Windows Recovery Virus

JHM

banned
A lady friend of mine has gotten her computer infected with this virus, and it is the most vicious virus that I have thus far encountered.

I started by trying to run F-Secure on her machine, despite being warned about once a minute that her HDDs were failing, her RAM was being used to capacity, etc. The result was that after a while a rapid series of false warning messages showed up on her screen, and the virus shut the computer down.

I then removed the HDD from her computer, took it home with me, and installed it in the secondary master hotswap tray on my own machine. I ran Malwarebytes Anti-Malware, and it found 14 viruses on her machine. I deleted them, and then ran F-Secure, which found 3 more, including one which was buried in a cab file in a Sun Java package. I deleted these, then reran both Malwarebytes and F-Secure, which declared her machine clean.

I then returned her HDD to her and reinstalled it for her, and she said it worked well for a day; then she went back to "The Poker Room" (a card playing site), played for a while, then went to bed. The next day the Windows Recovery Virus was back.

I again took her HDD home with me, installed it in my hot swap tray, and ran both Malwarebytes and F-Secure on it. This time Malwarebytes found 4 viruses, and F-Secure found 2 other ones. I deleted all 6, then went to her house and picked up her computer, so I could reinstall her HDD and then check her F-Secure settings.

Imagine my surprise when I booted her machine, and immediately found that "Windows Recovery" was still there!!

In addition to giving a host of false alerts pertaining to various system components, this virus also:

1) Blocks usage of most programs
2) Converts large numbers of both software files and user files into invisible system files.
3) Has the capacity to reinstall itself after deletion.

Any assistance appreciated.
 

johnb35

Administrator
Staff member
I'm at work right now but will at least give you something to run until I get home in a little over an hour. You may have to boot to safe mode to run this. Also it may help to run the rkill program; the link for it is in the sticky in the security section titled "please read before posting".

Download and Run ComboFix
If you already have ComboFix, please delete this copy and download it again, as it's being updated regularly.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes including the reboot if malware is detected.


In your next reply please post:
  • The ComboFix log
  • A fresh HiJackThis log
  • An update on how your computer is running
 

TryingToProve

New Member
That is exactly what happened to MY computer and John from this helped me and fixed it. I went to the poker site on Facebook. I have not been back since.
 

JHM

banned
Less simple than that. This virus has wiped all the programs off her start menu, wiped all the shortcut icons off her desktop, and attempts to install Malwarebytes have thus far failed, though admittedly they were made without "rkill" or "combofix". Problem is I can't get the internet to come up from her boot drive. I have to install her drive as a secondary on my machine, then download files to it, then try to install them with the drive on her machine. No fun. Worse, I have to go to bed now to get up for work at 6:00 AM tomorrow. Also tried to download all three different versions of "rkill" onto my machine, unsuccessfully. I get some sort of popup blocker saying for my safety they have blocked it; click on yellow at top for options; do that, and get 3 choices; choose download file, and get a blank page. Bedtime for Bonzo, try again tomorrow.
 

johnb35

Administrator
Staff member
Do you have a USB flash drive handy? You can download ComboFix from your computer and transfer it to the flash drive. Take the flash drive to the infected computer and transfer ComboFix from the flash drive to the desktop and run it from there. Booting to safe mode on the infected machine should help as well.
 

JHM

banned
K, final for the night. While I was typing my last message on my machine, Malwarebytes came to life on hers (without ComboFix). It is now loaded and running, and has detected 4 more viruses so far, in addition to one more found by F-Secure (already deleted that one), and three others I found by searching in "All Users" "Application Data" and was unable to delete because of "NOT AUTHORIZED", until I stuck my ERD Commander disk (a stripped down version of XP that runs from a CD) in the CD drive and used it to delete them. Right now "Windows Recovery" is not running, but I am sure there is still a fair bit of CRAP to be cleaned up, and the issue of how to restore files that have been converted to "Invisible System Files". I MUST go to bed; gonna leave Malwarebytes running checking her whole machine (14 partitions) overnight.

Edit:

1) No flash drive, don't own one.
2) Overnight Malwarebytes found 28 more viruses. Will post log when I get home from work tonight (with photo of found viruses window).
 

TheBishop

New Member
Windows Recovery

Windows Recovery is a program to force you to buy their fix. If you buy the fix your computer will be fine, as they say.

With these records, why doesn't the law go after the creators of the so-called virus?
They have a web site; Windows-Recovery/Secure so you can pay for your protection.

It's like the Mafia selling you protection from the bad guys.
 

JHM

banned
I suppose it is because the police themselves are a bunch of crooks, at least they are here in Ontario. Ever since the Provincial Government gave the municipalities "Fine Revenue", the municipalities have been playing games with the law, designing laws intended to be broken, so they can collect revenue. E.g. here in Toronto they have the traffic lights synchronized ABOVE the speed limit. What does that accomplish?
1) Traffic jams, because if you do the speed limit you get every light red.
2) Pollution, for the same reason.
3) Accidents, because in many cases the lights are timed in such a manner that if you were the first vehicle at the previous light, and when it turned green promptly accelerated up to the limit, trying to make the next one green, you will find it turns red right in your face, and you have to brake hard to stop.
4) But since if you "Speed" the right amount, you get every light green, it encourages "Speeding", therefore enabling the "Oink Oink Sieg Heil, driver's licence, ownership, and insurance please" set to fulfil their quotas.
 

JHM

banned
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6509

Windows 5.1.2600 Service Pack 1
Internet Explorer 6.0.2800.1106

05/05/2011 5:37:11 AM
mbam-log-2011-05-05 (05-37-11).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|L:\|M:\|N:\|O:\|)
Objects scanned: 207628
Time elapsed: 1 hour(s), 47 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 2
Registry Data Items Infected: 4
Folders Infected: 8
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\FunWebProductsInstaller.Start.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\FunWebProductsInstaller.Start (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RTHDBPL (Trojan.Agent) -> Value: RTHDBPL -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ldMFchcXrFP (Rogue.Agent.SA) -> Value: ldMFchcXrFP -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\user\start menu\Programs\windows recovery (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\documents and settings\user\application data\systemproc (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\funwebproducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\funwebproducts\Installr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\funwebproducts\Installr\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d} (Worm.Prolaco.M) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\chrome (Worm.Prolaco.M) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\chrome\content (Worm.Prolaco.M) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\user\start menu\Programs\windows recovery\uninstall windows recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\documents and settings\user\start menu\Programs\windows recovery\windows recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\documents and settings\user\application data\systemproc\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\funwebproducts\Installr\1.bin\F3PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\funwebproducts\Installr\1.bin\NPFUNWEB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\chrome.manifest (Worm.Prolaco.M) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\install.rdf (Worm.Prolaco.M) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\chrome\content\timer.xul (Worm.Prolaco.M) -> Quarantined and deleted successfully.

Here are photos of some of the virus found screens since this problem arose. Note: there have been about 10 or 12 others not included in the photos. Note also: after finding 28 viruses by running overnight while I was sleeping, Malwarebytes found another one running while I was at work today.

Attachments: viruses.png, viruses2.png, virus0102.png, virus03.png
 

JHM

banned
So, since it had found 1 more, I decided to run it yet again to see if it might find others. Well, Malwarebytes didn't find any, BUT while it was checking files, F-Secure suddenly came to life (it examines files in use) and announced it had found another virus.

Attachment: virus006.png
 

johnb35

Administrator
Staff member
Can you burn files to a CD and then transfer them to the infected computer? If so, then download ComboFix and burn the file to a CD, copy the file to the desktop on the infected computer, then run it. Do the same thing for HijackThis. If you can't burn files to a CD then put the infected drive in your system and place these files on that hard drive, put the drive back in the original system and run them.

What browser is used on the infected computer? Is it Internet Explorer? Most likely the malware has enabled a proxy, not allowing internet access. To check this, open Internet Options in Control Panel and click on the Connections tab, then click on the LAN Settings button toward the bottom, then make sure that the boxes under Proxy server are unchecked. If they are checked then uncheck them and it should restore the internet.
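An added, read-only triage script (mine, not from JHM or johnb35) that checks in one pass what this thread checks by hand: the Policies and Run values the Malwarebytes log above flagged (DisableTaskMgr, NoChangingWallPaper, StartMenuLogoff, NOHIDORSYS, Policies\Explorer\Run), the forced-proxy setting johnb35 describes for the lost internet access, and any profile files carrying Hidden+System, which is the "invisible system files" symptom from the first post. It assumes PowerShell 3.0 or later run as an administrator; the -ProfileRoot parameter, the Get-PolicyFinding helper and the excluded filename patterns are my own choices.

```powershell
# Added triage script (not from the thread). Reports only; it changes nothing.
# Assumes PowerShell 3.0+ run as an administrator on the affected machine. The
# file-attribute check can also be pointed at a profile on a drive mounted in
# another machine (as JHM does with his hotswap tray) via -ProfileRoot.
param(
    [string]$ProfileRoot = [Environment]::GetFolderPath('UserProfile')
)

$findings = @()

# Emits a finding when a policy value is present and set to the value
# Malwarebytes reported as bad (its log lists "Bad: (1) Good: (0)" for each).
function Get-PolicyFinding {
    param([string]$Path, [string]$Name, [int]$Bad, [string]$Why)
    if (-not (Test-Path -Path $Path)) { return }
    $v = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -ne $v -and $v -eq $Bad) {
        [pscustomobject]@{ Check = $Why; Location = "$Path\$Name"; Value = $v }
    }
}

# 1. Proxy forced on: johnb35's "no internet after infection" check, read from
#    the registry instead of the Internet Options dialog.
$inet  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($proxy -and $proxy.ProxyEnable -eq 1) {
    $findings += [pscustomobject]@{
        Check = 'Proxy enabled'; Location = "$inet\ProxyServer"; Value = $proxy.ProxyServer
    }
}

# 2. The PUM.Hijack.* policy values from the Malwarebytes log, named as it named them.
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableTaskMgr';      Bad = 1; Why = 'PUM.Hijack.TaskManager (HKCU)' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableTaskMgr';      Bad = 1; Why = 'PUM.Hijack.TaskManager (HKLM)' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallPaper'; Bad = 1; Why = 'PUM.Hijack.DisplayProperties' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';      Name = 'StartMenuLogoff';     Bad = 1; Why = 'PUM.Hijack.StartMenu' }
)
foreach ($c in $policyChecks) { $findings += @(Get-PolicyFinding @c) }

# 3. The Malware.Trace key under Folder Options that the log flagged.
$noHid = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS'
if (Test-Path -Path $noHid) {
    $findings += [pscustomobject]@{ Check = 'NOHIDORSYS key present'; Location = $noHid; Value = '' }
}

# 4. Every autostart entry in the Run keys the log showed being abused.
#    Policies\Explorer\Run (where RTHDBPL sat) is rarely used by legitimate software.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path -Path $k)) { continue }
    $key = Get-Item -Path $k
    foreach ($name in $key.Property) {
        if ($name -eq '(default)') { continue }
        $findings += [pscustomobject]@{
            Check = 'Autostart entry'; Location = "$k\$name"; Value = $key.GetValue($name)
        }
    }
}

# 5. Files under the profile carrying Hidden+System: the "invisible system files"
#    symptom from the first post. Listed only; clear with attrib -h -s once you
#    have confirmed each one is the user's own file.
$hs = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
$hiddenSys = Get-ChildItem -Path $ProfileRoot -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object {
        (($_.Attributes -band $hs) -eq $hs) -and
        ($_.Name -notmatch '^(desktop\.ini|thumbs\.db|ntuser\.|usrclass\.)')   # normal H+S profile files
    }

$findings | Format-Table -AutoSize
"Hidden+System files under $ProfileRoot (review before running attrib): $(@($hiddenSys).Count)"
$hiddenSys | Select-Object -First 25 -ExpandProperty FullName
```

Anything it lists under "Autostart entry" still needs a human eye; the point is that a random-looking name such as the ldMFchcXrFP value in the log, or any entry at all under Policies\Explorer\Run, stands out immediately.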
 

JHM

banned
Thanks John, right now I am running F-Secure on it again to check it one more time. Malwarebytes has already declared it clean. As soon as that is finished, I will do as you suggested. Re browser, I think it is Mozilla Firefox. One problem there has been the destruction of her Start Menu and desktop shortcuts. Yes, I can download the suggested items and burn them to a CD, then take it from there.
 

JHM

banned
Alright, F-Secure declared it clean, and I burned the disk as suggested, then ran ComboFix. ComboFix immediately found a number of problems, and while it was running, F-Secure came to life announcing it had found one too. Tried unsuccessfully to let ComboFix download and install the "Windows Recovery Console", but it said the machine was not connected to the internet. (It is.) I let ComboFix finish running, then tried the internet again, and now I am here on her machine. Will post the ComboFix log, and I suppose I should run ComboFix again to try and get the "Windows Recovery Console" installed. Comments on that?

Combofix Log

ComboFix 11-05-06.03 - user 07/05/2011 2:58.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.1.1252.2.1033.18.2047.1612 [GMT -4:00]
Running from: d:\utilities\ComboFix\ComboFix.exe
* Created a new restore point
* Resident AV is active
.
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\user\WINDOWS
c:\program files\INSTALL.LOG
C:\Thumbs.db
c:\windows\start.exe
c:\windows\system32\Thumbs.db
c:\windows\Web\default.htt
.


.
c:\windows\system32\qmgr.dll . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-04-07 to 2011-05-07 )))))))))))))))))))))))))))))))
.
.
2011-05-05 02:44 . 2011-05-05 02:44 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2011-05-05 02:43 . 2011-05-05 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-05-05 02:43 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-05 02:43 . 2010-12-20 22:08 19288 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-19 16:36 . 2011-04-19 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\iWin Games
2011-04-19 16:11 . 2011-04-19 16:36 -------- d--h--w- c:\documents and settings\user\Application Data\iWin
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-04-01 02:17 . 2007-12-14 07:44 40960 ------w- c:\program files\Uninstall_CDS.exe
.
.
------- Sigcheck -------
.
.
.
[-] 2004-07-09 08:27 . 0E51BD586D186F61A9E4453DB8AEC774 . 1703936 . . [5.3.0000001.0904 built by: private/Lab06_dev(DXBLD00)] . . c:\windows\SYSTEM32\d3d9.dll
.
c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\xmlprov.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2002-08-29 06:41 8336384 ----a-w- c:\windows\SYSTEM32\shell32.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-25 344064]
"Disc Detector"="c:\program files\Creative\ShareDLL\CtNotify.exe" [2001-08-01 191488]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2005-10-26 122929]
"F-Secure TNB"="c:\program files\F-Secure\TNB\TNBUtil.exe" [2004-05-27 684032]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-08-29 13312]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-11-25 32768]
.
c:\documents and settings\user\Start Menu\Programs\Startup\
emesene.lnk - c:\program files\emesene\emesene.exe [2010-7-20 67584]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\CLI.exe [2004-11-25 32768]
F-Secure Automatic Update.lnk - c:\program files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe [2010-9-3 32807]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^Reboot.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Disabled Startup Items\Reboot.exe
backup=c:\windows\pss\Reboot.exeStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2004-11-25 04:27 32768 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2002-08-29 06:41 1511453 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rfagent]
2005-04-23 05:34 329216 ---ha-w- d:\utilities\Registry First Aid\RFA\rfagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
2001-08-23 16:00 3072 ----a-w- c:\windows\SYSTEM32\systray.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"NOMAD Detector"="c:\program files\CREATIVE\SBLIVE\PLAYCENTER2\CTNMRUN.EXE"
"PowerBar"=
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Tweak UI"=RUNDLL32.EXE c:\windows\SYSTEM32\TWEAKUI.CPL,TweakMeUp
"AHQInit"=c:\program files\Creative\SBLive\Program\AHQInit.exe
"AudioHQ"=c:\program files\Creative\SBLive\AudioHQ\AHQTB.EXE
"CTAVTray"=c:\program files\CREATIVE\SBLIVE\PROGRAM\CTAvTray.EXE
"Creative Launcher"=c:\program files\Creative\SBLive\Launcher\CTLauncher.exe
"rfagent"=d:\utilities\REGISTRY FIRST AID\RFA\rfagent.exe
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
"ATIPTA"=c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"Disc Detector"=c:\program files\Creative\ShareDLL\CtNotify.exe
"devldr16.exe"=c:\windows\SYSTEM32\DEVLDR16.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"NPROTECT"=d:\utilities\Norton\N Utilities 2000\Norton Utilities\NPROTECT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"SchedulingAgent"=mstask.exe
"KB891711"=c:\windows\SYSTEM\KB891711\KB891711.EXE
"ATIPOLL"=ati2evxx.exe
"DkService"=d:\utilities\Disk Keeper\DkService.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\F-Secure\\BackWeb\\7681197\\Program\\F-Secure Automatic Update.exe"= c:\\Program Files\\F-Secure\\BackWeb\\7681197\\program\\F-Secure Automatic Update.exe
.
R0 FSFW;F-Secure Firewall Driver;c:\windows\SYSTEM32\DRIVERS\fsdfw.sys [03/09/2010 10:54 PM 70896]
R2 BackWeb Plug-in - 7681197;F-Secure Automatic Update;c:\progra~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE [03/09/2010 10:54 PM 32807]
R2 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\FSfilter.sys [03/09/2010 10:54 PM 48816]
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\win2k\fsgk.sys [03/09/2010 10:54 PM 48256]
R2 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\FSrec.sys [03/09/2010 10:54 PM 16720]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ALG
*NewlyCreated* - IPNAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2002-08-29 06:41 67584 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2002-08-29 06:41 67584 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2002-08-29 06:41 67584 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2002-08-29 06:41 67584 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
2001-03-23 20:17 7168 ----a-w- c:\windows\SYSTEM32\updcrl.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mLocal Page = c:\windows\SYSTEM\blank.htm
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
LSP: c:\program files\F-Secure\FSPS\program\FSLSP.DLL
DPF: DirectAnimation Java Classes
DPF: Internet Explorer Classes for Java
DPF: Microsoft XML Parser for Java
DPF: Win32 Classes
.
.
------- File Associations -------
.
inifile=c:\windows\NOTEPAD.EXE %1
txtfile=c:\windows\NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Norton Utilities - d:\utilities\Norton\N Utilities 2000\Norton Utilities\Uninst.isu
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-07 03:10
Windows 5.1.2600 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = c:\program files\Creative\ShareDLL\CtNotify.exe?X???????????????? C?????Disc Detector?B???A???????A???????B???@???@?? C???????@?????????@?B???A???????A?p?????B???@?????P?????@? ???????U\?w??????????@???????????????????B?????|?????????????????????????????B
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(396)
c:\windows\System32\ODBC32.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(452)
c:\program files\F-Secure\FSPS\program\FSLSP.DLL
c:\windows\System32\dssenh.dll
.
- - - - - - - > 'explorer.exe'(3684)
c:\docume~1\user\LOCALS~1\Temp\IadHide5.dll
c:\windows\System32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\program files\F-Secure\Anti-Virus\fsgk32st.exe
c:\program files\F-Secure\Anti-Virus\FSGK32.EXE
c:\program files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
c:\program files\F-Secure\Common\FSMA32.EXE
c:\program files\F-Secure\Common\FSMB32.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\F-Secure\Anti-Virus\fssm32.exe
c:\program files\F-Secure\Common\FCH32.EXE
c:\program files\F-Secure\Common\FAMEH32.EXE
c:\program files\F-Secure\Anti-Virus\fsqh.exe
c:\program files\F-Secure\Anti-Virus\fsrw.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\F-Secure\Common\FNRB32.EXE
c:\program files\F-Secure\FWES\Program\fsdfwd.exe
c:\program files\F-Secure\Common\FIH32.EXE
c:\windows\System32\wbem\wmiapsrv.exe
c:\windows\System32\devldr32.exe
c:\program files\CREATIVE\SHAREDLL\MEDIADET.EXE
c:\program files\F-Secure\Anti-Virus\fsav32.exe
c:\progra~1\F-Secure\ANTI-S~1\fsaw.exe
c:\program files\F-Secure\FSGUI\fsguidll.exe
.
**************************************************************************
.
Completion time: 2011-05-07 03:16:31 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-07 07:16
.
Pre-Run: 9,903,866,368 bytes free
Post-Run: 10,469,318,144 bytes free
.
- - End Of File - - EB1EFDD1A290DEBC909BAA98FDEE7A70
 

JHM

banned
I copied the two missing files from my computer onto a floppy and put them where they belong in "System32" on hers.

c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\xmlprov.dll ... is missing !!

Should I run "ComboFix" again to try to get the "Windows Recovery Console" downloaded and installed on hers, now that its internet is working again, before I run "HijackThis"?
 

johnb35

Administrator
Staff member
Are you running the same version of windows? If yes, then go ahead. I'll go over your log in a bit.
 

JHM

banned
K, I ran "ComboFix" again, and this time got the "Windows Recovery Console" downloaded and installed. Also noticed her email program is now working again. Here is the latest "ComboFix" log. I much appreciate your help, John. THANKS so much!!

ComboFix 11-05-06.05 - user 07/05/2011 11:49:09.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.1.1252.2.1033.18.2047.1425 [GMT -4:00]
Running from: d:\utilities\ComboFix\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\user\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\user\Local Settings\temp\IadHide5.dll
.
Infected copy of c:\windows\system32\qmgr.dll was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\qmgr.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-04-07 to 2011-05-07 )))))))))))))))))))))))))))))))
.
.
2011-05-07 14:26 . 2008-04-14 09:42 13824 ----a-w- c:\windows\system32\wscntfy.exe
2011-05-07 14:26 . 2008-04-14 09:42 129024 ----a-w- c:\windows\system32\xmlprov.dll
2011-05-07 07:29 . 2011-05-07 07:29 -------- d-s---w- c:\windows\Cookies
2011-05-05 02:44 . 2011-05-05 02:44 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2011-05-05 02:43 . 2011-05-05 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-05-05 02:43 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-05 02:43 . 2010-12-20 22:08 19288 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-19 16:36 . 2011-04-19 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\iWin Games
2011-04-19 16:11 . 2011-04-19 16:36 -------- d-----w- c:\documents and settings\user\Application Data\iWin
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-04-01 02:17 . 2007-12-14 07:44 40960 ------w- c:\program files\Uninstall_CDS.exe
.
.
------- Sigcheck -------
.
[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\SYSTEM32\wscntfy.exe
.
[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\SYSTEM32\xmlprov.dll
.
[-] 2004-07-09 08:27 . 0E51BD586D186F61A9E4453DB8AEC774 . 1703936 . . [5.3.0000001.0904 built by: private/Lab06_dev(DXBLD00)] . . c:\windows\SYSTEM32\d3d9.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2002-08-29 06:41 8336384 ----a-w- c:\windows\SYSTEM32\shell32.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-25 344064]
"Disc Detector"="c:\program files\Creative\ShareDLL\CtNotify.exe" [2001-08-01 191488]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2005-10-26 122929]
"F-Secure TNB"="c:\program files\F-Secure\TNB\TNBUtil.exe" [2004-05-27 684032]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-08-29 13312]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-11-25 32768]
.
c:\documents and settings\user\Start Menu\Programs\Startup\
emesene.lnk - c:\program files\emesene\emesene.exe [2010-7-20 67584]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\CLI.exe [2004-11-25 32768]
F-Secure Automatic Update.lnk - c:\program files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe [2010-9-3 32807]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^Reboot.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Disabled Startup Items\Reboot.exe
backup=c:\windows\pss\Reboot.exeStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2004-11-25 04:27 32768 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2002-08-29 06:41 1511453 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rfagent]
2005-04-23 05:34 329216 ----a-w- d:\utilities\Registry First Aid\RFA\rfagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
2001-08-23 16:00 3072 ----a-w- c:\windows\SYSTEM32\systray.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"NOMAD Detector"="c:\program files\CREATIVE\SBLIVE\PLAYCENTER2\CTNMRUN.EXE"
"PowerBar"=
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Tweak UI"=RUNDLL32.EXE c:\windows\SYSTEM32\TWEAKUI.CPL,TweakMeUp
"AHQInit"=c:\program files\Creative\SBLive\Program\AHQInit.exe
"AudioHQ"=c:\program files\Creative\SBLive\AudioHQ\AHQTB.EXE
"CTAVTray"=c:\program files\CREATIVE\SBLIVE\PROGRAM\CTAvTray.EXE
"Creative Launcher"=c:\program files\Creative\SBLive\Launcher\CTLauncher.exe
"rfagent"=d:\utilities\REGISTRY FIRST AID\RFA\rfagent.exe
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
"ATIPTA"=c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"Disc Detector"=c:\program files\Creative\ShareDLL\CtNotify.exe
"devldr16.exe"=c:\windows\SYSTEM32\DEVLDR16.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"NPROTECT"=d:\utilities\Norton\N Utilities 2000\Norton Utilities\NPROTECT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"SchedulingAgent"=mstask.exe
"KB891711"=c:\windows\SYSTEM\KB891711\KB891711.EXE
"ATIPOLL"=ati2evxx.exe
"DkService"=d:\utilities\Disk Keeper\DkService.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\F-Secure\\BackWeb\\7681197\\Program\\F-Secure Automatic Update.exe"= c:\\Program Files\\F-Secure\\BackWeb\\7681197\\program\\F-Secure Automatic Update.exe
.
R0 FSFW;F-Secure Firewall Driver;c:\windows\SYSTEM32\DRIVERS\fsdfw.sys [03/09/2010 10:54 PM 70896]
R2 BackWeb Plug-in - 7681197;F-Secure Automatic Update;c:\progra~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE [03/09/2010 10:54 PM 32807]
R2 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\FSfilter.sys [03/09/2010 10:54 PM 48816]
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\win2k\fsgk.sys [03/09/2010 10:54 PM 48256]
R2 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\FSrec.sys [03/09/2010 10:54 PM 16720]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2002-08-29 06:41 67584 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2002-08-29 06:41 67584 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2002-08-29 06:41 67584 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2002-08-29 06:41 67584 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
2001-03-23 20:17 7168 ----a-w- c:\windows\SYSTEM32\updcrl.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mLocal Page = c:\windows\SYSTEM\blank.htm
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
LSP: c:\program files\F-Secure\FSPS\program\FSLSP.DLL
DPF: DirectAnimation Java Classes
DPF: Internet Explorer Classes for Java
DPF: Microsoft XML Parser for Java
DPF: Win32 Classes
.
.
------- File Associations -------
.
inifile=c:\windows\NOTEPAD.EXE %1
txtfile=c:\windows\NOTEPAD.EXE %1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-07 11:55
Windows 5.1.2600 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = c:\program files\Creative\ShareDLL\CtNotify.exe?X???????????????? C?????Disc Detector?B???A???????A???????B???@???@?? C???????@?????????@?B???A???????A?p?????B???@?????P?????@? ???????U\?w??????????@???????????????????B?????|?????????????????????????????B
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(396)
c:\windows\System32\ODBC32.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(452)
c:\program files\F-Secure\FSPS\program\FSLSP.DLL
c:\windows\System32\dssenh.dll
.
- - - - - - - > 'explorer.exe'(3324)
c:\windows\System32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\program files\F-Secure\Anti-Virus\fsgk32st.exe
c:\program files\F-Secure\Anti-Virus\FSGK32.EXE
c:\program files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
c:\program files\F-Secure\Common\FSMA32.EXE
c:\program files\F-Secure\Common\FSMB32.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\F-Secure\Anti-Virus\fssm32.exe
c:\program files\F-Secure\Common\FCH32.EXE
c:\program files\F-Secure\Common\FAMEH32.EXE
c:\program files\F-Secure\Anti-Virus\fsqh.exe
c:\program files\F-Secure\Anti-Virus\fsrw.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\F-Secure\Common\FNRB32.EXE
c:\windows\System32\wbem\wmiapsrv.exe
c:\program files\F-Secure\Common\FIH32.EXE
c:\program files\F-Secure\FWES\Program\fsdfwd.exe
c:\windows\System32\devldr32.exe
c:\program files\CREATIVE\SHAREDLL\MEDIADET.EXE
c:\program files\F-Secure\Anti-Virus\fsav32.exe
c:\progra~1\F-Secure\ANTI-S~1\fsaw.exe
c:\program files\F-Secure\FSGUI\fsguidll.exe
.
**************************************************************************
.
Completion time: 2011-05-07 11:59:54 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-07 15:59
ComboFix2.txt 2011-05-07 07:16
.
Pre-Run: 10,447,737,344 bytes free
Post-Run: 10,443,884,544 bytes free
.
winxpsp1_en_pro_bf.exe
[boot loader]
timeout = 30
default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS = "Microsoft Windows XP Professional" /fastdetect
.
- - End Of File - - B61D87823CBBA23CA6E9D86E60A4FF9C
 

johnb35

Administrator
Staff member
Ok, looks much better. Post a fresh HijackThis log and I'll look at it when I get home tonight, as I have to leave for work shortly.
 

JHM

banned
Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:43:25 PM, on 07/05/2011
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsrw.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\emesene\emesene.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
D:\Utilities\HiJack This\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: emesene.lnk = C:\Program Files\emesene\emesene.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Win32 Classes -
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gsn.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {4AB16005-E995-4A60-89DE-8B8A3E6EB5B0} (TrivialPursuit Control) - http://www.worldwinner.com/games/v56/trivialpursuit/trivialpursuit.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} (WorldWinner ActiveX Launcher Control) - http://www.worldwinner.com/games/launcher/ie/v2.22.01.0/iewwload.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - Unknown owner - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lmab_device - Unknown owner - C:\WINDOWS\System32\LMabcoms.exe

--
End of file - 6573 bytes
 
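To triage a HijackThis log like the one above without reading every line by hand, the following added example (not part of this thread and not a HijackThis tool) parses the O4 and O23 line formats shown in the log and lists the entries a reviewer would check first: services whose publisher the tool could not identify ("Unknown owner") and the O10 Winsock LSP entry. The sample lines are constructed from the log posted above.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v2 format, copied from the log above
# (a handful of lines, not the full log).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [Disc Detector] C:\\Program Files\\Creative\\ShareDLL\\CtNotify.exe
O4 - HKLM\\..\\Run: [F-Secure Manager] "C:\\Program Files\\F-Secure\\Common\\FSM32.EXE" /splash
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\nwprovau.dll
O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\SYSTEM32\\ati2sgag.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\\Program Files\\F-Secure\\Common\\FSMA32.EXE
O23 - Service: lmab_device - Unknown owner - C:\\WINDOWS\\System32\\LMabcoms.exe
"""

# O4 autostart entries: "O4 - <hive>\..\Run: [<name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# O23 services: "O23 - Service: <display name> - <owner> - <image path>"
O23_RE = re.compile(r'^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$')


def parse_hjt(text):
    """Group HijackThis lines into O4 run entries, O23 services and other O-lines."""
    entries = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            entries['O4'].append(m.groupdict())
            continue
        m = O23_RE.match(line)
        if m:
            entries['O23'].append(m.groupdict())
            continue
        if line.startswith('O'):
            entries['other'].append(line)
    return entries


def review_items(entries):
    """Entries to look at first: services with no identified publisher,
    plus any Winsock LSP (O10) lines HijackThis could not recognise."""
    flagged = [f"service {e['name']} -> {e['path']}"
               for e in entries['O23'] if e['owner'] == 'Unknown owner']
    flagged += [l for l in entries['other'] if l.startswith('O10')]
    return flagged


if __name__ == '__main__':
    for item in review_items(parse_hjt(SAMPLE_LOG)):
        print(item)
```

An "Unknown owner" service is not malicious by itself (hardware vendor services often lack a publisher string, as the ATI one here), but each such path is worth checking against its on-disk signature before it is dismissed.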

JHM

banned
Note: Although the machine is much better now, and the files that were converted to "Invisible System Files" are all back to normal now, I still cannot delete unwanted shortcuts, or move shortcuts to a different location without them going bad; nor can I make shortcuts in the manner I usually use.
 