3BCB-40B5-8B2C-18E18118E1EF}
2014-03-02 16:20:40 -------- d-----w- c:\users\cesar\appdata\local\assembly
2014-03-02 16:15:45 -------- d-----w- c:\users\cesar\appdata\local\TechSmith
2014-03-02 15:38:43 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2014-03-02 09:28:59 -------- d-----w- c:\users\cesar\appdata\local\SwvUpdater
2014-03-02 09:27:40 -------- d-----w- c:\users\cesar\appdata\local\SearchProtect
2014-02-28 14:28:56 -------- d-----w- c:\users\cesar\appdata\roaming\Thinstall
2014-02-28 14:28:56 -------- d-----w- c:\users\cesar\appdata\local\Thinstall
2014-02-28 13:18:15 -------- d-----w- c:\users\cesar\appdata\local\{FD111726-7C1C-4EF7-A5DF-714A9E724E8E}
2014-02-28 01:17:45 -------- d-----w- c:\users\cesar\appdata\local\{033B78F8-94FD-40F9-AB36-4008B900277E}
2014-02-27 11:33:02 -------- d-----w- c:\users\cesar\appdata\roaming\Oxy
2014-02-27 11:10:19 -------- d-----w- c:\users\cesar\appdata\roaming\EasiestSoft
2014-02-27 10:17:26 -------- d-----w- c:\users\cesar\appdata\roaming\Process Hacker 2
2014-02-27 10:11:30 -------- d-----w- c:\program files\Process Hacker 2
2014-02-27 06:40:16 -------- d-----w- c:\users\cesar\appdata\local\{7C598D63-2739-46DF-A25A-B98CF3791733}
2014-02-26 06:09:56 -------- d-----w- c:\program files\Stellar Phoenix Photo Recovery
2014-02-26 06:06:04 -------- d-----w- c:\users\cesar\appdata\roaming\asoftech
2014-02-26 06:06:03 -------- d-----w- c:\program files\Asoftech
2014-02-26 06:05:42 57344 ----a-w- c:\program files\common files\installshield\professional\runtime\0700\intel32\ctor.dll
2014-02-26 06:05:42 237568 ----a-w- c:\program files\common files\installshield\professional\runtime\0700\intel32\iscript.dll
2014-02-26 06:05:42 151552 ----a-w- c:\program files\common files\installshield\professional\runtime\0700\intel32\iuser.dll
2014-02-26 06:05:41 634880 ----a-w- c:\program files\common files\installshield\professional\runtime\0700\intel32\iKernel.dll
2014-02-26 06:05:41 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\0700\intel32\DotNetInstaller.exe
2014-02-26 06:05:40 270468 ----a-w- c:\program files\common files\installshield\professional\runtime\0700\intel32\Setup.dll
2014-02-26 06:05:40 159876 ----a-w- c:\program files\common files\installshield\professional\runtime\0700\intel32\IGdi.dll
2014-02-24 08:25:27 -------- d-----w- c:\windows\ERUNT
2014-02-24 04:17:31 274432 ----a-w- c:\windows\system32\ssleay32.dll
2014-02-24 04:17:30 81920 ----a-w- c:\windows\eSellerateControl350.dll
2014-02-24 04:17:30 356352 ----a-w- c:\windows\eSellerateEngine.dll
2014-02-24 04:17:30 1122304 ----a-w- c:\windows\system32\libeay32.dll
2014-02-24 04:17:28 -------- d-----w- c:\program files\Get Savin Removal Tool
2014-02-19 06:43:16 -------- d-----w- c:\program files\SecurityXploded
2014-02-18 23:24:28 -------- d-----w- c:\users\cesar\appdata\local\{536780E7-AB7C-4696-815D-ABE25430F5C5}
2014-02-18 09:52:32 -------- d-----w- c:\program files\ZIP RAR ACE Password Recovery
2014-02-18 09:51:10 -------- d-----w- c:\users\cesar\appdata\roaming\ZIP RAR ACE Password Recovery
2014-02-18 06:24:50 -------- d-----w- c:\program files\Intelore
2014-02-18 04:27:46 58264 ----a-w- c:\windows\ExentInfo.exe
2014-02-18 04:27:43 -------- d-----w- c:\program files\Hoopla
2014-02-17 00:42:50 -------- d-----w- c:\users\cesar\appdata\roaming\WM Recorder
2014-02-17 00:42:47 -------- d-----w- c:\users\cesar\appdata\local\WM Recorder
2014-02-17 00:40:31 -------- d-----w- c:\users\cesar\appdata\roaming\WM Capture 7
2014-02-16 23:49:21 -------- d-----w- c:\program files\Weeny Free Video Recorder
2014-02-16 02:30:26 -------- d-----w- c:\users\cesar\appdata\local\{DEE1F4AF-E5F4-456C-B670-AEAFA8AFAB87}
2014-02-16 01:50:11 -------- d-----w- c:\program files\RealNetworks
2014-02-16 01:50:04 -------- d-----w- c:\programdata\RealNetworks
2014-02-16 01:49:32 -------- d-----w- c:\program files\common files\xing shared
2014-02-16 01:49:24 153736 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll
2014-02-16 01:49:18 124504 ----a-w- c:\program files\mozilla firefox\plugins\nprpplugin.dll
2014-02-16 01:21:27 -------- d-----w- c:\programdata\FileLab
2014-02-15 14:29:26 -------- d-----w- c:\users\cesar\appdata\local\{47237C98-6DDC-43AC-BEE0-95AC7FF34AB1}
2014-02-15 02:29:02 -------- d-----w- c:\users\cesar\appdata\local\{616161A8-37CC-4A72-9C84-B7338A4923DD}
2014-02-15 02:29:01 -------- d-----w- c:\users\cesar\appdata\local\{7BAFAC1D-F1D5-4DED-B9F1-59FDDCC55F5A}
2014-02-12 06:51:00 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2014-02-11 21:01:32 1248768 ----a-w- c:\windows\system32\msxml3.dll
2014-02-11 10:02:27 -------- d-----w- c:\users\cesar\appdata\local\{94170537-669F-4656-A218-019010BBCF08}
2014-02-11 09:49:32 -------- d-----w- c:\windows\en
2014-02-11 09:46:35 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2014-02-11 09:43:29 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2014-02-11 09:43:29 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2014-02-11 09:43:28 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2014-02-11 09:41:41 1132448 ----a-w- c:\windows\system32\d3dx9_32.dll
2014-02-11 09:40:26 89944 ----a-w- c:\program files\common files\windows live\.cache\48a0b7001cf270d07\DSETUP.dll
2014-02-11 09:40:26 537432 ----a-w- c:\program files\common files\windows live\.cache\48a0b7001cf270d07\DXSETUP.exe
2014-02-11 09:40:26 1801048 ----a-w- c:\program files\common files\windows live\.cache\48a0b7001cf270d07\dsetup32.dll
2014-02-11 09:40:20 525656 ----a-w- c:\program files\common files\windows live\.cache\412791601cf270d06\DXSETUP.exe
2014-02-11 09:40:19 94040 ----a-w- c:\program files\common files\windows live\.cache\412791601cf270d06\DSETUP.dll
2014-02-11 09:40:19 1691480 ----a-w- c:\program files\common files\windows live\.cache\412791601cf270d06\dsetup32.dll
2014-02-11 09:39:19 -------- d-----w- c:\users\cesar\appdata\local\Windows Live
2014-02-11 09:39:15 -------- d-----w- c:\program files\common files\Windows Live
2014-02-11 08:54:51 -------- d-----w- c:\users\cesar\appdata\local\WMTools Downloaded Files
2014-02-11 08:46:33 -------- d-----w- c:\program files\Movie Maker 2.6
2014-02-11 07:44:25 -------- d-----w- c:\programdata\Movavi Video Suite 12
2014-02-11 07:33:22 -------- d-----w- c:\users\cesar\.fontconfig
2014-02-11 07:31:38 -------- d-----w- c:\users\cesar\appdata\local\Movavi
2014-02-11 07:14:31 -------- d-----w- c:\programdata\Movavi
2014-02-11 07:02:35 -------- d-----w- C:\2-click run
.
==================== Find3M  ====================
.
2014-03-11 20:50:34 104960 ----a-w- C:\kgloqpow.sys
2014-03-11 20:31:48 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-03-11 20:31:47 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-02-18 04:44:18 775952 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2014-02-18 04:44:17 67824 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2014-02-18 04:44:14 43152 ----a-w- c:\windows\avastSS.scr
2014-02-16 01:49:04 499712 ----a-w- c:\windows\system32\msvcp71.dll
2014-02-16 01:49:04 348160 ----a-w- c:\windows\system32\msvcr71.dll
2014-02-05 08:56:17 1806848 ----a-w- c:\windows\system32\jscript9.dll
2014-02-05 08:50:39 1129472 ----a-w- c:\windows\system32\wininet.dll
2014-02-05 08:49:56 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2014-02-05 08:48:40 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2014-02-05 08:48:27 421376 ----a-w- c:\windows\system32\vbscript.dll
2014-01-07 08:09:05 180248 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2014-01-07 08:09:04 49944 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2014-01-07 08:07:28 26136 ----a-w- c:\windows\system32\drivers\aswKbd.sys
2014-01-05 10:35:36 319456 ----a-w- c:\windows\DIFxAPI.dll
2013-12-19 05:10:01 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-12-18 14:13:56 231584 ----a-w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 13:51:40.60 ===============



Edited by MoRTiZz3, 18 March 2014 - 02:43 PM.


#2 MoRTiZz3

MoRTiZz3
  • Topic Starter
  • Members
  • 15 posts

Posted 22 March 2014 - 10:09 PM

Hello please, can anyone help me?



#3 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • Location:USA

Posted 23 March 2014 - 01:56 AM

Hello MoRTiZz3,

 

Your DDS log is fairly clean, only some minor adware remaining it seems. I have a feeling the adware is back due to the System Restore you performed after running some of the cleanup tools. I noticed AdwCleaner deleted some of those items that are present once again. I want to address your concerns though since you asked, but in the meantime, please do not run System Restore again unless asked to do so. :)

 

To answer your question in this picture you linked: https://www.dropbox.com/s/2kpb2ycm2nexloi/users%20app%20data.png

 

All the files here are shortcuts, but not .lnk files. The "Name" you are seeing here is the actual name of the files, or folders that should open if you were to double-click said entry. The Recents folder only shows what files, folders, pictures, movies, documents, etc. have been recently opened. This folder does not have anything to do with which files are still on the system. It is only showing what was launched/executed/opened by the user, you, recently.

 

I'll give you an example as your ESET log reveals what happened to one of the items in the picture.

 

In the case of the "FacebookPassword..."? folder that is seen in the screenshot, ESET has removed a file that was inside of this folder.

 

Excerpt of ESET log:

 

 

C:\Program Files\SecurityXploded\FacebookPasswordDecryptor\FacebookPasswordDecryptor.exe    a variant of Win32/SecurityXploded.A potentially unsafe application    deleted - quarantined

 

So, while the shortcut to the folder still exists (as a recently opened folder), the file(s) inside the FacebookPasswordDecryptor folder may no longer exist (ESET deleted it).

 

This is just an example though. The shortcuts could either be broken or valid. Valid shortcuts will lead you to a location of where the shortcut was pointing to (file path / folder path). Broken shortcuts won't lead you anywhere and typically a message similar to the below will appear prompting you to erase the broken shortcut.

 

Attached File  scmissing.jpg   21.21KB   0 downloads

 

In conclusion though, do not worry too much about the Recent folder. If you would like to tidy up your computer a bit and erase the history of what was recently opened, you can either manually delete all those shortcuts in the folder (by highlighting them and pressing Delete), or install a program to automate the process for you, e.g. CCleaner.

 

Is this making any sense? Do I need to explain further? What questions or concerns do you still have?


Edited by thisisu, 23 March 2014 - 02:11 AM.
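As an added illustration of the distinction thisisu draws above (this script is not part of the thread or of any tool mentioned in it), the following PowerShell snippet resolves every shortcut in the current user's Recent folder and reports which targets still exist. It assumes the default Recent folder location under %APPDATA% on Vista/7 and only reads the shortcuts; it deletes nothing.

```powershell
# Added example: classify the shortcuts in the Recent folder as valid or broken.
# Assumption: the default Vista/7 location of the Recent folder under %APPDATA%.
$recent = Join-Path $env:APPDATA 'Microsoft\Windows\Recent'

# WScript.Shell can read the target path stored inside a .lnk file
$shell = New-Object -ComObject WScript.Shell

$shortcuts = Get-ChildItem -Path $recent -Filter '*.lnk' |
    Where-Object { -not $_.PSIsContainer }

$results = foreach ($lnk in $shortcuts) {
    $target = $shell.CreateShortcut($lnk.FullName).TargetPath

    # A shortcut is "valid" only if the file or folder it points to still exists;
    # an empty or missing target means the item was deleted, moved or is offline.
    $status = $(if ($target -and (Test-Path -LiteralPath $target)) { 'valid' } else { 'broken' })

    New-Object PSObject -Property @{
        Shortcut = $lnk.Name
        Target   = $target
        Status   = $status
        LastUsed = $lnk.LastWriteTime   # when the shortcut itself was last refreshed
    }
}

# Broken entries first: these are the items whose targets no longer exist
$results | Sort-Object Status, LastUsed | Format-Table Status, LastUsed, Shortcut, Target -AutoSize

# Summary counts per status
$results | Group-Object Status | Select-Object Name, Count
```

Run it from a PowerShell prompt as the affected user; targets on a removable drive or network share show as broken while that drive is disconnected, so check those before concluding a file is gone.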


#4 MoRTiZz3

MoRTiZz3
  • Topic Starter
  • Members
  • 15 posts

Posted 24 March 2014 - 10:06 PM

Okay I understand, First of all, I want to thank you for replying and taking the time to understand my problem

 

So I guess that concludes that all of the files that are in RECENT, are just shortcuts 

 

However, I still can't understand how my Files/Documents in my Desktop just suddenly disappeared

 

and if there's still a way of recovering them..



#5 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • Location:USA

Posted 24 March 2014 - 10:12 PM

Okay I understand, First of all, I want to thank you for replying and taking the time to understand my problem

 

So I guess that concludes that all of the files that are in RECENT, are just shortcuts 

 

However, I still can't understand how my Files/Documents in my Desktop just suddenly disappeared

 

and if there's still a way of recovering them..

 

You're welcome. Which files are you referring to that you say are missing? Can you provide me file names of what you are looking for that you say is missing?



#6 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • Location:USA

Posted 24 March 2014 - 10:24 PM

I have a better idea :)

 

 

Download SystemLook from one of the links below and save it to your desktop.
 
 
  • Double-click SystemLook.exe to run it.
  • Copy and Paste the content of the following code box into the main text-field:
:dir
C:\Users\Cesar\Desktop
 
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan and a file entitled SystemLook.txt will be created on your desktop.
  • Attach that file to your next message.
 


#7 MoRTiZz3

MoRTiZz3
  • Topic Starter
  • Members
  • 15 posts

Posted 24 March 2014 - 10:56 PM

Well to be honest, most of the files that I was looking for were in the "RECENT" picture that I showed you but those are only a few of the many Desktop Files that disappeared and really what I was looking for
 
Sure, I'm always open to any of your ideas and I'm willing to hear from you as long as we do to fix this 100% best to fix this problem
 
And please don't judge me regarding of what files you see, or anything you might be assuming.. In fact, I take full care and responsibility of my computer and my activities and this might help us fix the problem too.. As you probably know, I downloaded a file from Pbay of a video editor software, ran the program Crack file, then Files just Disappeared suddenly. I'm an open book so now you know the problem now..
 
Now onward to us fixing this together :)
--------------------------------------------------------------------------------------------------------------------------------------
 
SystemLook 30.07.11 by jpshortstuff
Log created at 20:53 on 24/03/2014 by Cesar
Administrator - Elevation successful
 
========== dir ==========
 
C:\Users\Cesar\Desktop - Parameters: "(none)"
 
---Files---
1958161_1407687239487142_767606756_n.jpg --a---- 21017 bytes [19:44 19/03/2014] [20:33 19/03/2014]
1964867_204578483085939_526647999_n.jpg --a---- 89096 bytes [15:16 09/03/2014] [15:16 09/03/2014]
365 topics to make videos STEP UP.docx --a---- 73663 bytes [05:54 02/03/2014] [05:57 02/03/2014]
ac.exe --a---- 3307651 bytes [15:07 15/03/2014] [15:07 15/03/2014]
AdwCleaner[S2].txt --a---- 3285 bytes [18:46 17/03/2014] [23:53 17/03/2014]
Any Video Converter Ultimate.lnk --a---- 1037 bytes [02:01 16/02/2014] [02:01 16/02/2014]
attach.txt --a---- 6525 bytes [20:52 11/03/2014] [20:52 11/03/2014]
creative-brochure-design_ws_13393249928.jpg --a---- 68688 bytes [00:56 21/03/2014] [00:56 21/03/2014]
dds.txt --a---- 25120 bytes [20:52 11/03/2014] [20:51 11/03/2014]
desktop.ini ---hs-- 282 bytes [18:58 29/12/2011] [18:58 29/12/2011]
ESET log.txt --a---- 13252 bytes [23:42 17/03/2014] [23:42 17/03/2014]
HitLeap Viewer.lnk --a---- 2571 bytes [10:20 14/03/2014] [18:34 23/03/2014]
Home2.PNG --a---- 1549984 bytes [23:10 24/03/2014] [23:10 24/03/2014]
HP Scan.lnk --a---- 1076 bytes [17:56 30/07/2012] [17:56 30/07/2012]
JRT.txt --a---- 2252 bytes [19:05 17/03/2014] [19:05 17/03/2014]
logo5.jpg --a---- 34721 bytes [23:10 24/03/2014] [23:10 24/03/2014]
Michael Ricasio Resume.docx --a---- 15069 bytes [02:35 20/03/2014] [02:35 20/03/2014]
My Video Template.txt --a---- 1114 bytes [20:45 19/03/2014] [01:34 23/03/2014]
Process Hacker 2.lnk --a---- 1793 bytes [10:11 27/02/2014] [10:11 27/02/2014]
Result (Minitoolbox).txt --a---- 26472 bytes [18:09 17/03/2014] [18:10 17/03/2014]
Search.txt --a---- 231 bytes [03:05 23/03/2014] [03:28 23/03/2014]
SysInfo.exe --a---- 509440 bytes [22:09 11/03/2014] [22:09 11/03/2014]
SystemLook.exe --a---- 139264 bytes [03:52 25/03/2014] [03:52 25/03/2014]
SystemLook.txt --a---- 0 bytes [03:53 25/03/2014] [03:53 25/03/2014]
TDSSKiller_xxxx_log.txt --a---- 187093 bytes [18:23 17/03/2014] [18:23 17/03/2014]
The Total Take Over Youtube Assistant.exe - Shortcut.lnk --a---- 1041 bytes [10:52 17/02/2014] [10:52 17/02/2014]
Tor Websites.txt --a---- 45324 bytes [00:09 19/03/2014] [00:09 19/03/2014]
truebots_list_of_emails.txt --a---- 45096 bytes [00:48 19/03/2014] [00:48 19/03/2014]
Windows Live Movie Maker.lnk --a---- 1118 bytes [10:01 11/02/2014] [10:01 11/02/2014]
Youtube Competitor Analysis.exe - Shortcut.lnk --a---- 984 bytes [10:52 17/02/2014] [10:52 17/02/2014]
youtube rank cherkc.txt --a---- 133 bytes [00:21 17/03/2014] [00:21 17/03/2014]
~$5 topics to make videos STEP UP.docx --a---- 162 bytes [02:14 11/03/2014] [02:14 11/03/2014]
 
---Folders---
###ALL OF MY TOOLS d------ [12:35 30/01/2014]
#365 Chronicles Of A New Online Marketer d------ [07:50 04/01/2014]
100 ebooks about make money online d------ [02:43 14/03/2014]
Dropbox dr----- [05:56 05/10/2013]
fb_hacker d------ [08:32 14/03/2014]
FREE VALUE d------ [12:51 08/02/2014]
Google Business Scraper d------ [11:58 30/01/2014]
Habers d------ [20:42 18/03/2014]
lnkfix_vista d------ [09:51 11/03/2014]
Michael Pictures of Me d------ [06:54 02/01/2013]
Microsoft Office 2010 d------ [07:06 06/01/2014]
Primerica Business d------ [07:24 14/11/2012]
Project Neptune v2.0 Cracke3d d------ [18:16 20/03/2014]
ProxyGrabber d------ [21:30 14/03/2014]
Tube Optimizer Wizard.6467 d------ [20:49 24/03/2014]
Winrar Password Remover d------ [08:25 18/02/2014]
WinRAR Password Remover v 2.0 d------ [06:21 18/02/2014]
 
-= EOF =-

Edited by MoRTiZz3, 24 March 2014 - 11:02 PM.
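Working through a listing like the one above by hand is error-prone, so here is an added example (not from this thread and not SystemLook's own code) that parses the ':dir' output format, separates files from folders, and pulls out entries carrying the hidden attribute and entries changed after a given date, since a hidden file is still on disk even though Explorer does not show it. The sample log is constructed in the same format with two invented hidden entries, and the meaning of the attribute letters is an assumption.

```python
"""Parse a SystemLook ':dir' listing and pull out what a "vanished files" case needs.
Added example for this thread, not SystemLook's own code. Assumption: the 7-character
attribute column uses DOS-style flag letters (d=directory, r=read-only, a=archive,
h=hidden, s=system) with '-' for unset."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set

# File line in the log:   name --a---- 21017 bytes [19:44 19/03/2014] [20:33 19/03/2014]
FILE_RE = re.compile(r"^(?P<name>.+?) (?P<attr>[-a-z]{7}) (?P<size>\d+) bytes "
                     r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\]$")
# Folder line in the log: name d------ [12:35 30/01/2014]
FOLDER_RE = re.compile(r"^(?P<name>.+?) (?P<attr>[-a-z]{7}) \[(?P<created>[^\]]+)\]$")
TIME_FMT = "%H:%M %d/%m/%Y"  # SystemLook prints HH:MM DD/MM/YYYY


@dataclass
class Entry:
    name: str
    flags: Set[str]
    size: Optional[int]           # None for folders
    created: datetime
    modified: Optional[datetime]  # None for folders (the log gives them one stamp)

    @property
    def is_dir(self) -> bool:
        return "d" in self.flags

    @property
    def is_hidden(self) -> bool:
        # A hidden entry is still on disk; Explorer just does not show it, and it
        # keeps hiding hidden+system entries even with "show hidden files" enabled.
        return "h" in self.flags


def parse_systemlook_dir(text: str) -> List[Entry]:
    """Return every entry from the ---Files--- and ---Folders--- sections, in log order."""
    entries: List[Entry] = []
    section = None  # nothing is parsed until a section header is seen
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("---Files---", "---Folders---"):
            section = line.strip("-").lower()
            continue
        if line.startswith("-= EOF =-"):
            break
        if section is None or not line:
            continue
        m = (FILE_RE if section == "files" else FOLDER_RE).match(line)
        if m is None:
            continue  # stray header or unparseable line: skip, never guess
        is_file = section == "files"
        entries.append(Entry(
            name=m.group("name"),
            flags={c for c in m.group("attr") if c != "-"},
            size=int(m.group("size")) if is_file else None,
            created=datetime.strptime(m.group("created"), TIME_FMT),
            modified=datetime.strptime(m.group("modified"), TIME_FMT) if is_file else None,
        ))
    return entries


def hidden_entries(entries: List[Entry]) -> List[Entry]:
    """Entries Explorer would not show by default, in log order."""
    return [e for e in entries if e.is_hidden]


def changed_since(entries: List[Entry], when: str) -> List[Entry]:
    """Entries created or modified at/after 'when' (HH:MM DD/MM/YYYY), newest first."""
    cutoff = datetime.strptime(when, TIME_FMT)
    # Folders carry only a creation stamp, so fall back to it where there is no mtime.
    recent = [e for e in entries if (e.modified or e.created) >= cutoff]
    return sorted(recent, key=lambda e: e.modified or e.created, reverse=True)


# Constructed sample in SystemLook's format. 'Old Report.docx' and 'Hidden Backup'
# are invented hidden entries to exercise the check; they are not from the thread.
SAMPLE_LOG = """\
SystemLook 30.07.11 by jpshortstuff
========== dir ==========
C:\\Users\\Cesar\\Desktop - Parameters: "(none)"
---Files---
365 topics to make videos STEP UP.docx --a---- 73663 bytes [05:54 02/03/2014] [05:57 02/03/2014]
desktop.ini ---hs-- 282 bytes [18:58 29/12/2011] [18:58 29/12/2011]
My Video Template.txt --a---- 1114 bytes [20:45 19/03/2014] [01:34 23/03/2014]
Old Report.docx --ah--- 40960 bytes [10:00 05/03/2014] [10:00 05/03/2014]
ac.exe --a---- 3307651 bytes [15:07 15/03/2014] [15:07 15/03/2014]
---Folders---
Dropbox dr----- [05:56 05/10/2013]
lnkfix_vista d------ [09:51 11/03/2014]
Hidden Backup d--h--- [20:15 20/03/2014]
-= EOF =-
"""

if __name__ == "__main__":
    found = parse_systemlook_dir(SAMPLE_LOG)
    print(len(found), "entries; hidden:", [e.name for e in hidden_entries(found)])
    print("changed since 19/03:", [e.name for e in changed_since(found, "00:00 19/03/2014")])
```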


#8 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:11 PM

Posted 24 March 2014 - 11:19 PM

Well, the files and folders you see above are what are currently on your desktop. Let's start checking for malware since that is why we are here.

 

 

Click Start button -> Control Panel -> View by: Small Icons -> Programs and Features

From this list, uninstall the following software:

 

  • Java™ 6 Update 30
  • Java™ 6 Update 2
  • Oovoo Toolbar
  • SavingsBull
  • VideoToolkit01

__

 

 

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

 

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?


#9 MoRTiZz3

MoRTiZz3
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:11 PM

Posted 25 March 2014 - 07:21 PM

Everything is going well, in fact, everything is actually working even before and after the files disappeared

 

But after the Combofix, it still hasn't recovered the files that were in my Desktop

 

Do you think that it truly disappeared? What other last option places can we find it? 

 

------------------------------------------------------------------------------------------------------------------------------------------------------------

 

ComboFix 14-03-24.01 - Cesar 03/25/2014  12:14:30.2.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3062.1654 [GMT -7:00]
Running from: c:\users\Cesar\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Cesar\AppData\Local\assembly\tmp
c:\users\Cesar\AppData\Roaming\dclogs
c:\users\Cesar\AppData\Roaming\dclogs\2014-03-20-5.dc
c:\users\Cesar\AppData\Roaming\dclogs\2014-03-21-6.dc
c:\users\Cesar\AppData\Roaming\dclogs\2014-03-22-7.dc
c:\users\Cesar\AppData\Roaming\dclogs\2014-03-23-1.dc
c:\users\Cesar\AppData\Roaming\dclogs\2014-03-24-2.dc
c:\users\Cesar\AppData\Roaming\dclogs\2014-03-25-3.dc
c:\users\Cesar\AppData\Roaming\FB Auto Marketer.exe
c:\users\Cesar\AppData\Roaming\iexplorer.exe
c:\users\Cesar\AppData\Roaming\Microsoft\Windows\Recent\Facebook_Groups_Auto_Poster.url
c:\users\Cesar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - .lnk
c:\users\Cesar\Documents\~WRL0749.tmp
c:\users\Cesar\Documents\~WRL4043.tmp
c:\windows\system32\KBL.LOG
.
.
(((((((((((((((((((((((((   Files Created from 2014-02-25 to 2014-03-25  )))))))))))))))))))))))))))))))
.
.
2014-03-25 19:35 . 2014-03-25 19:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-03-25 19:24 . 2014-03-25 19:24 62576 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0CC71A16-D4D8-4F91-8E35-4D80A80953A8}\offreg.dll
2014-03-25 18:49 . 2014-03-07 04:35 7969936 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0CC71A16-D4D8-4F91-8E35-4D80A80953A8}\mpengine.dll
2014-03-23 19:33 . 2014-03-25 19:07 -------- d-----w- c:\users\Cesar\AppData\Roaming\Liuliangbao
2014-03-23 02:59 . 2014-03-23 03:33 -------- d-----w- C:\FRST
2014-03-21 12:59 . 2014-03-21 12:59 -------- d-----w- c:\users\Cesar\AppData\Local\Apps
2014-03-21 12:59 . 2014-03-21 12:59 -------- d-----w- c:\users\Cesar\AppData\Local\Deployment
2014-03-20 21:08 . 2014-03-20 21:08 -------- d-----w- c:\users\Cesar\AppData\Local\SkinSoft
2014-03-20 18:31 . 2014-03-20 18:31 -------- d--h--w- c:\windows\PIF
2014-03-20 17:36 . 2014-03-21 01:47 -------- d-----w- c:\users\Cesar\AppData\Local\Neptune
2014-03-19 19:40 . 2014-03-19 19:40 -------- d-----w- c:\users\Cesar\AppData\Roaming\Thinstall
2014-03-19 19:40 . 2014-03-19 19:40 -------- d-----w- c:\users\Cesar\AppData\Local\Thinstall
2014-03-19 13:10 . 2013-02-22 07:17 181784 ----a-w- c:\windows\system32\drivers\ssudmdm.sys
2014-03-19 13:01 . 2013-02-22 07:17 83864 ----a-w- c:\windows\system32\drivers\ssudbus.sys
2014-03-18 20:14 . 2014-03-18 20:15 -------- d-----w- c:\program files\Recuva
2014-03-16 07:50 . 2014-03-16 07:50 -------- d-----w- c:\program files\ElcomSoft
2014-03-15 21:41 . 2014-03-15 21:41 -------- d-----w- c:\users\Cesar\AppData\Local\Logitech® Webcam Software
2014-03-15 21:21 . 2014-03-15 21:21 -------- d-----w- c:\users\Cesar\AppData\Local\xGramBot
2014-03-15 21:14 . 2014-03-15 21:14 -------- d-----w- c:\users\Cesar\AppData\Local\NinjaGram
2014-03-15 21:14 . 2014-03-15 21:22 -------- d-----w- c:\programdata\NinjaGram
2014-03-15 21:14 . 2014-03-15 21:14 -------- d-----w- c:\programdata\Gibraltar
2014-03-15 20:51 . 2014-03-15 20:51 -------- d-----w- c:\users\Cesar\AppData\Local\Skype
2014-03-15 20:51 . 2014-03-15 20:51 -------- d-----w- c:\program files\Common Files\Skype
2014-03-15 19:06 . 2014-03-15 19:06 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2014-03-15 18:51 . 2014-03-15 18:51 -------- d-----w- c:\programdata\LogiShrd
2014-03-15 18:50 . 2014-03-16 10:20 -------- d-----w- c:\users\Cesar\AppData\Local\LogiShrd
2014-03-15 14:35 . 2014-03-15 14:35 -------- d-----w- c:\users\Cesar\AppData\Roaming\Leadertech
2014-03-15 14:35 . 2014-03-15 14:35 53248 ----a-r- c:\users\Cesar\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2014-03-15 14:32 . 2014-03-15 14:32 -------- d-----w- c:\programdata\Logitech
2014-03-15 14:32 . 2014-03-15 14:32 -------- d-----w- c:\program files\Common Files\LWS
2014-03-15 14:31 . 2014-03-16 10:20 -------- d-----w- c:\program files\Logitech
2014-03-15 14:31 . 2014-03-15 20:25 -------- d-----w- c:\program files\Common Files\LogiShrd
2014-03-14 14:57 . 2014-03-14 14:57 -------- d-----w- c:\users\Cesar\AppData\Local\Email_Account_Creator_Ext
2014-03-14 10:19 . 2014-03-14 10:19 -------- d-----w- c:\program files\HitLeap
2014-03-13 01:24 . 2014-02-07 10:38 2050560 ----a-w- c:\windows\system32\win32k.sys
2014-03-13 01:24 . 2014-02-03 10:37 505344 ----a-w- c:\windows\system32\qedit.dll
2014-03-13 01:24 . 2014-01-30 07:46 876032 ----a-w- c:\windows\system32\wer.dll
2014-03-13 01:24 . 2013-11-13 00:30 2048 ----a-w- c:\windows\system32\tzres.dll
2014-03-12 08:02 . 2014-03-12 08:08 -------- d-----w- c:\users\Cesar\AppData\Roaming\File Property Edit
2014-03-11 20:50 . 2014-03-11 20:50 104960 ----a-w- C:\kgloqpow.sys
2014-03-11 19:24 . 2014-03-11 19:24 -------- d-----w- c:\programdata\Package Cache
2014-03-11 18:45 . 2014-03-11 18:45 -------- d-----w- c:\windows\Migration
2014-03-11 15:07 . 2014-03-11 17:28 -------- d-----w- c:\programdata\UVK
2014-03-11 14:55 . 2014-03-23 02:40 -------- d-----w- c:\program files\UVK - Ultra Virus Killer
2014-03-11 09:37 . 2014-03-11 09:37 -------- d-----w- c:\users\Cesar\AppData\Roaming\www.shadowexplorer.com
2014-03-11 09:28 . 2014-03-11 09:28 -------- d-----w- c:\users\Cesar\AppData\Roaming\Mythicsoft
2014-03-11 09:27 . 2014-03-11 09:27 -------- d-----w- c:\program files\Mythicsoft
2014-03-11 06:02 . 2014-03-21 21:05 -------- d-----w- c:\windows\system32\catroot2
2014-03-11 05:42 . 2014-03-25 19:38 -------- d-----w- c:\windows\system32\wbem\repository
2014-03-11 04:57 . 2014-03-11 06:05 181064 ----a-w- c:\windows\PSEXESVC.EXE
2014-03-11 04:44 . 2014-03-11 04:44 -------- d-----w- C:\RegBackup
2014-03-11 04:09 . 2014-03-11 04:09 -------- d-----w- c:\program files\Tweaking.com
2014-03-11 03:21 . 2014-03-11 06:57 -------- d-----w- c:\users\Cesar\AppData\Roaming\omnitechsupport
2014-03-11 02:54 . 2014-03-11 04:07 -------- d-----w- c:\users\Cesar\AppData\Local\LogMeIn Rescue Applet
2014-03-09 13:09 . 2014-03-09 13:09 -------- d-----w- c:\users\Cesar\AppData\Local\Aiseesoft Studio
2014-03-09 13:06 . 2014-03-09 13:06 -------- d-----w- c:\programdata\Aiseesoft Studio
2014-03-09 13:06 . 2014-03-09 13:06 -------- d-----w- c:\program files\Aiseesoft Studio
2014-03-09 06:22 . 2014-03-09 06:22 -------- d-----w- c:\users\Cesar\AppData\Local\ElevatedDiagnostics
2014-03-05 02:50 . 2014-03-05 02:50 -------- d-----w- c:\users\Cesar\AppData\Roaming\MPC-HC
2014-03-05 02:48 . 2014-03-12 10:54 -------- d-----w- c:\program files\MPC-HC
2014-03-02 16:39 . 2014-03-02 16:39 -------- d-----w- c:\program files\TechSmith
2014-03-02 16:20 . 2014-03-25 19:33 -------- d-----w- c:\users\Cesar\AppData\Local\assembly
2014-03-02 16:15 . 2014-03-02 16:40 -------- d-----w- c:\programdata\TechSmith
2014-03-02 16:15 . 2014-03-02 16:15 -------- d-----w- c:\users\Cesar\AppData\Local\TechSmith
2014-03-02 15:38 . 2014-03-09 12:24 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2014-02-27 11:10 . 2014-02-27 11:10 -------- d-----w- c:\users\Cesar\AppData\Roaming\EasiestSoft
2014-02-27 10:17 . 2014-02-27 10:17 -------- d-----w- c:\users\Cesar\AppData\Roaming\Process Hacker 2
2014-02-27 10:11 . 2014-02-27 10:11 -------- d-----w- c:\program files\Process Hacker 2
2014-02-26 06:09 . 2014-02-26 06:10 -------- d-----w- c:\program files\Stellar Phoenix Photo Recovery
2014-02-26 06:06 . 2014-02-26 06:06 -------- d-----w- c:\users\Cesar\AppData\Roaming\asoftech
2014-02-26 06:06 . 2014-02-26 06:06 -------- d-----w- c:\program files\Asoftech
2014-02-26 06:05 . 2002-08-05 18:46 57344 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0700\Intel32\ctor.dll
2014-02-26 06:05 . 2002-08-02 10:20 237568 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0700\Intel32\iscript.dll
2014-02-26 06:05 . 2002-08-02 10:20 151552 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0700\Intel32\iuser.dll
2014-02-26 06:05 . 2002-08-02 11:10 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0700\Intel32\DotNetInstaller.exe
2014-02-26 06:05 . 2002-08-02 10:20 634880 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0700\Intel32\iKernel.dll
2014-02-26 06:05 . 2014-02-26 06:05 270468 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0700\Intel32\Setup.dll
2014-02-26 06:05 . 2014-02-26 06:05 159876 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0700\Intel32\IGdi.dll
2014-02-24 08:25 . 2014-02-24 08:25 -------- d-----w- c:\windows\ERUNT
2014-02-24 04:17 . 2013-11-05 22:38 274432 ----a-w- c:\windows\system32\ssleay32.dll
2014-02-24 04:17 . 2013-11-05 22:38 1122304 ----a-w- c:\windows\system32\libeay32.dll
2014-02-24 04:17 . 2012-12-10 19:04 81920 ----a-w- c:\windows\eSellerateControl350.dll
2014-02-24 04:17 . 2012-12-10 19:04 356352 ----a-w- c:\windows\eSellerateEngine.dll
2014-02-24 04:17 . 2014-02-26 21:40 -------- d-----w- c:\program files\Get Savin Removal Tool
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-11 20:31 . 2012-04-09 04:48 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-03-11 20:31 . 2012-02-03 08:47 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-02-18 04:44 . 2012-02-05 00:08 775952 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2014-02-18 04:44 . 2011-12-30 22:28 57672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2014-02-18 04:44 . 2011-12-30 22:28 410784 ----a-w- c:\windows\system32\drivers\aswSP.sys
2014-02-18 04:44 . 2011-12-30 22:28 67824 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2014-02-18 04:44 . 2011-12-30 22:28 54832 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2014-02-18 04:44 . 2011-12-30 22:27 43152 ----a-w- c:\windows\avastSS.scr
2014-02-18 04:44 . 2011-12-30 22:27 270240 ----a-w- c:\windows\system32\aswBoot.exe
2014-02-16 01:49 . 2003-03-19 01:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2014-02-16 01:49 . 2003-02-21 09:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2014-02-11 09:44 . 2011-03-29 02:36 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2014-01-07 08:09 . 2014-01-06 06:53 180248 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2014-01-07 08:09 . 2014-01-06 06:53 49944 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2014-01-07 08:07 . 2014-01-06 06:53 26136 ----a-w- c:\windows\system32\drivers\aswKbd.sys
2014-01-05 10:35 . 2008-04-21 21:08 319456 ----a-w- c:\windows\DIFxAPI.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-02-18 04:44 259464 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 131248 ----a-w- c:\users\Cesar\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 131248 ----a-w- c:\users\Cesar\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 131248 ----a-w- c:\users\Cesar\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 131248 ----a-w- c:\users\Cesar\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
@="{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}"
[HKEY_CLASSES_ROOT\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}]
2012-11-10 18:55 158056 ----a-w- c:\windows\System32\CbFsMntNtf3.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"???"="c:\users\Cesar\AppData\Roaming\Liuliangbao\Á÷Á¿°æ.exe" [?]
"Simple Sticky Notes"="c:\program files\Simnet\Simple Sticky Notes\ssn.exe" [2014-02-12 565616]
"ooVoo.exe"="c:\program files\ooVoo\oovoo.exe" [2013-12-19 36125760]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Á÷Á¿±¦"="c:\users\Cesar\AppData\Roaming\Liuliangbao\Á÷Á¿°æ.exe" [2013-10-09 1064472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-10-14 2299176]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2009-10-26 1458176]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-29 7625248]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-10-24 178712]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-12-20 468264]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 218408]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"KiesTrayAgent"="c:\program files\Samsung\Kies\KiesTrayAgent.exe" [2013-03-28 310640]
"DivXMediaServer"="c:\program files\DivX\DivX Media Server\DivXMediaServer.exe" [2013-01-30 450560]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2013-02-13 1263952]
"WAHELPER.EXE"="c:\program files\WinArchiver\WAHELPER.EXE" [2013-06-18 480792]
"AvastUI.exe"="c:\program files\Alwil Software\Avast5\AvastUI.exe" [2014-02-18 3767096]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2014-02-16 295512]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-11-11 205336]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SpUninstallDeleteDir"="rmdir" [X]
.
c:\users\Cesar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Cesar\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2014-1-2 30714328]
Logitech . Product Registration.lnk - c:\program files\Logitech\Ereg\eReg.exe /remind /language=ENU /_WFM="." [2009-11-16 517384]
Monitor Ink Alerts - HP Officejet 4620 series.lnk - c:\windows\system32\RunDll32.exe "c:\program files\HP\HP Officejet 4620 series\bin\HPStatusBL.dll",RunDLLEntry SERIALNUMBER=CN23T120Y705RT;CONNECTION=USB;MONITOR=1; [2006-11-2 44544]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
SnagIt 9.lnk - c:\program files\TechSmith\SnagIt 9\SnagIt32.exe [2008-9-22 6825288]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2830448384-1970843543-2416241607-1000]
"EnableNotificationsRef"=dword:00000003
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - FSUSBEXDISK
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ   FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-24 01:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-03-15 14:39 1150280 ----a-w- c:\program files\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 20:31]
.
2014-03-25 c:\windows\Tasks\G2MUpdateTask-S-1-5-21-2830448384-1970843543-2416241607-1000.job
- c:\program files\Citrix\GoToMeeting\1350\g2mupdate.exe [2014-03-23 23:51]
.
2014-03-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-10-27 16:14]
.
2014-03-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-10-27 16:14]
.
2014-03-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2830448384-1970843543-2416241607-1000Core.job
- c:\users\Cesar\AppData\Local\Google\Update\GoogleUpdate.exe [2014-01-18 02:04]
.
2014-03-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2830448384-1970843543-2416241607-1000UA.job
- c:\users\Cesar\AppData\Local\Google\Update\GoogleUpdate.exe [2014-01-18 02:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Cesar\AppData\Roaming\Mozilla\Firefox\Profiles\xhngpfe8.default-1394794244215\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKCU-Run-ooVoo - C\ooVoo.exe
HKLM-Run-hpqSRMon - (no file)
c:\users\Cesar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Facebook Messenger.lnk - c:\users\Cesar\AppData\Local\Facebook\Messenger\2.1.4814.0\FacebookMessenger.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-eSupport UndeletePlus_is1 - c:\program files\eSupport.com\eSupport UndeletePlus\unins000.exe
AddRemove-01_Simmental - c:\program files\Samsung\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\Samsung\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-05_Sloan - c:\program files\Samsung\USB Drivers\05_Sloan\Uninstall.exe
AddRemove-06_Spencer - c:\program files\Samsung\USB Drivers\06_Spencer\Uninstall.exe
AddRemove-07_Schorl - c:\program files\Samsung\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-08_EMPChipset - c:\program files\Samsung\USB Drivers\08_EMPChipset\Uninstall.exe
AddRemove-09_Hsp - c:\program files\Samsung\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\Samsung\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-17_EMP_Chipset2 - c:\program files\Samsung\USB Drivers\17_EMP_Chipset2\Uninstall.exe
AddRemove-18_Zinia_Serial_Driver - c:\program files\Samsung\USB Drivers\18_Zinia_Serial_Driver\Uninstall.exe
AddRemove-19_VIA_driver - c:\program files\Samsung\USB Drivers\19_VIA_driver\Uninstall.exe
AddRemove-20_NXP_Driver - c:\program files\Samsung\USB Drivers\20_NXP_Driver\Uninstall.exe
AddRemove-22_WiBro_WiMAX - c:\program files\Samsung\USB Drivers\22_WiBro_WiMAX\Uninstall.exe
AddRemove-24_flashusbdriver - c:\program files\Samsung\USB Drivers\24_flashusbdriver\Uninstall.exe
AddRemove-25_escape - c:\program files\Samsung\USB Drivers\25_escape\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-03-25 13:02
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
.
C:\avast! sandbox
c:\users\Cesar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Facebook Messenger.lnk 1105 bytes
c:\users\Cesar\AppData\Roaming\LiuliangbaoEx\Temporary Internet Files\Content.IE5\36L7GOQM\m[1].htm
c:\users\Cesar\AppData\Roaming\LiuliangbaoEx\Temporary Internet Files\Content.IE5\QLCPI357\0014412754[1].htm
.
scan completed successfully
hidden files: 4
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5080)
c:\windows\system32\CbFsMntNtf3.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WinArchiver\WAService.exe
c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehsched.exe
c:\windows\system32\FsUsbExService.Exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\locator.exe
c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe
c:\program files\TeamViewer\Version8\TeamViewer_Service.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPSched.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\2-click run\CleanMem v2.4.3 (32-bit)\mini_monitor.exe
c:\windows\system32\igfxsrvc.exe
c:\users\Cesar\AppData\Roaming\Dropbox\bin\Dropbox.exe
c:\windows\system32\RunDll32.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\TechSmith\SnagIt 9\TSCHelp.exe
c:\program files\TechSmith\SnagIt 9\SnagPriv.exe
c:\program files\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
c:\program files\TechSmith\SnagIt 9\snagiteditor.exe
c:\users\Cesar\AppData\Roaming\Liuliangbao\liuliangbao.exe
c:\users\Cesar\AppData\Roaming\Liuliangbao\liuliangbao.exe
c:\users\Cesar\AppData\Roaming\Liuliangbao\liuliangbao.exe
c:\users\Cesar\AppData\Roaming\Liuliangbao\liuliangbao.exe
c:\users\Cesar\AppData\Roaming\Liuliangbao\liuliangbao.exe
.
**************************************************************************
.
Completion time: 2014-03-25  13:09:49 - machine was rebooted
ComboFix-quarantined-files.txt  2014-03-25 20:09
.
Pre-Run: 47,811,604,480 bytes free
Post-Run: 47,858,720,768 bytes free
.
- - End Of File - - 944CAF3A1C033FCF0CDBA38245F64694
1A1A06F62E891045814007163C1C76C3


#10 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:11 PM

Posted 26 March 2014 - 01:09 AM

Do you think that it truly disappeared? What other last option places can we find it? 

 

 

Files don't just disappear. They were either removed or moved some place else. I'll try to help you find them. We should continue to remove malware though.

 

I assume you still have ComboFix on your system. If not, please download Combofix from one of the following locations:

Please open Notepad (Through Start Menu -> Accessories -> Notepad) and copy/paste this code into notepad, exactly as it is: (DON'T include the 'Quote:')
 
 

KillAll::

Folder::
C:\Users\Cesar\appdata\local\{033B78F8-94FD-40F9-AB36-4008B900277E}
C:\Users\Cesar\appdata\local\{3262B45A-A545-43E1-B36D-94280D51AC5A}
C:\Users\Cesar\appdata\local\{47237C98-6DDC-43AC-BEE0-95AC7FF34AB1}
C:\Users\Cesar\appdata\local\{536780E7-AB7C-4696-815D-ABE25430F5C5}
C:\Users\Cesar\appdata\local\{616161A8-37CC-4A72-9C84-B7338A4923DD}
C:\Users\Cesar\appdata\local\{7BAFAC1D-F1D5-4DED-B9F1-59FDDCC55F5A}
C:\Users\Cesar\appdata\local\{7C598D63-2739-46DF-A25A-B98CF3791733}
C:\Users\Cesar\appdata\local\{8169C97E-79D5-4643-86B7-574FC1681B8C}
C:\Users\Cesar\appdata\local\{94170537-669F-4656-A218-019010BBCF08}
C:\Users\Cesar\appdata\local\{B51B8578-3BCB-40B5-8B2C-18E18118E1EF}
C:\Users\Cesar\appdata\local\{DEE1F4AF-E5F4-456C-B670-AEAFA8AFAB87}
C:\Users\Cesar\appdata\local\{FD111726-7C1C-4EF7-A5DF-714A9E724E8E}
C:\ProgramData\apn
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eSupport.com
C:\Program Files\eSupport.com
C:\Windows\Installer\{6DDE8071-E4BA-461B-8A96-990DFAA0EBD1}
C:\Users\Cesar\AppData\Local\apn
C:\Users\Cesar\AppData\Local\SwvUpdater
C:\Users\Cesar\AppData\Roaming\Oxy
c:\users\cesar\appdata\roaming\Thinstall
c:\users\cesar\appdata\local\Thinstall
c:\users\cesar\appdata\local\SearchProtect
c:\users\cesar\appdata\local\SwvUpdater
c:\program files\Get Savin Removal Tool
c:\users\Cesar\AppData\Roaming\Liuliangbao

File::
C:\Users\Cesar\AppData\Roaming\Mozilla\Firefox\Profiles\xhngpfe8.default-1394794244215\searchplugins\conduit-search.xml
C:\kgloqpow.sys

NoMBR::

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\BHO.DLL]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}]
[-HKEY_CURRENT_USER\Software\Escolade]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DDE8071-E4BA-461B-8A96-990DFAA0EBD1}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{99C91FC5-DB5B-4AA0-BB70-5D89C5A4DF96}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\MyPC Backup]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SearchProtect]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AD04033484A18CA4CAB3EE59D39D756E]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\1708EDD6AB4EB164A86999D0AF0ABE1D]
[-HKEY_LOCAL_MACHINE\Software\Classes\Installer\Features\1708EDD6AB4EB164A86999D0AF0ABE1D]
[-HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\1708EDD6AB4EB164A86999D0AF0ABE1D]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SpUninstallDeleteDir"=-

DirLook::
c:\users\cesar\appdata\local\TechSmith
c:\users\Cesar\AppData\Local\Neptune

FileLook::
c:\windows\system32\CbFsMntNtf3.dll

ClearJavaCache::

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

Make sure your Anti-Virus is disabled while we do this. You can disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, please read this.

[Screenshot: CFScriptB-4.gif]

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When the scan finishes, it will execute the script and reboot your computer automatically. Don't reboot your computer manually, let ComboFix do it.

Once your computer is rebooted, ComboFix will start preparing a log. Please let it do so unhindered. After a few minutes, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
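To check after the reboot that the script's deletion targets are really gone, here is an added PowerShell example (not from the thread and not part of ComboFix) that parses the Folder::, File:: and Registry:: sections of the CFScript.txt saved above and reports anything still present. The script's location on the desktop and the hive-to-drive mapping are assumptions.

```powershell
# Added example, not from the thread: parse CFScript.txt and report which deletion
# targets still exist. Script path (saved to the desktop as instructed) is an assumption.
$scriptPath = "$env:USERPROFILE\Desktop\CFScript.txt"
# CFScript writes hive names in full; map them to PowerShell provider paths (assumed mapping).
$hiveMap = @{
    'HKEY_LOCAL_MACHINE' = 'HKLM:'
    'HKEY_CURRENT_USER'  = 'HKCU:'
    'HKEY_USERS'         = 'Registry::HKEY_USERS'   # no HKU: drive exists by default
}
$section = $null      # current "Name::" directive
$lastKey = $null      # last registry key seen, for "name"=- value deletions
$targets = @()
foreach ($raw in Get-Content -LiteralPath $scriptPath) {
    $line = $raw.Trim()
    if ($line -eq '') { continue }
    if ($line -match '^(\w+)::$') { $section = $Matches[1]; continue }
    switch ($section) {
        'Folder' { $targets += [pscustomobject]@{ Kind = 'Folder'; Path = $line; Value = $null } }
        'File'   { $targets += [pscustomobject]@{ Kind = 'File';   Path = $line; Value = $null } }
        'Registry' {
            # "[-KEY]" deletes the whole key; "[KEY]" followed by "name"=- deletes one value under it.
            if ($line -match '^\[(-?)(HKEY_[A-Z_]+)\\(.+)\]$') {
                $lastKey = "$($hiveMap[$Matches[2]])\$($Matches[3])"
                if ($Matches[1] -eq '-') {
                    $targets += [pscustomobject]@{ Kind = 'RegKey'; Path = $lastKey; Value = $null }
                }
            } elseif ($line -match '^"(.+)"=-$' -and $lastKey) {
                $targets += [pscustomobject]@{ Kind = 'RegValue'; Path = $lastKey; Value = $Matches[1] }
            }
        }
        # DirLook:: and FileLook:: only inspect; they delete nothing, so they are not checked.
    }
}
$remaining = foreach ($t in $targets) {
    $exists = if ($t.Kind -eq 'RegValue') {
        $null -ne (Get-ItemProperty -LiteralPath $t.Path -Name $t.Value -ErrorAction SilentlyContinue)
    } else {
        Test-Path -LiteralPath $t.Path
    }
    if ($exists) { $t }
}
if ($remaining) {
    "Targets still present after the ComboFix run:"
    $remaining | Format-Table -AutoSize
} else {
    "All $($targets.Count) deletion targets in $scriptPath are gone."
}
```

Run it from an elevated PowerShell prompt, since several targets live under HKEY_LOCAL_MACHINE and C:\Windows\Installer.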



#11 MoRTiZz3

MoRTiZz3
  • Topic Starter

  • Members
  • 15 posts
  • Gender:Male
  • Local time:01:11 PM

Posted 26 March 2014 - 07:18 PM

Hello, here's the ComboFix log

Desktop is still the same


Edited by MoRTiZz3, 26 March 2014 - 10:06 PM.


#12 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • Gender:Male
  • Location:USA
  • Local time:03:11 PM

Posted 27 March 2014 - 12:14 AM

Please download Farbar Recovery Scan Tool and save it to your Desktop.

  • Start FRST with administrator privileges.
  • Make sure the option Addition.txt is checked and press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
  • Please copy and paste these logs in your next reply.


#13 MoRTiZz3

MoRTiZz3
  • Topic Starter

  • Members
  • 15 posts
  • Gender:Male
  • Local time:01:11 PM

Posted 29 March 2014 - 07:15 PM

It says the version of this file is not compatible, check if your system accepts it

Even though mine is Windows Vista



#14 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • Gender:Male
  • Location:USA
  • Local time:03:11 PM

Posted 29 March 2014 - 09:04 PM

Try this one: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/



#15 MoRTiZz3

MoRTiZz3
  • Topic Starter

  • Members
  • 15 posts
  • Gender:Male
  • Local time:01:11 PM

Posted 01 April 2014 - 10:14 AM

I tried that tool as well

And it didn't work in finding the files that were lost

I did almost all possible solutions

Are my files truly gone?



