Fake AV infection - files hidden?

gregrocker

New member
Guru
Local time
12:12 PM
Messages
50,634
I'm trying to help a friend who's locked out of Win7 Pro due to fake AV. All files are missing but I'm assuming they're hidden since I can transfer them in TeamViewer File Transfer.

I can also open Task Manager to run explorer.exe to get to Program Files to run their .exe and am running Malwarebytes now with 21 infections already found and cleaned up.

I was out of the room when Malwarebytes results came so he cleaned up the 21 infections without noting which Fake AV scan was detected. We regained no functionality after scan, so I'm running Full Scan again. Should I also run a root kit scan now?

It's strange that Program Files are there but everything in Users is missing. I'm assuming it's hidden since I can transfer needed files out using Team Viewer, so is there a way to restore them with additional Cleanup?

I'm just about to run SFC.
 
All files are missing but I'm assuming they're hidden since I can transfer them in TeamViewer File Transfer.

Well, in that case, have you tried booting off your friend's pc with a live cd and recover those from there?

so I'm running Full Scan again. Should I also run a root kit scan now?

I'd wait for the scan to finish. It wouldn't hurt to do a rootkit scan, though caution should be exercised as these may produce false positives.
 

My Computer

Computer Manufacturer/Model Number
HCL
OS
Windows 7 Ultimate x64 | Ubuntu 12.04 x64 LTS
CPU
Core 2 Duo e7400 @ 2.90GHz
Motherboard
Gigabyte G31M-ES2L
Memory
3GB DDR2
Graphics Card(s)
Asus Nvidia GTX 560Ti 1GB
Sound Card
On-board
Monitor(s) Displays
HCL eZeeBee 18.5" LCD
Screen Resolution
1366x768 @ 60Hz
Hard Drives
Western Digital 320GB
PSU
Corsair CX500 V2 500W
Cooling
Stock
Keyboard
Stock
Mouse
Stock
Internet Speed
15-25kBps D/L | 10kBps U/L | Hey Don't laugh
I'm across the country and he's at work so cannot boot disk to copy out files. I copied his most urgent files out using TeamViewer File Transfer Wizard which does show them even though Explorer shows entire User folder empty.

Nothing found yet in full Malwarebytes scan. Also running SFC. Anything that can be done to unhide his files?
 
Have him run Combofix.
ComboFix Download

He is probably going to have to go to Tools > Folder Options > View, enable "Show hidden files and folders", and manually make them not hidden anymore.
 

My Computer

Computer Manufacturer/Model Number
HAL-9000
OS
Windows 7 Ultimate 64bit
CPU
Intel i7 3770K
Motherboard
Asus Sabertooth Z77
Memory
16GB DDR3 1333 Corsair XMS3
Graphics Card(s)
XFX HD6950 2GB EyeFinity
Sound Card
Logitech G35 & Sennheiser PC135 & VIA HD
Monitor(s) Displays
23" HP 2310e, 23" Samsung B2230, 21.5" Viewsonic
Screen Resolution
5760x1080
Hard Drives
16TB of Storage
128GB & 256GB Crucial M4 SSD's, 2X 1TB WD Black, 3x 2TB WD, 3x 2TB Samsung F4, 1.5TB Seagate, WD 500GB,
PSU
Antec True Power New 650watt
Case
Cooler Master HAF-932
Cooling
Corsair H60 Hydro Cooler, 3x 230mm Fans, 2x120mm Fan
Keyboard
Logitech G15 and G13
Mouse
Logitech G700 Gaming Mouse
Internet Speed
50/10 Mbit
Other Info
Speakers : Alesis M1 Active Mk2 Studio Monitors , APC RS 1200 UPS, HP 4500DN Color Laser, HP P1006 mono Laser, Kodak 8500 Dye-Sub, Epson 1280 inkjet, Epson Worforce 610 MFC
Well, ComboFix is a very advanced tool and must be run under the supervision of a security specialist. (No offence Zepher)

@Greg- if you do decide to have it run, have him follow the steps here- (Canned Speech) Combofix XP
 

he is probably going to have to go to the tools>folder options>view> and enable "show hidden files and folders" and manually make them not hidden anymore.

This is how the fake AV virus hides the entire User folder? :eek:

I'm planning to finish the Malwarebytes Full Scan (clean so far after 1 hour), then SFC, then ComboFix.

Any other suggestions?

Thanks! :)
 
Greg, try unhide
Unhide.exe (http://download.bleepingcomputer.com/grinler/unhide.exe) (by Grinler)
"Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run."
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
Thanks Jacee. :) I guess this answers your question in the other thread of how he is getting infected. I opened TeamViewer to see the fake AV scanner I have warned him about repeatedly.

Lost TeamViewer now so need to wait til he gets home from work to continue. :rolleyes:

Plan:
Malwarebytes Full Scan (in progress)
SFC /scannow (also in progress)
Combo Fix
Unhide
?
 
RKill (just incase) before Combofix ... If there's any way to capture the CF log, I would like to see it, please. :)
Also, rename Combofix.exe to sVchost.exe during the download.

(RKill kills the rogue/fake processes from running, so that you can download necessary tools for removal.
The tool should run on all 32bit versions of current Windows (XP, Vista, Windows VirusTotal shows that only a few AVs flag it as anything)

Download and Run RKill
Please download RKill by Grinler from one of the 4 links below and save it to your desktop.
Link 1
Link 2
Link 3
Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply
 

ComboFix log

After running ComboFix all files appear restored. :party:

All of the Programs appear to be working but shortcuts in All Programs list are empty. Partially solved here: Start Menu All Programs in Windows 7 - Restore Default Shortcuts - Windows 7 Forums

Security Center, Windows Update and MSE Services all started up after restart.

Many files were missing from external which was unplugged prior to fixes running. Tried Zepher's idea to Unhide in Control Panel and they show up. Ran UnHide which restored all files and would have restored my missing All Programs shortcuts had Recycle Bin not been emptied.:huh:

Seems back to normal with good performance but only time will tell.

Code:
ComboFix 12-03-28.02 - MDuquette 03/28/2012  17:45:25.1.2 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.2038.1223 [GMT -4:00]
Running from: c:\users\MDuquette\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\~7GNFxghQfiOBui
c:\programdata\~7GNFxghQfiOBuir
c:\programdata\7GNFxghQfiOBui
c:\users\MDuquette\AppData\Local\{2916551A-4BF7-4AEB-82C5-FA0E02C973A5}
c:\users\MDuquette\AppData\Local\{2916551A-4BF7-4AEB-82C5-FA0E02C973A5}\chrome.manifest
c:\users\MDuquette\AppData\Local\{2916551A-4BF7-4AEB-82C5-FA0E02C973A5}\chrome\content\overlay.xul
c:\users\MDuquette\AppData\Local\{2916551A-4BF7-4AEB-82C5-FA0E02C973A5}\install.rdf
c:\users\MDuquette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check
c:\users\MDuquette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\System Check.lnk
c:\users\MDuquette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\Uninstall System Check.lnk
.
.
(((((((((((((((((((((((((   Files Created from 2012-02-28 to 2012-03-28  )))))))))))))))))))))))))))))))
.
.
2012-03-24 11:42 . 2012-03-14 02:15    6582328    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{26181C00-0057-4728-BDBB-39FAD9CA378D}\mpengine.dll
2012-03-18 14:37 . 2012-03-18 14:37    --------    d--h--w-    c:\programdata\F4D55EDB006B2A9A03994D22B4EB238B
2012-03-17 03:35 . 2012-03-17 03:35    --------    d-----w-    c:\program files\Common Files\Java
2012-03-17 03:34 . 2012-03-17 03:33    472808    ----a-w-    c:\windows\system32\deployJava1.dll
2012-03-15 10:31 . 2012-02-03 03:54    2343424    ----a-w-    c:\windows\system32\win32k.sys
2012-03-15 10:31 . 2012-02-10 05:38    1077248    ----a-w-    c:\windows\system32\DWrite.dll
2012-03-15 10:31 . 2012-01-25 05:27    8192    ----a-w-    c:\windows\system32\rdrmemptylst.exe
2012-03-15 10:31 . 2012-01-25 05:32    58880    ----a-w-    c:\windows\system32\rdpwsx.dll
2012-03-15 10:31 . 2012-01-25 05:32    129536    ----a-w-    c:\windows\system32\rdpcorekmts.dll
2012-03-15 10:31 . 2012-02-17 05:34    826880    ----a-w-    c:\windows\system32\rdpcore.dll
2012-03-15 10:31 . 2012-02-17 04:13    24576    ----a-w-    c:\windows\system32\drivers\tdtcp.sys
2012-03-15 10:31 . 2012-02-17 04:14    183808    ----a-w-    c:\windows\system32\drivers\rdpwd.sys
2012-03-08 23:10 . 2012-03-08 23:10    --------    d-----w-    c:\program files\iPod
2012-03-08 23:10 . 2012-03-08 23:11    --------    d-----w-    c:\program files\iTunes
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-17 02:40 . 2011-05-14 03:56    414368    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-10 11:30 . 2012-02-10 11:31    713784    ------w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9188A78F-B458-49D5-B281-07487EF176EC}\gapaengine.dll
2012-02-08 06:03 . 2012-01-06 17:44    6552120    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-01-31 12:44 . 2010-04-16 21:10    237072    ------w-    c:\windows\system32\MpSigStub.exe
2012-01-11 11:17 . 2012-01-11 11:16    727647    ----a-w-    c:\windows\Windstar Demo Uninstaller.exe
2012-01-06 03:39 . 2012-02-10 11:31    703824    ------w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-01-02 07:48 . 2012-01-02 07:48    74752    ----a-w-    c:\windows\system32\RegisterIEPKEYs.exe
2012-01-02 07:47 . 2012-01-02 07:47    161792    ----a-w-    c:\windows\system32\msls31.dll
2012-01-02 07:47 . 2012-01-02 07:47    110592    ----a-w-    c:\windows\system32\IEAdvpack.dll
2012-01-02 07:47 . 2012-01-02 07:47    76800    ----a-w-    c:\windows\system32\SetIEInstalledDate.exe
2012-01-02 07:47 . 2012-01-02 07:47    86528    ----a-w-    c:\windows\system32\iesysprep.dll
2012-01-02 07:47 . 2012-01-02 07:47    63488    ----a-w-    c:\windows\system32\tdc.ocx
2012-01-02 07:47 . 2012-01-02 07:47    48640    ----a-w-    c:\windows\system32\mshtmler.dll
2012-01-02 07:47 . 2012-01-02 07:47    367104    ----a-w-    c:\windows\system32\html.iec
2012-01-02 07:47 . 2012-01-02 07:47    74752    ----a-w-    c:\windows\system32\iesetup.dll
2012-01-02 07:47 . 2012-01-02 07:47    420864    ----a-w-    c:\windows\system32\vbscript.dll
2012-01-02 07:47 . 2012-01-02 07:47    23552    ----a-w-    c:\windows\system32\licmgr10.dll
2012-01-02 07:47 . 2012-01-02 07:47    152064    ----a-w-    c:\windows\system32\wextract.exe
2012-01-02 07:47 . 2012-01-02 07:47    150528    ----a-w-    c:\windows\system32\iexpress.exe
2012-01-02 07:47 . 2012-01-02 07:47    35840    ----a-w-    c:\windows\system32\imgutil.dll
2012-01-02 07:47 . 2012-01-02 07:47    142848    ----a-w-    c:\windows\system32\ieUnatt.exe
2012-01-02 07:47 . 2012-01-02 07:47    11776    ----a-w-    c:\windows\system32\mshta.exe
2012-01-02 07:47 . 2012-01-02 07:47    101888    ----a-w-    c:\windows\system32\admparse.dll
2012-02-17 17:58 . 2011-10-18 22:35    134104    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Meebo Notifier"="c:\users\MDuquette\AppData\Local\Meebo\Meebo Notifier\MeeboNotifier.exe" [2010-07-15 818888]
"MobileDocuments"="c:\program files\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
"AOL Fast Start"="c:\program files\AOL Desktop 9.6a\AOL.EXE" [2011-04-25 42320]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-07 421736]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"PromptOnSecureDesktop"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Intuit Data Protect.lnk]
backup=c:\windows\pss\Intuit Data Protect.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Intuit Data Protect.lnk
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks_Standard_21.lnk]
backup=c:\windows\pss\QuickBooks_Standard_21.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 16:08    935288    ----a-r-    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 08:08    35696    ----a-w-    c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
2009-10-28 14:38    50536    ----a-w-    c:\program files\AOL 9.5\aol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2011-11-02 12:51    59240    ----a-w-    c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 02:28    59240    ----a-w-    c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 19:54    91520    ----a-w-    c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2007-03-21 16:33    1548288    ----a-w-    c:\windows\System32\WLTRAY.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ComcastAntispyClient]
2009-08-19 17:25    1589208    ---ha-w-    c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Software]
2009-04-24 06:57    1025320    ----a-w-    c:\program files\Common Files\SupportSoft\bin\bcont.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2010-03-08 07:27    41800    ----a-w-    c:\program files\Common Files\aol\1271452016\ee\aolsoftware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-09-23 23:30    173592    ----a-w-    c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-09-23 23:30    141848    ----a-w-    c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
2011-10-10 01:39    1874264    ----a-w-    c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-07 00:05    421736    ----a-w-    c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-09-23 23:30    150552    ----a-w-    c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 19:28    421888    ----a-w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2010-11-20 21:29    1174016    ----a-w-    c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-09-13 19:44    405504    ----a-w-    c:\program files\Sigmatel\C-Major Audio\WDM\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 18:02    254696    ----a-w-    c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2012-01-18 11:46    296056    ----a-w-    c:\program files\real\realplayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2012-01-18 136176]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2012-01-18 136176]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-01-02 1343400]
R4 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [2009-06-17 616408]
R4 PuranDefrag;PuranDefrag;c:\windows\system32\PuranDefragS.exe [2011-02-15 229376]
R4 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [2011-08-30 1255936]
R4 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [2010-12-07 2228008]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 TeamViewer7;TeamViewer 7;c:\program files\TeamViewer\Version7\TeamViewer_Service.exe [2012-01-19 3027840]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-18 11:44]
.
2012-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-18 11:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://68.153.220.28:8080/activex/AMC.cab
FF - ProfilePath - c:\users\MDuquette\AppData\Roaming\Mozilla\Firefox\Profiles\sqg9g1mm.default\
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Gwofuzozawufi - c:\users\MDuquette\AppData\Local\axidiruvupoqoxe.dll
MSConfigStartUp-Vsofezi - c:\users\MDuquette\AppData\Local\wisdsk.dll
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-03-28  17:58:20
ComboFix-quarantined-files.txt  2012-03-28 21:58
.
Pre-Run: 9,785,036,800 bytes free
Post-Run: 10,061,418,496 bytes free
.
- - End Of File - - 599A00B8C4870EE77F23957CB2F4750E
We are considering replacing MSE with Webroot Secure Anywhere AV. Opinions?

Thank you, Security experts! :geek:
 
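As an added example that is not part of the thread or of ComboFix, the following PowerShell re-reads the two areas the log above flags under "Reg Loading Points": the Security Center override values (the log shows AntiVirusOverride and FirewallOverride set to 1, which tells Security Center to stop monitoring and warning about antivirus and firewall status, exactly what a rogue wants silenced) and the autostart entries, flagging any that launch from user-writable folders the way the two orphaned DLLs under AppData\Local did. The expected defaults and the folder list are assumptions; a hit means "review this", not "infected".

```powershell
<#
  Added example, not from the thread. Re-checks Security Center overrides and Run keys
  after cleanup. Assumes an elevated PowerShell 3.0+ prompt on the cleaned machine.
  Expected values are the Windows 7 defaults (assumption); only 32-bit/native Run keys are read.
#>

# Value -> expected default. Override = 1 suppresses the "no antivirus/firewall" warnings;
# EnableLUA/PromptOnSecureDesktop = 1 are the UAC defaults the log lists under policies\system.
$expected = @{
    'HKLM:\SOFTWARE\Microsoft\Security Center' = @{ AntiVirusOverride = 0; FirewallOverride = 0 }
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' = @{ EnableLUA = 1; PromptOnSecureDesktop = 1 }
}

function Get-SecurityOverrideDeviation {
    foreach ($key in $expected.Keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($name in $expected[$key].Keys) {
            $actual = if ($props) { $props.$name } else { $null }
            if ($null -eq $actual) { continue }          # absent value = default behaviour
            if ($actual -ne $expected[$key][$name]) {
                [pscustomobject]@{ Key = $key; Value = $name; Actual = $actual; Expected = $expected[$key][$name] }
            }
        }
    }
}

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed list of locations a standard user can write to. Legitimate software does start from
# some of these (the log's Meebo entry, for example), so treat each hit as a review item.
$userWritable = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:ProgramData) | Where-Object { $_ }

function Get-UserWritableAutostart {
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }        # PSPath, PSChildName etc. are provider metadata
            # Expand %VAR% forms and drop a leading quote so the prefix compare sees the real path.
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value).TrimStart('"')
            foreach ($prefix in $userWritable) {
                if ($cmd.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
                    [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
                    break
                }
            }
        }
    }
}

'== Security Center / UAC values that differ from the assumed defaults'
Get-SecurityOverrideDeviation | Format-Table -AutoSize
'== autostart entries launching from user-writable folders (review each)'
Get-UserWritableAutostart | Format-Table -AutoSize
```

Run it before ComboFix to capture a baseline and again afterwards; an empty first table and a second table containing only entries you recognise is the result you want. Anything pointing at a random-looking DLL under AppData, as the two "ORPHANS REMOVED" lines in the log did, belongs on the list of things to submit to the helpers in the thread rather than to delete by hand.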
Greg, remove the 'dirty' DNS cache, and restore MS's Hosts File:

Copy and paste these lines in Note pad.

@Echo on
rem Restore the default hosts file; clear its attributes first so it can be overwritten
pushd %SystemRoot%\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>hosts
attrib +r +h +s hosts
popd
rem Drop the current lease, get a fresh one and empty the resolver cache
ipconfig /release
ipconfig /renew
ipconfig /flushdns
rem Reset the Winsock catalog and the TCP/IP stack, then reboot and delete this script
netsh winsock reset
netsh int ip reset
shutdown -r -t 1
del %0


Save as flush.bat to your desktop.
Double click on the flush.bat file to run it. Vista and Windows 7: right click the .bat file and choose to run as Administrator. Your computer will reboot itself.

Next, download TFC by Old Timer TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums and save it to your desktop.
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

After doing all of the above, scan the machine with ESET OnlineScan:

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window: ESET OnlineScan
  2. Click the [esetOnline.png] button.
  3. For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
     1. Click on [esetSmartInstall.png] to download the ESET Smart Installer. Save it to your desktop.
     2. Double click on the [esetSmartInstallDesktopIcon.png] icon on your desktop.
  4. Check [esetAcceptTerms.png].
  5. Click the [esetStart.png] button.
  6. Accept any security warnings from your browser.
  7. Check [esetScanArchives.png].
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push [esetListThreats.png].
  11. Push [esetExport.png], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the [esetBack.png] button.
  13. Push [esetFinish.png].

We'll follow up from here ;)
 

TeamViewer won't reconnect after disconnecting during Old Timer cleaning. Will have to wait to finish the steps. I did notice I cannot access Device Manager by right-clicking Computer any longer. I get a lost path when I click Manage. I had to use Control Panel.

This reminds me why I always end up reinstalling after one of these. When I get back there next week I'll probably reapply an image from February. At least he's able to use it no problem now.
 
I think the better idea of cleaning and re-installing will be for the best. Some System Check (the fake AV) infections will be bundled with the latest TDL rootkit. :mad:
 

Everything completed without problems and performance is good.

The only remainder experienced so far is that it's lost its path from rightclick>Computer to Management console. I wonder if that would have been one of the links restored by the brilliant Unhide program had CCleaner not deleted Temp files before it was run? It prompted that without the Temp files it could not restore other links in All Programs folder.

May I ask what all flush.bat flushed?

Thanks, Jacee. Would rep you again if it would let me.
 
The 'flush.bat' flushed the bad DNS cache, restored MS's Hosts file, reset the winsock (in case a bad program/file hijacked it), and renewed the computer's IP address.

A request flows in the following order:
Web browser or other application
|
winsock.dll
|
TCP/IP layers
|
Modem or network card
|
The Internet and destination

This might also interest you: DNS (Domain Name System)
 

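The following PowerShell, added here as an example and not part of Jacee's post or of flush.bat, is the read-only counterpart of that script: it audits the three things flush.bat overwrites (hosts file, DNS servers, resolver cache) so you can see whether any of them was actually tampered with before you reset them, and confirm afterwards that the reset took. The $securitySites list is an assumption; Get-DnsClientCache and Get-DnsClientServerAddress only exist on Windows 8 / Server 2012 and later, so on Windows 7 read "ipconfig /displaydns" and "ipconfig /all" by hand instead.

```powershell
<#
  Added example, not from the thread and not part of flush.bat.
  Read-only audit of what flush.bat resets. Assumes PowerShell 3.0+; the DnsClient
  cmdlets at the bottom need Windows 8 / Server 2012 or later.
#>

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Assumption: name fragments of update and security-vendor sites. A hosts entry that points
# one of these at loopback stops the real AV from updating, a classic rogue-AV side effect.
$securitySites = @('windowsupdate', 'microsoft.com', 'symantec', 'mcafee', 'kaspersky',
                   'avast', 'avg.com', 'malwarebytes', 'bleepingcomputer', 'eset.com')

function Get-HostsFileFinding {
    param([string]$Path = $hostsPath)
    # A stock Windows 7 hosts file has every line commented out, so every active entry is listed.
    foreach ($raw in (Get-Content -LiteralPath $Path -ErrorAction Stop)) {
        $line = ($raw -split '#', 2)[0].Trim()             # strip comments
        if ($line -eq '') { continue }
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { continue }               # malformed line, nothing to map
        $address = $parts[0]
        $names   = $parts[1..($parts.Count - 1)]
        $isLoopback = $address -in @('127.0.0.1', '::1')
        if ($isLoopback -and $names.Count -eq 1 -and $names[0] -eq 'localhost') { continue }  # what flush.bat writes

        $hitsSecuritySite = $false
        foreach ($n in $names) {
            foreach ($site in $securitySites) {
                if ($n -like "*$site*") { $hitsSecuritySite = $true }
            }
        }
        $reason = if ($hitsSecuritySite) { 'security/update site overridden' }
                  elseif (-not $isLoopback) { 'name mapped to non-loopback address' }
                  else { 'active entry (default file has none)' }
        [pscustomobject]@{ Address = $address; Names = ($names -join ' '); Reason = $reason }
    }
}

function Get-HostsFileAttributes {
    # flush.bat leaves the file +r +h +s; just report what is there now.
    (Get-Item -LiteralPath $hostsPath -Force).Attributes
}

function Get-DnsServerSummary {
    # One row per interface with IPv4 DNS servers; compare with what the router/ISP should hand out.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        Select-Object InterfaceAlias, @{ Name = 'Servers'; Expression = { $_.ServerAddresses -join ', ' } }
}

function Get-LoopbackCacheEntry {
    # hosts entries are preloaded into the resolver cache, so a real name cached as 127.0.0.1
    # is the runtime trace of a hosts-file hijack even if the file was edited back already.
    Get-DnsClientCache -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Data -eq '127.0.0.1' -and $_.Entry -ne 'localhost' } |
        Select-Object Entry, Data, TimeToLive
}

"== hosts file $hostsPath (attributes: $(Get-HostsFileAttributes))"
Get-HostsFileFinding | Format-Table -AutoSize
'== DNS servers per interface'
Get-DnsServerSummary | Format-Table -AutoSize
'== cached names resolving to loopback'
Get-LoopbackCacheEntry | Format-Table -AutoSize
```

Run it from an elevated prompt; an empty first and third table plus DNS servers you recognise means flush.bat has nothing left to undo. Keep the output with the other logs from the cleanup so the helpers in the thread can see what the infection actually changed.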
I wonder if that would have been one of the links restored by the brilliant Unhide program had CCleaner not deleted Temp files before it was run? It prompted that without the Temp files it could not restore other links in All Programs folder.

FYI: With rogues that make it appear that files/programs are missing, do not run a temp file cleaner. The rogues generally "hide" the files in the %Temp%\Smtmp folder.

Grinler also created some scripts to restore the default Start Menu for specific versions of Windows that he has access to. See the 11/14/2011 update at Unhide.exe - A introduction as to what this program does
 

My Computer

OS
Windows 7 & Windows Vista Ultimate
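As an added example (not the Unhide.exe tool from Jacee's post or Grinler's Start Menu scripts that Corrine points to), the following PowerShell covers both points raised above: it lists, and with -Fix clears, the Hidden attribute on user data under a profile while leaving the items Windows hides on purpose alone, and it reports whether %Temp%\Smtmp is holding relocated files so nobody runs a temp-file cleaner first. The $Root default and the exclusion list are assumptions.

```powershell
<#
  Added example; not the Unhide.exe tool or Grinler's scripts from the thread.
  Assumes PowerShell 3.0+ on Windows 7 or later, run from an elevated prompt on the affected
  machine, saved as a .ps1. By default it only reports; -Fix clears the Hidden attribute.
#>
param(
    [string]$Root = $env:USERPROFILE,   # assumption: the infected account's profile
    [switch]$Fix
)

$HIDDEN = [int][System.IO.FileAttributes]::Hidden   # 2
$SYSTEM = [int][System.IO.FileAttributes]::System   # 4

# Windows hides these profile locations itself; do not "repair" them. Assumed list.
$osHiddenSegments = @('\AppData\', '\Application Data\', '\Local Settings\', '\$RECYCLE.BIN\')

function Test-OsHiddenPath {
    param([string]$FullName)
    $withSlash = $FullName + '\'          # so the folder itself matches, not only its contents
    foreach ($seg in $osHiddenSegments) {
        if ($withSlash -like "*$seg*") { return $true }
    }
    return $false
}

function Get-UserHiddenItem {
    param([string]$Path)
    # Hidden but not System: desktop.ini and NTUSER.DAT are Hidden+System and drop out here,
    # while rogue AV leaves ordinary documents with the Hidden bit only.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $attr = [int]$_.Attributes
            (($attr -band $HIDDEN) -ne 0) -and (($attr -band $SYSTEM) -eq 0) -and
            -not (Test-OsHiddenPath $_.FullName)
        }
}

function Clear-HiddenAttribute {
    param([System.IO.FileSystemInfo]$Item)
    # Clear only the Hidden bit; ReadOnly, Archive and the rest stay as they were.
    $Item.Attributes = [System.IO.FileAttributes]([int]$Item.Attributes -band (-bnot $HIDDEN))
}

$items = @(Get-UserHiddenItem -Path $Root)
Write-Host ("{0} hidden user item(s) under {1}" -f $items.Count, $Root)
foreach ($item in $items) {
    if ($Fix) {
        Clear-HiddenAttribute -Item $item
        Write-Host "unhidden: $($item.FullName)"
    } else {
        Write-Host "hidden:   $($item.FullName)"
    }
}

# Corrine's point: rogues often move Start Menu and Desktop shortcuts into %Temp%\Smtmp rather
# than hiding them, so a temp-file cleaner run before recovery destroys them for good.
$smtmp = Join-Path $env:TEMP 'Smtmp'
if (Test-Path -LiteralPath $smtmp) {
    $stashed = @(Get-ChildItem -LiteralPath $smtmp -Recurse -Force -File -ErrorAction SilentlyContinue)
    $shortcuts = @($stashed | Where-Object { $_.Extension -eq '.lnk' }).Count
    Write-Host ("{0} holds {1} file(s), {2} of them .lnk shortcuts: do not clean temp files until these are restored" -f $smtmp, $stashed.Count, $shortcuts)
} else {
    Write-Host "no $smtmp folder found (nothing stashed, or it was already cleaned)"
}
```

Run it once without -Fix and read the list; if it shows only the user's own documents and folders, run it again with -Fix. For the Smtmp contents, use Grinler's restore scripts from the Unhide.exe topic rather than moving shortcuts back by hand, since the folder layout maps onto several different Start Menu locations.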
Hi, Corrine. I had run CCleaner earlier after infection so Unhide couldn't restore the Start Menu items.

This was a learning experience. :geek:
 
Hi, Greg. I understand that. :) The purpose of my comment was twofold. First to advise others who may read this topic not to run a temp file cleaner and, second, to direct your attention to Grinler's scripts to restore the Start Menu items. They are in the same discussion topic as the information on Unhide.exe. Just scroll down the page to the section marked Update 11/14/2011.
 

Thanks, Corrine. :)

Unhide is a lifesaver. The guy's external had almost 1tb files which were hidden and it unhid them as well as all of his data flawlessly.

Zepher's advice to unhide them in Control Panel>Folder options worked initially but I needed a permanent solution so I could rehide legitimately Hidden Files.
 
It is even more of a lifesaver now! Grinler posted this update to the Unhide.exe topic today:

Update: 04/03/2012

Unhide was updated to include certain Start Menu options that were being hidden on the start menu. Unhide will now restore those settings back to Windows defaults and then restart Explorer.exe so that the changes go into effect.

These start menu items that are now made visible include:

  • Documents
  • Pictures
  • User Profile
  • Music
  • Games
  • Control Panel
  • Videos
  • Default Programs
 
