Another Windows XP Recovery attack

msff4u

New member
I too have encountered the dreaded “Windows XP Recovery” virus.
I worked most of yesterday, till 4am this morning, trying to recover from this.
During my futile effort, I have run the following programs:
1. Roguefix
2. Avira AntiVir
3. Malwarebytes Anti-Malware
4. Super AntiSpyware
5. Spybot
I have been able to regain my desktop (I think), however, when trying to access programs from the start menu, most say “empty”.
Not really sure I have completely eliminated this virus.

Additional problems found include:
- Internet Explorer will flash once then not open; if I start it “without add-ons” it will come up and display “Internet Explorer is currently running without add-ons”.
There is a bar at the top of the screen showing “click here to manage add-ons”.
If I click on the “home page” button, IE will bring up my homepage (Google).
If I “x” the above bar, once I go to another page, the bar will show up again.

Additional steps taken include running “unhide” – was able to see some of my files.
Reran again, little to no improvement.
Did receive a “'PEV' is not recognized as an internal or external command, operable program or batch file” message.
Then received the “Finished” box and selected OK.

During the troubleshooting of this, I noticed that you requested that a copy of the DDS log file be included; see below.

I have also run ERUNT, as stated in the “before you post” area.

I have also included the log file from Spybot; see below. Note, this is the 2nd run of Spybot.
.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Frank at 12:55:06 on 2011-05-30
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3067.2153 [GMT -4:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: VirusScan Enterprise + AntiSpyware Enterprise *Enabled/Outdated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
============= FINISH: 12:56:37.48 ===============


Spybot report below:

--- Report generated: 2011-05-30 11:48 ---


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---


Forgot on original post to attach the attach.zip file.
Sorry.....it's been a long day :sick:
 
First read this guide about combofix, on another computer if you have to:
Guide to using Combofix. We will use it later.

Next: Download rkill.com to the compromised machine.
Double click it and let it run. It only terminates certain processes, it doesn't remove them, so don't reboot yet.

"Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step."


Download combofix to your desktop and run it. Post the log in your reply. If it gives you problems you can try running it in safe mode. To reach safe mode you would tap the F8 key during a computer restart, choose the first option from the list: Safe Mode, and log into your usual account. Once at the safe mode desktop, run combofix. Post the log.

See how that goes. Let me know what you were able to do or not do. I won't be back on line for 18 or so hours. Good luck.
 
Shelf Life,
First, thanks for helping me out with this. Sure will be glad to get this fixed and get back on line.
First off, downloaded and ran RKill with no ill effects.
Next, downloaded and tried to run Combofix.
Initially tried to run this from normal log in on desktop. The program started but it hung.
I then tried to perform a normal reboot, however, it would not reboot. I then performed a "hard" boot. The computer came back up, I went into Safe Mode.
I then tried to run ComboFix again, this time I got a blue screen.
Again, I had to perform a "hard" boot. When the computer came back up, I went into "Safe" mode again.
This time I was able to get ComboFix to run to completion. The only problem that was encountered this time was that I could not access the internet, thus ComboFix was not able to download the "Recovery Console".
I did not have any additional problems after completion.
I have attached the ComboFix.txt file as directed.
Again, thanks for all your help and time with my problem.
 
hi

ok good. Check malwarebytes for updates and do a scan with it. We will also get another download to use:

Please download TDSS Killer.exe and save it to your desktop

Double click to launch the utility. On Vista and Windows 7, right click and "run as admin..". After it initializes click the start scan button.

"The utility will automatically select an action (Cure or Delete) for known malicious objects. A suspicious object will be skipped by default."


If an infected file is detected, the default action will be Cure, click on Continue.

If a suspicious file is detected, the default action will be Skip, click on Continue.

It may ask you to reboot the computer to complete the process. Click on Reboot Now.

If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.

A report can also be found in your root drive, Local Disk (C:), as TDSSKiller.2.4.12.0_02.01.2011_17.32.21_log.txt (name, version, date, time, log.txt)

Please post the log report
 
Thanks for the reply, just got home and have to be back in at 5:30 am. Will run these programs when I get home tomorrow.
 
Well, here we go,
First off, I cannot access my wireless network; each time I try, the connection manager shows "firewalled". I have even turned Windows Firewall off, still no luck. Guess I still have a problem.
I did run Malwarebytes; I was not able to update the database. Even though it was 10 days old, it did find 3 viruses.
I have attached the log file.
I then rebooted and ran TDSSKiller; it found another virus. Selected continue and then rebooted.
The log file from that is also attached. Sorry, but I had to zip it to get it to upload. It was 56k and I could only upload a 48k file.
Just a couple of OBTWs: I still think that something is lurking around. When I select any program from the start menu, it still shows "empty".
My desktop looks normal, but it does not seem quite right.
Anyways, we are making progress, so I really do appreciate all of your help.
Look forward to seeing what needs to be done next.
Thanks.....
 
ok thanks for the info. TDSSKiller removed a rootkit.
If you right click on Start, choose Explore, click on the Windows folder, then the System32 folder. Then find cmd.exe in the files listed to the right and double click it.
In the shell window that opens at the cursor type in:

ipconfig /all > C:\results.txt

You will find the results.txt log in your root drive C:
Please post the log.

If you have a router and a modem you can try this: turning the modem off, also the router, wait 30 seconds or so then turn the modem back on, then the router. While they power back up restart your computer.

connection manager shows "firewalled"
Is Windows managing the wireless connection or do you have third-party software installed? If it's third party you would see an icon by the clock you could click on to get info and details.

The start menu is most likely a leftover from the scareware, which we will try to fix.
 
Here is the IPConfig log.
I still can not connect wirelessly, I can connect if I plug into the modem.
Not sure if that helps or not.
I am using the Intel PROSet/Wireless connection manager. I cannot see it in the program listing.
Again, thanks for all your help
 
Are you able to see the items from the start panel? If so, Start > Control Panel > Network Connections. Double click the network connection icon, and on the wireless icon right click and make sure it's "enabled" and not disabled.
 
Was able to get my connection working last night after I posted.
I wanted to see if I could get on the net at all, so I plugged into the modem and was able to make a "hardwire" connection.
Once I knew I could connect, I then went to control panel->add/remove programs->[selected] Intel Proset->then selected repair.
I was then able to make a wireless connection. I then rebooted to see if there would be any change; there was not. Seems to have fixed that problem.:bigthumb:
Still have the issue of nothing showing up on the start menu once you hover on a program, i.e. [All Programs]->[Windows Live]->[empty] :confused:
Thanks for all of your help with this.....you are my HERO.....:crowned:
 
NO. Still showing EMPTY whenever I select something.
The only things that are showing are the items that I have just recently done. Such as Malwarebytes. Items such as Microsoft still show empty when I hover over them.:sick:
 
Do you have two AVs installed, McAfee and Avast? You only need one AV per machine; two is not better in this case. If so, you should remove one via the Add/Remove Programs panel.
So the only things that show in the start panel are ones you recently used?
It looks like the attached screenshot?
 
You are correct, my start panel looks like what you sent.
I have removed Avast; do I need to turn the auto scan features of Malwarebytes & Spybot off?
I have also included a screen shot (screen shot.zip) of my start menu and also of the add/remove screen. Thought that might help.
Again, thanks for all the help........
 