WiredWX Hobby Weather Tools

Windows Recovery Virus!!! Help needed to remove

I was just on the internet and this thing came up and started scanning my computer. And then I noticed all my desktop icons were gone and all my files were gone. Help!!! What do I do now?? How can I get it back to how it was?

OTL logfile created on: 5/22/2011 11:45:07 AM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\James\Downloads
Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 68.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 224.74 Gb Total Space | 170.66 Gb Free Space | 75.93% Space Free | Partition Type: NTFS

Computer Name: JAMES-PC | User Name: James | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/22 11:44:34 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\James\Downloads\OTL.com
PRC - [2011/05/07 01:27:39 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/11/20 08:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010/11/20 08:17:09 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010/11/20 08:16:54 | 000,100,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\audiodg.exe


========== Modules (SafeList) ==========

MOD - [2011/05/22 11:44:34 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\James\Downloads\OTL.com
MOD - [2010/11/20 07:55:09 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/05/17 16:50:01 | 000,403,240 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/10/21 15:16:50 | 004,093,392 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\Windows\System32\GameMon.des -- (npggsvc)
SRV - [2010/07/31 02:37:42 | 001,343,400 | ---- | M] () [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2009/07/13 21:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 21:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 21:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - [2010/11/21 01:12:44 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2010/11/20 08:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\vmbus.sys -- (vmbus)
DRV - [2010/11/20 08:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010/11/20 08:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\storvsc.sys -- (storvsc)
DRV - [2010/11/20 06:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 06:21:14 | 000,015,872 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV - [2010/11/20 05:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010/11/20 05:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\vms3cap.sys -- (s3cap)
DRV - [2010/08/16 10:26:29 | 006,637,056 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETwLv32.sys -- (NETwLv32) Intel(R)
DRV - [2010/05/31 14:58:33 | 006,638,080 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw5v32.sys -- (netw5v32) Intel(R)
DRV - [2009/07/13 19:45:33 | 000,083,456 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\serial.sys -- (Serial)
DRV - [2009/07/13 18:02:53 | 000,311,296 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\yk62x86.sys -- (yukonw7)
DRV - [2007/08/03 05:36:10 | 000,009,344 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SFEP.sys -- (SFEP)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=Z007&form=ZGAPHP
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 7F 7A 2E 15 46 30 CB 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..keyword.URL: "http://www.bing.com/search?pc=Z007&form=ZGAADF&q="

FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/07 01:27:42 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/07 01:27:42 | 000,000,000 | ---D | M]

[2010/07/30 20:08:55 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\James\AppData\Roaming\Mozilla\Extensions
[2011/05/07 01:27:45 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\z4dfk4n4.default\extensions
[2011/04/03 15:24:31 | 000,001,919 | -H-- | M] () -- C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\z4dfk4n4.default\searchplugins\bing-zugo.xml
[2011/04/18 16:18:45 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/30 23:41:22 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
File not found (No name found) --
[2011/05/07 01:27:39 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2010/07/30 23:41:06 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2011/05/07 01:27:41 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2009/06/10 17:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O4 - HKCU..\Run: [kJoCBjsHlcALP] C:\ProgramData\kJoCBjsHlcALP.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: pps.tv ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: ppstream.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: webscache.com ([]http in Trusted sites)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\WgaLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/22 11:09:25 | 000,000,000 | -H-D | C] -- C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 Recovery
[2011/05/22 11:09:01 | 000,338,432 | -H-- | C] (Microsoft Corporation) -- C:\ProgramData\24502008.exe
[2011/05/22 11:03:51 | 000,411,136 | -H-- | C] (Microsoft Corporation) -- C:\ProgramData\kJoCBjsHlcALP.exe
[2011/05/16 16:09:02 | 000,404,640 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2011/05/10 20:15:21 | 003,967,872 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2011/05/10 20:15:21 | 000,123,904 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\poqexec.exe
[2011/05/10 20:15:20 | 003,912,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2011/05/01 18:29:00 | 000,000,000 | -H-D | C] -- C:\Users\Public\Documents\Blizzard Entertainment
[2011/04/29 23:23:10 | 000,000,000 | ---D | C] -- C:\Users\James\AppData\Local\ElevatedDiagnostics
[2011/04/26 19:02:40 | 000,000,000 | -H-D | C] -- C:\Program Files\World of Warcraft
[2011/04/26 19:02:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\World of Warcraft
[2011/04/19 00:25:04 | 001,654,869 | ---- | C] (Dynu Systems Inc.) -- C:\ProgramData\DynuEncrypt.dll
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/22 11:27:11 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/05/22 11:27:07 | 2408,390,656 | -HS- | M] () -- C:\hiberfil.sys
[2011/05/22 11:09:27 | 000,000,144 | -H-- | M] () -- C:\ProgramData\~24502008r
[2011/05/22 11:09:27 | 000,000,120 | -H-- | M] () -- C:\ProgramData\~24502008
[2011/05/22 11:09:25 | 000,000,635 | -H-- | M] () -- C:\Users\James\Desktop\Windows 7 Recovery.lnk
[2011/05/22 11:09:03 | 000,000,344 | -H-- | M] () -- C:\ProgramData\24502008
[2011/05/22 11:09:01 | 000,338,432 | -H-- | M] (Microsoft Corporation) -- C:\ProgramData\24502008.exe
[2011/05/22 11:06:06 | 000,116,224 | ---- | M] () -- C:\Windows\System32\drivers\3622D08.sys
[2011/05/22 11:05:54 | 000,116,224 | ---- | M] () -- C:\Windows\System32\drivers\211FF05.sys
[2011/05/22 11:03:51 | 000,411,136 | -H-- | M] (Microsoft Corporation) -- C:\ProgramData\kJoCBjsHlcALP.exe
[2011/05/16 16:09:02 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2011/05/16 07:10:57 | 000,022,864 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/05/16 07:10:56 | 000,022,864 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/05/07 01:27:49 | 000,002,002 | -H-- | M] () -- C:\Users\James\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/04/26 23:22:53 | 000,632,946 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/04/26 23:22:53 | 000,110,548 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/22 11:09:27 | 000,000,144 | -H-- | C] () -- C:\ProgramData\~24502008r
[2011/05/22 11:09:27 | 000,000,120 | -H-- | C] () -- C:\ProgramData\~24502008
[2011/05/22 11:09:25 | 000,000,635 | -H-- | C] () -- C:\Users\James\Desktop\Windows 7 Recovery.lnk
[2011/05/22 11:09:03 | 000,000,344 | -H-- | C] () -- C:\ProgramData\24502008
[2011/05/22 11:06:06 | 000,116,224 | ---- | C] () -- C:\Windows\System32\drivers\3622D08.sys
[2011/05/22 11:05:54 | 000,116,224 | ---- | C] () -- C:\Windows\System32\drivers\211FF05.sys
[2011/04/18 16:09:34 | 000,000,375 | -H-- | C] () -- C:\Program Files\U_LUNIA_setup.exe.bfi
[2011/02/22 23:34:11 | 000,080,896 | ---- | C] () -- C:\Windows\System32\RDVGHelper.exe
[2011/02/22 23:33:01 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2011/02/18 22:17:24 | 000,018,760 | ---- | C] () -- C:\Windows\System32\QQVistaHelper.dll
[2011/02/14 17:05:55 | 001,481,728 | ---- | C] () -- C:\Windows\System32\LegitCheckControl.dll
[2011/02/14 17:05:51 | 000,414,208 | ---- | C] () -- C:\Windows\System32\WgaTray.exe
[2011/02/14 17:05:51 | 000,190,976 | ---- | C] () -- C:\Windows\System32\WgaLogon.dll
[2010/11/21 01:21:47 | 000,055,149 | ---- | C] () -- C:\Windows\War3Unin.dat
[2010/11/15 00:22:19 | 000,000,268 | -H-- | C] () -- C:\Program Files\data3.cab.bfi
[2010/11/15 00:22:15 | 000,000,186 | -H-- | C] () -- C:\Program Files\setup.inx.bfi
[2010/11/15 00:22:12 | 000,000,186 | -H-- | C] () -- C:\Program Files\setup.ini.bfi
[2010/11/15 00:22:09 | 000,000,187 | -H-- | C] () -- C:\Program Files\layout.bin.bfi
[2010/11/15 00:22:05 | 000,000,188 | -H-- | C] () -- C:\Program Files\ISSetup.dll.bfi
[2010/11/15 00:22:01 | 000,000,186 | -H-- | C] () -- C:\Program Files\data1.hdr.bfi
[2010/11/15 00:21:56 | 000,000,186 | -H-- | C] () -- C:\Program Files\data1.cab.bfi
[2010/11/15 00:21:52 | 000,000,187 | -H-- | C] () -- C:\Program Files\_Setup.dll.bfi
[2010/11/14 19:53:22 | 000,000,279 | -H-- | C] () -- C:\Program Files\data2.cab.bfi
[2010/11/14 19:53:08 | 000,000,186 | -H-- | C] () -- C:\Program Files\setup.exe.bfi
[2010/10/24 23:02:34 | 000,000,093 | -H-- | C] () -- C:\Users\James\AppData\Local\fusioncache.dat
[2010/09/01 14:43:09 | 000,886,272 | -H-- | C] () -- C:\Users\James\AppData\Roaming\System.Data.SQLite.DLL
[2010/09/01 14:43:06 | 000,141,207 | -H-- | C] () -- C:\Users\James\AppData\Roaming\3ulxy7893UL.exe
[2009/09/23 19:16:08 | 002,050,952 | ---- | C] () -- C:\Windows\System32\igkrng400.bin
[2009/07/14 00:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/14 00:33:53 | 000,266,808 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/07/13 22:05:48 | 000,632,946 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2009/07/13 22:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2009/07/13 22:05:48 | 000,110,548 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2009/07/13 22:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2009/07/13 22:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2009/07/13 22:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2009/07/13 19:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 19:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/07/08 21:03:02 | 000,058,880 | ---- | C] () -- C:\Windows\System32\bdmpegv.dll
[2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

========== Files - Unicode (All) ==========
[2011/02/18 23:28:09 | 000,000,000 | -H-D | M](C:\Users\James\AppData\Roaming\????) -- C:\Users\James\AppData\Roaming\腾讯游戏
[2011/02/18 23:28:09 | 000,000,000 | -H-D | M](C:\Users\James\AppData\Roaming\????) -- C:\Users\James\AppData\Roaming\腾讯游戏
(C:\Users\James\AppData\Roaming\????) -- C:\Users\James\AppData\Roaming\腾讯游戏

========== Alternate Data Streams ==========

@Alternate Data Stream - 117 bytes -> C:\ProgramData\TEMP:2B11E0DF

< End of report >

Last edited by zhengs on 22nd May 2011, 11:30 pm; edited 2 times in total
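A triage pass over the OTL entries above, as an added example that is not part of the original thread and not code from OTL itself: it parses the `O4` autorun line and the `[date | size | attrs | C/M] (company) -- path` file entries, scores each against a few heuristics a removal helper applies by eye (hidden executables under ProgramData, "Microsoft Corporation" version info on files outside the Windows directories, digit-only or case-scrambled file names, kernel drivers with no vendor), and lists the entries that cross a threshold. The sample lines are copied from the log above plus one benign Flash entry for contrast; the scoring weights and the threshold are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample lines copied from the OTL log above, plus one benign entry (the Flash
# control panel applet) for contrast.  Scoring weights and threshold below are
# this example's own assumptions, not anything OTL computes.
SAMPLE_LINES = [
    r"O4 - HKCU..\Run: [kJoCBjsHlcALP] C:\ProgramData\kJoCBjsHlcALP.exe (Microsoft Corporation)",
    r"[2011/05/22 11:09:01 | 000,338,432 | -H-- | C] (Microsoft Corporation) -- C:\ProgramData\24502008.exe",
    r"[2011/05/22 11:06:06 | 000,116,224 | ---- | M] () -- C:\Windows\System32\drivers\3622D08.sys",
    r"[2011/05/16 16:09:02 | 000,404,640 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl",
]

# "[date time | size | attrs | C/M] (company) -- path"
FILE_RE = re.compile(
    r"^\[[\d/]+ [\d:]+ \| [\d,]+ \| (?P<attrs>[-A-Z]{4}) \| [MC]\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
# "O4 - HKCU..\Run: [name] path (company)"
RUN_RE = re.compile(
    r"^O4 - [A-Z]+\.\.\\Run: \[[^\]]+\] (?P<path>.+?)(?: \((?P<company>[^)]*)\))?$"
)
EXEC_EXT = {".exe", ".dll", ".sys", ".cpl", ".scr"}
THRESHOLD = 3  # assumed cut-off; tune against known-clean logs


@dataclass
class Entry:
    path: str
    company: str
    hidden: bool = False
    autorun: bool = False
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Turn one OTL line into an Entry, or None for lines this triage ignores."""
    m = RUN_RE.match(line)
    if m:
        return Entry(path=m["path"], company=m["company"] or "", autorun=True)
    m = FILE_RE.match(line)
    if m:
        return Entry(path=m["path"], company=m["company"], hidden="H" in m["attrs"])
    return None


def split_name(path: str):
    name = path.rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    return (stem, "." + ext.lower()) if dot else (name, "")


def looks_generated(stem: str) -> bool:
    """Hex/digit-only names, or names whose letter case flips constantly."""
    if re.fullmatch(r"[0-9A-Fa-f]{6,}", stem):
        return True
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 6:
        return False
    flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    return flips / len(letters) >= 0.45


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return p.startswith("c:\\programdata\\") or "\\appdata\\" in p


def under_os_dirs(path: str) -> bool:
    p = path.lower()
    return p.startswith("c:\\windows\\") or p.startswith("c:\\program files")


def score_entry(e: Entry) -> Entry:
    stem, ext = split_name(e.path)
    is_exec = ext in EXEC_EXT

    def hit(points: int, why: str) -> None:
        e.score += points
        e.reasons.append(why)

    if e.autorun and in_user_writable(e.path):
        hit(3, "autorun entry launching from a user-writable location")
    if is_exec and e.hidden:
        hit(2, "executable carries the hidden attribute")
    if is_exec and in_user_writable(e.path):
        hit(2, "executable dropped directly under ProgramData/AppData")
    if e.company.lower().startswith("microsoft") and not under_os_dirs(e.path):
        hit(2, "claims Microsoft as vendor but lives outside Windows/Program Files")
    if looks_generated(stem):
        hit(2, "file name looks machine-generated")
    if ext == ".sys" and not e.company:
        hit(1, "kernel driver with no vendor information")
    return e


def triage(lines: List[str]) -> List[Entry]:
    """Parse and score OTL lines; return entries at or above THRESHOLD, highest first."""
    scored = [score_entry(e) for e in map(parse_line, lines) if e is not None]
    flagged = [e for e in scored if e.score >= THRESHOLD]
    return sorted(flagged, key=lambda e: -e.score)


if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        print(f"{e.score:2d}  {e.path}")
        for why in e.reasons:
            print(f"      - {why}")
```

Run against the sample lines it flags kJoCBjsHlcALP.exe, 24502008.exe and 3622D08.sys, which are three of the files Malwarebytes quarantines later in this thread, and leaves the Flash applet alone. Heuristics of this kind are a first filter, not a verdict: a hit still needs confirmation (hash lookup, signature check, vendor match) before anything is removed.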

Re: Windows Recovery Virus!!! Help needed to remove

Hi,

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log

Re: Windows Recovery Virus!!! Help needed to remove

I already used it, but it was a full scan.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6641

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

5/22/2011 1:56:57 PM
mbam-log-2011-05-22 (13-56-57).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 224282
Time elapsed: 39 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kJoCBjsHlcALP (Trojan.FakeMS.Gen) -> Value: kJoCBjsHlcALP -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\programdata\kjocbjshlcalp.exe (Trojan.FakeMS.Gen) -> Quarantined and deleted successfully.
c:\Windows\System32\drivers\211FF05.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\Windows\System32\drivers\3622D08.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\Windows\System32\spool\prtprocs\w32x86\4452CF6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\System32\spool\prtprocs\w32x86\445FEF4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\James\AppData\Local\Temp\0.33437767520489514.exe (Trojan.FakeMS.Gen) -> Quarantined and deleted successfully.
c:\Users\James\AppData\Local\Temp\tmp2B80.tmp (Trojan.FakeMS.Gen) -> Quarantined and deleted successfully.
c:\Users\James\AppData\Local\Temp\tmp419F.tmp (Trojan.FakeMS.Gen) -> Quarantined and deleted successfully.
c:\Users\James\AppData\Local\Temp\tmpFEC6.tmp (Trojan.FakeMS.Gen) -> Quarantined and deleted successfully.
c:\Users\James\AppData\LocalLow\Sun\Java\deployment\cache\6.0\30\50704d9e-1d75b647 (Trojan.FakeMS.Gen) -> Quarantined and deleted successfully.
c:\Users\James\AppData\LocalLow\Sun\Java\deployment\cache\6.0\30\50704d9e-6aa7732c (Trojan.FakeMS.Gen) -> Quarantined and deleted successfully.
c:\programdata\24502008.exe (Rogue.WindowsRecoveryConsole) -> Quarantined and deleted successfully.

Re: Windows Recovery Virus!!! Help needed to remove

Only some desktop icons appeared back, but they are not totally visible. Also, the files and folders on my computer aren't totally visible. I have a lot of files I didn't have before on my computer.

Re: Windows Recovery Virus!!! Help needed to remove

Hi,


  • Please download and run UnHide.exe by Grinler.
  • Double-click unhide.exe to run the program.
  • After running it, your files should reappear. Please let us know the result.

Re: Windows Recovery Virus!!! Help needed to remove

My desktop icons are all back to normal. I don't know, but I have a lot of files and folders on my local disk that I didn't have before the virus got to my computer. My local disk is filled with all kinds of folders and files; some that appeared are ones I deleted a long time ago? So I'm guessing they came from the virus? Also, why is there a lock on the folder called Documents and Settings? And it won't let me open the folder. For some reason, my internet seems to be much slower too. Whenever I search something on Google, it takes me to a different link. Then the link will always ask me if I want to install something that I didn't click anything to install.

Re: Windows Recovery Virus!!! Help needed to remove

Hi,

Let's see what this picks up

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com


Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Re: Windows Recovery Virus!!! Help needed to remove

Just finished scan. I'm very tired, so I'm going to do this tomorrow. Just reply back and tell me what to do. And I'll do it tomorrow. Thanks!

ComboFix 11-05-21.03 - James 05/22/2011 23:44:07.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3062.1690 [GMT -4:00]
Running from: c:\users\James\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\CFLog
c:\users\James\AppData\Local\TempDIR
c:\users\James\AppData\Roaming\3ulxy7893UL.exe
c:\users\James\AppData\Roaming\FFSJ
c:\users\James\AppData\Roaming\FFSJ\FFSJ.cfg
.
.
((((((((((((((((((((((((( Files Created from 2011-04-23 to 2011-05-23 )))))))))))))))))))))))))))))))
.
.
2011-05-22 22:29 . 2011-05-22 22:29 -------- d-----w- c:\programdata\PC Tools
2011-05-16 20:09 . 2011-05-16 20:09 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-11 00:15 . 2011-04-09 06:02 3967872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-05-11 00:15 . 2011-04-09 05:56 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-05-11 00:15 . 2011-04-09 06:02 3912576 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-05-07 05:27 . 2011-05-07 05:27 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-05-07 05:27 . 2011-05-07 05:27 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-05-07 05:27 . 2011-05-07 05:27 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-05-07 05:27 . 2011-05-07 05:27 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-05-07 05:27 . 2011-05-07 05:27 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-05-07 05:27 . 2011-05-07 05:27 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-05-07 05:27 . 2011-05-07 05:27 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-05-07 05:27 . 2011-05-07 05:27 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-04-30 03:23 . 2011-04-30 03:23 -------- d-----w- c:\users\James\AppData\Local\ElevatedDiagnostics
2011-04-26 23:02 . 2011-05-22 23:36 -------- d-----w- c:\program files\World of Warcraft
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-11 05:33 . 2011-04-12 20:09 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-11 05:33 . 2011-04-12 20:09 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-03-08 05:28 . 2011-04-12 20:08 741376 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 05:38 . 2011-04-12 20:08 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-03-03 05:36 . 2011-04-12 20:08 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-03-03 03:42 . 2011-04-12 20:08 2333184 ----a-w- c:\windows\system32\win32k.sys
2011-02-23 04:48 . 2011-04-12 20:08 311808 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-23 04:48 . 2011-04-12 20:08 310272 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-02-23 04:47 . 2011-04-12 20:08 114176 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-02-23 04:47 . 2011-04-12 20:08 223232 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-02-23 04:47 . 2011-04-12 20:08 96768 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-02-23 04:47 . 2011-04-12 20:08 123904 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-23 04:47 . 2011-04-12 20:08 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-02-23 04:26 . 2011-02-23 03:33 811520 ----a-w- c:\windows\system32\user32.dll
2011-02-23 03:41 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-05-07 05:27 . 2011-05-07 05:27 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
.
[-] 2011-02-23 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7601.17514] . . c:\windows\System32\user32.dll
[7] 2010-11-20 . F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 . 811520 . . [6.1.7601.17514] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKLM\~\startupfolder\C:^Users^James^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^CurseClientStartup.ccip]
path=c:\users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip
backup=c:\windows\pss\CurseClientStartup.ccip.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-09-23 23:30 173592 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-09-23 23:30 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-12-20 23:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2010-12-20 23:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-09-23 23:30 150552 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-11-18 00:40 1242448 ----a-w- c:\program files\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 GGSAFERDriver;GGSAFER Driver;c:\program files\Garena\safedrv.sys [x]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2010-05-31 6638080]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2010-10-21 4093392]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;WatAdminSvc;c:\windows\system32\Wat\WatAdminSvc.exe [2010-07-31 1343400]
R3 XDva379;XDva379;c:\windows\system32\XDva379.sys [x]
R3 XDva380;XDva380;c:\windows\system32\XDva380.sys [x]
R3 XDva383;XDva383;c:\windows\system32\XDva383.sys [x]
R3 XDva384;XDva384;c:\windows\system32\XDva384.sys [x]
R3 XDva385;XDva385;c:\windows\system32\XDva385.sys [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-11-21 691696]
S3 NETwLv32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETwLv32.sys [2010-08-16 6637056]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [2007-08-03 9344]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]
.
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=Z007&form=ZGAPHP
Trusted Zone: pps.tv
Trusted Zone: ppstream.com
Trusted Zone: webscache.com
FF - ProfilePath - c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\z4dfk4n4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z007&form=ZGAADF&q=
.
- - - - ORPHANS REMOVED - - - -
.
Notify-WgaLogon - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-05-22 23:50:06
ComboFix-quarantined-files.txt 2011-05-23 03:50
.
Pre-Run: 182,745,776,128 bytes free
Post-Run: 182,437,625,856 bytes free
.
- - End Of File - - 04572B8B5B84C92A0130551006822D5E

Re: Windows Recovery Virus!!! Help needed to remove
Hi,

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    FCopy::
    c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll | c:\windows\System32\user32.dll
  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    [image: Cfscriptb4 - dragging CFScript.txt onto ComboFix.exe]

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.
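As an added verification step, not part of the thread and not something ComboFix produces: a PowerShell snippet that checks the result of the FCopy:: line by comparing the restored System32\user32.dll against the WinSxS reference copy named in the script, and reporting its Authenticode status. It assumes PowerShell 4.0 or later (for Get-FileHash; WMF 4.0 can be installed on Windows 7 SP1), and the function name Test-RestoredSystemFile is hypothetical.

```powershell
# Added example (not from the thread or ComboFix): confirm that the live
# user32.dll now matches the WinSxS reference copy that FCopy:: restored.
# Assumes PowerShell 4.0+ for Get-FileHash. Paths are the two from the CFScript.
$winsxs = 'C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll'
$live   = 'C:\Windows\System32\user32.dll'

function Test-RestoredSystemFile {
    # Hypothetical helper: compares SHA-256 of the reference and live files and
    # reads the embedded Authenticode signature of the live file.
    param(
        [Parameter(Mandatory)] [string] $ReferencePath,
        [Parameter(Mandatory)] [string] $LivePath
    )
    foreach ($p in $ReferencePath, $LivePath) {
        if (-not (Test-Path -LiteralPath $p)) { throw "Missing file: $p" }
    }
    $refHash  = (Get-FileHash -LiteralPath $ReferencePath -Algorithm SHA256).Hash
    $liveHash = (Get-FileHash -LiteralPath $LivePath      -Algorithm SHA256).Hash
    $sig      = Get-AuthenticodeSignature -FilePath $LivePath

    [pscustomobject]@{
        HashesMatch     = ($refHash -eq $liveHash)
        SignatureStatus = $sig.Status          # Valid / NotSigned / HashMismatch ...
        Signer          = $sig.SignerCertificate.Subject
        LiveSHA256      = $liveHash
    }
}

$result = Test-RestoredSystemFile -ReferencePath $winsxs -LivePath $live
$result | Format-List

# The hash comparison is the primary check: a mismatch means the copy did not
# take, or the file was modified again after the copy.
if (-not $result.HashesMatch) {
    Write-Warning 'System32\user32.dll still differs from the WinSxS copy.'
}
# Caveat: most Windows OS binaries are catalog-signed rather than carrying an
# embedded signature, so NotSigned here is not proof of tampering on its own;
# use sigverif.exe (catalog-aware) to confirm, and treat HashMismatch as a red flag.
if ($result.SignatureStatus -eq 'HashMismatch') {
    Write-Warning 'Embedded signature does not match the file contents.'
}
```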

Re: Windows Recovery Virus!!! Help needed to remove
I'm sorry for taking so long. I was busy today, but did what you told me to do.

10:14 PM 5/23/2011
ComboFix 11-05-23.02 - James 05/23/2011 16:08:49.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3062.2204 [GMT -4:00]
Running from: c:\users\James\Downloads\ComboFix.exe
Command switches used :: c:\users\James\Downloads\CFScript.txt
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll --> c:\windows\System32\user32.dll
.
((((((((((((((((((((((((( Files Created from 2011-04-23 to 2011-05-23 )))))))))))))))))))))))))))))))
.
.
2011-05-23 20:12 . 2011-05-23 20:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-23 03:50 . 2011-05-23 20:12 -------- d-----w- c:\users\James\AppData\Local\temp
2011-05-22 22:29 . 2011-05-22 22:29 -------- d-----w- c:\programdata\PC Tools
2011-05-16 20:09 . 2011-05-16 20:09 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-11 00:15 . 2011-04-09 06:02 3967872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-05-11 00:15 . 2011-04-09 05:56 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-05-11 00:15 . 2011-04-09 06:02 3912576 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-05-07 05:27 . 2011-05-07 05:27 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-05-07 05:27 . 2011-05-07 05:27 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-05-07 05:27 . 2011-05-07 05:27 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-05-07 05:27 . 2011-05-07 05:27 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-05-07 05:27 . 2011-05-07 05:27 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-05-07 05:27 . 2011-05-07 05:27 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-05-07 05:27 . 2011-05-07 05:27 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-05-07 05:27 . 2011-05-07 05:27 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-04-30 03:23 . 2011-04-30 03:23 -------- d-----w- c:\users\James\AppData\Local\ElevatedDiagnostics
2011-04-26 23:02 . 2011-05-22 23:36 -------- d-----w- c:\program files\World of Warcraft
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-11 05:33 . 2011-04-12 20:09 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-11 05:33 . 2011-04-12 20:09 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-03-08 05:28 . 2011-04-12 20:08 741376 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 05:38 . 2011-04-12 20:08 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-03-03 05:36 . 2011-04-12 20:08 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-03-03 03:42 . 2011-04-12 20:08 2333184 ----a-w- c:\windows\system32\win32k.sys
2011-02-23 04:48 . 2011-04-12 20:08 311808 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-23 04:48 . 2011-04-12 20:08 310272 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-02-23 04:47 . 2011-04-12 20:08 114176 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-02-23 04:47 . 2011-04-12 20:08 223232 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-02-23 04:47 . 2011-04-12 20:08 96768 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-02-23 04:47 . 2011-04-12 20:08 123904 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-23 04:47 . 2011-04-12 20:08 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-02-23 03:41 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-05-07 05:27 . 2011-05-07 05:27 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKLM\~\startupfolder\C:^Users^James^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^CurseClientStartup.ccip]
path=c:\users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip
backup=c:\windows\pss\CurseClientStartup.ccip.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-09-23 23:30 173592 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-09-23 23:30 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-12-20 23:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2010-12-20 23:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-09-23 23:30 150552 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-11-18 00:40 1242448 ----a-w- c:\program files\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 GGSAFERDriver;GGSAFER Driver;c:\program files\Garena\safedrv.sys [x]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2010-05-31 6638080]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2010-10-21 4093392]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;WatAdminSvc;c:\windows\system32\Wat\WatAdminSvc.exe [2010-07-31 1343400]
R3 XDva379;XDva379;c:\windows\system32\XDva379.sys [x]
R3 XDva380;XDva380;c:\windows\system32\XDva380.sys [x]
R3 XDva383;XDva383;c:\windows\system32\XDva383.sys [x]
R3 XDva384;XDva384;c:\windows\system32\XDva384.sys [x]
R3 XDva385;XDva385;c:\windows\system32\XDva385.sys [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-11-21 691696]
S3 NETwLv32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETwLv32.sys [2010-08-16 6637056]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [2007-08-03 9344]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]
.
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=Z007&form=ZGAPHP
Trusted Zone: pps.tv
Trusted Zone: ppstream.com
Trusted Zone: webscache.com
FF - ProfilePath - c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\z4dfk4n4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z007&form=ZGAADF&q=
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-05-23 16:14:06
ComboFix-quarantined-files.txt 2011-05-23 20:14
ComboFix2.txt 2011-05-23 03:50
.
Pre-Run: 182,595,346,432 bytes free
Post-Run: 182,553,120,768 bytes free
.
- - End Of File - - 521666C6278B3F27898BD9E1FF013FA4

Re: Windows Recovery Virus!!! Help needed to remove
Hi,

How are things running now?

Re: Windows Recovery Virus!!! Help needed to remove
Nothing changed, still the same problems listed above.

Re: Windows Recovery Virus!!! Help needed to remove
Hi,

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log

Re: Windows Recovery Virus!!! Help needed to remove
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6665

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

5/24/2011 4:06:42 PM
mbam-log-2011-05-24 (16-06-42).txt

Scan type: Quick scan
Objects scanned: 141339
Time elapsed: 3 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: Windows Recovery Virus!!! Help needed to remove
The virus might have gone away. The problem is that my computer is filled with junk that I maybe deleted a long time ago and it came back? Junk like folders, files, and many other things on the computer, making it really slow. I believe the virus caused this and that some folders I can't access. It says location is not available, access is denied.
