
Thread: Missing files

  1. #11
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Hi,

    Run aswMBR again just to scan and post a new log please
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  2. #12
    Junior Member
    Join Date
    Feb 2012
    Posts
    13

    aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
    Run date: 2012-02-15 13:03:42
    -----------------------------
    13:03:42.709 OS Version: Windows x64 6.1.7601 Service Pack 1
    13:03:42.709 Number of processors: 1 586 0x170A
    13:03:42.709 ComputerName: MELISSA-PC UserName: melissa
    13:03:43.723 Initialize success
    13:04:59.021 AVAST engine defs: 12021500
    13:05:00.503 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    13:05:00.503 Disk 0 Vendor: TOSHIBA_MK2556GSY LH003C Size: 238475MB BusType: 11
    13:05:00.518 Disk 0 MBR read successfully
    13:05:00.518 Disk 0 MBR scan
    13:05:00.534 Disk 0 unknown MBR code
    13:05:00.534 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
    13:05:00.550 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 225481 MB offset 409600
    13:05:00.581 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 12793 MB offset 462194688
    13:05:00.581 Service scanning
    13:05:01.829 Modules scanning
    13:05:01.829 Disk 0 trace - called modules:
    13:05:01.860 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
    13:05:01.860 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8002718600]
    13:05:01.938 3 CLASSPNP.SYS[fffff880010b143f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800226d060]
    13:05:03.638 AVAST engine scan C:\Windows
    13:05:05.042 AVAST engine scan C:\Windows\system32
    13:29:22.462 AVAST engine scan C:\Windows\system32\drivers
    13:29:40.230 AVAST engine scan C:\Users\melissa
    13:32:29.288 AVAST engine scan C:\ProgramData
    13:34:37.865 Scan finished successfully
    14:25:42.352 Disk 0 MBR has been saved successfully to "C:\Users\melissa\Desktop\MBR.dat"
    14:25:42.383 The log file has been saved successfully to "C:\Users\melissa\Desktop\aswMBR.txt"
    14:25:56.951 Disk 0 MBR has been saved successfully to "C:\Users\melissa\Desktop\MBR.dat"
    14:25:56.951 The log file has been saved successfully to "C:\Users\melissa\Desktop\aswMBR.txt"

  3. #13
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Hi,

    Outside of losing all your pictures, how are things running in general? When we're done I can link you to a Windows forum that may be able to help you get some of your files back.

  4. #14
    Junior Member
    Join Date
    Feb 2012
    Posts
    13

    Everything looks great. I tried show hidden files again after the last scan and they are all there except the ones labeled java files. I greatly appreciate all the time you have taken helping someone you do not know. I would love to learn how to help people like this one day.

  5. #15
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    FYI

    C:\Windows\svchost.exe: this file is legit if it was in the system32 folder, but where it is in the Windows folder it's a virus.

    You were infected with a TDL4, which is a variant of the TDSS rootkit, not nice.

    I would at this point advise you to change all your passwords for sites that you frequent, especially sites that you may shop at or do any online banking.

    Post back in a few days and let me know how it's going.

    Another FYI
    http://forums.whatthetech.com/index.php?showtopic=80368
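
Added example (not part of the thread and not written by either poster): the location check described in post #15, sketched in Python and extended beyond svchost.exe to a few other Windows system binaries. The expected-directory table, the extra binary names and the sample paths are assumptions made for illustration.

```python
import ntpath

# Assumption: a default Windows install rooted at C:\Windows. Only svchost.exe
# comes from the thread; the other names are added to generalize the check.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
EXPECTED_DIRS = {
    "svchost.exe": SYSTEM_DIRS,
    "lsass.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

def normalize(path):
    """Lower-case, strip quotes and NT path prefixes, collapse '..' segments."""
    path = path.strip().strip('"')
    for prefix in ("\\??\\", "\\\\?\\"):
        if path.startswith(prefix):
            path = path[len(prefix):]
    return ntpath.normpath(path).lower()

def check_image(path):
    """Return a finding string for a misplaced system binary, else None."""
    directory, name = ntpath.split(normalize(path))
    allowed = EXPECTED_DIRS.get(name)
    if allowed is None or directory in allowed:
        return None  # not a tracked name, or it sits where it should
    return f"{name} found in {directory} (expected {', '.join(sorted(allowed))})"

def audit(paths):
    """Map each suspicious image path (as given) to its finding."""
    findings = {}
    for p in paths:
        finding = check_image(p)
        if finding:
            findings[p] = finding
    return findings

# Constructed sample image paths; only the second one is taken from the thread.
SAMPLE = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\svchost.exe",
    r"\??\C:\WINDOWS\system32\lsass.exe",
    r"C:\Windows\System32\..\svchost.exe",   # '..' resolves to C:\Windows
    r"C:\Windows\explorer.exe",
    r"C:\Users\melissa\AppData\Local\Temp\notepad.exe",  # untracked name
]

if __name__ == "__main__":
    for path, finding in audit(SAMPLE).items():
        print(f"SUSPICIOUS {path}: {finding}")
```

A matching name in the right folder is not proof the file is clean; the check only catches the misplaced-copy case described in the post.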

  6. #16
    Junior Member
    Join Date
    Feb 2012
    Posts
    13

    Already changed them when I saw she had a problem. So am I clean then sir?

  7. #17
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    You look ok so far, but let's check for leftovers

    ESET Online Scanner
    I'd like us to scan your machine with ESET OnlineScan

    *Note
    It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



    1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    2. Click the button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      1. Click on to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the icon on your desktop.
    4. Check
    5. Click the button.
    6. Accept any security warnings from your browser.
    7. Check
    8. Make sure that the option "Remove found threats" is Unchecked
    9. Push the Start button.
    10. ESET will then download updates for itself, install itself, and begin
      scanning your computer. Please be patient as this can take some time.
    11. When the scan completes, push
    12. Push , and save the file to your desktop using a unique name, such as
      ESETScan. Include the contents of this report in your next reply.
    13. Push the button.
    14. Push
    Please make sure you include the following items in your next post:
    The log that was produced after running ESET Online Scanner.

  8. #18
    Junior Member
    Join Date
    Feb 2012
    Posts
    13

    C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip Win32/Bagle.gen.zip worm
    C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip Win32/Bagle.gen.zip worm
    C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip Win32/Bagle.gen.zip worm
    C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip Win32/Bagle.gen.zip worm
    C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric4.zip Win32/Bagle.gen.zip worm
    C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric5.zip Win32/Bagle.gen.zip worm
    C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric6.zip Win32/Bagle.gen.zip worm
    C:\TDSSKiller_Quarantine\14.02.2012_20.45.38\mbr0000\tdlfs0000\tsk0003.dta Win32/Olmarik.AWO trojan
    C:\TDSSKiller_Quarantine\14.02.2012_20.45.38\mbr0000\tdlfs0000\tsk0004.dta Win64/Olmarik.X trojan
    C:\TDSSKiller_Quarantine\14.02.2012_20.45.38\mbr0000\tdlfs0000\tsk0005.dta a variant of Win32/Rootkit.Kryptik.ID trojan
    C:\TDSSKiller_Quarantine\14.02.2012_20.45.38\mbr0000\tdlfs0000\tsk0006.dta Win64/Olmarik.AC trojan
    C:\TDSSKiller_Quarantine\14.02.2012_20.45.38\mbr0000\tdlfs0000\tsk0007.dta Win32/Olmarik.AWO trojan
    C:\TDSSKiller_Quarantine\14.02.2012_20.45.38\mbr0000\tdlfs0000\tsk0008.dta Win64/Olmarik.Z trojan
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip Win32/Bagle.gen.zip worm
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip Win32/Bagle.gen.zip worm
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip Win32/Bagle.gen.zip worm
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip Win32/Bagle.gen.zip worm
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric4.zip Win32/Bagle.gen.zip worm
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric5.zip Win32/Bagle.gen.zip worm
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric6.zip Win32/Bagle.gen.zip worm
    C:\Users\melissa\AppData\Local\Temp\ICReinstall\cnet_PandoraRecovery2_1_1Setup_exe.exe a variant of Win32/InstallCore.D application

  9. #19
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    All those files are in Quarantine from the programs we have run and are harmless where they're at.

    Open up Spybot and go to the recovery folder and delete it all

    Any other problems?

  10. #20
    Junior Member
    Join Date
    Feb 2012
    Posts
    13

    No other problems.
