System Fix virus for Windows 7

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ChristinaJ, Dec 5, 2011.

  1. ChristinaJ

    ChristinaJ Private E-2

    I have completed all of the steps in the Read and Run me first thread and it seems to have gotten rid of the problem. I was just wondering if someone could maybe take a look at the logs or if you know of anything else I should do to make sure everything is gone off of my system.

    Thank you so much!
    Christina
     


  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, Christina!

    From Programs and Features (via Control Panel), please uninstall the below:
    • Coupon Printer for Windows <-- not recommended
    • Java(TM) 6 Update 29 <-- outdated

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    FireFox::
    FF - ProfilePath - c:\users\sams\AppData\Roaming\Mozilla\Firefox\Profiles\kbwsh8ki.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Swag Bucks Customized Web Search
    File::
    C:\mbam-setup-1.51.2.1300.exe
    C:\ProgramData\ndxFPUsQyDzBPn
    C:\ProgramData\~ndxFPUsQyDzBPn
    C:\ProgramData\~ndxFPUsQyDzBPnr
    C:\Users\sams\Local Settings\TEMP\2_m+Wgd5.rar.part
    Folder::
    C:\Users\sams\AppData\Local\{10EF8CB1-E4A1-461D-82FC-E89908A2F6B6}
    C:\Users\sams\AppData\Local\{192AC37B-1740-409F-A109-B3752A2E1F7F}
    C:\Users\sams\AppData\Local\{329044DA-8F1A-4063-8B99-99D453D5F174}
    C:\Users\sams\AppData\Local\{36CBB122-D6E6-4DF4-BD2B-97E1CAE42CCB}
    C:\Users\sams\AppData\Local\{381FD0C4-C157-4B48-B9ED-A6112A2A93D4}
    C:\Users\sams\AppData\Local\{48D4CCDE-DC24-491D-BFB5-2CE8544BECC0}
    C:\Users\sams\AppData\Local\{4947EFF2-EF70-412C-805D-F289CB95FF66}
    C:\Users\sams\AppData\Local\{534A8D39-8017-47F6-B7AD-986BD64428BF}
    C:\Users\sams\AppData\Local\{5CFB0C8F-D5B6-40E7-927A-4E43977D180E}
    C:\Users\sams\AppData\Local\{6055B42D-36C0-4FF4-A4AD-B5ED4ED52FCD}
    C:\Users\sams\AppData\Local\{80CD7065-059A-4C74-BCD0-9CDC4817B60A}
    C:\Users\sams\AppData\Local\{879487F1-FCA6-41CE-AD19-DFF3516DD8C7}
    C:\Users\sams\AppData\Local\{8A537EC7-7A17-4E4A-B774-E117B6D509EF}
    C:\Users\sams\AppData\Local\{927F980B-028A-4B91-8111-1D7CBDD26DA4}
    C:\Users\sams\AppData\Local\{93FCFCA0-484A-43DC-9880-2D19C4F45910}
    C:\Users\sams\AppData\Local\{978F6717-6A03-4EA6-967D-C989A0E8D546}
    C:\Users\sams\AppData\Local\{AA4EA6D7-224B-465E-AA81-3C73B1DAF750}
    C:\Users\sams\AppData\Local\{AC2437A9-FC0D-4DF3-8F3E-54D63C704700}
    C:\Users\sams\AppData\Local\{B7D3292F-DA68-4BB8-BFC3-E656A30307EA}
    C:\Users\sams\AppData\Local\{C21DF838-0F1B-4F80-ADAB-32CAE580C237}
    C:\Users\sams\AppData\Local\{C432EC8B-790F-4722-870F-978D8F40A96F}
    C:\Users\sams\AppData\Local\{C450737C-08A8-4E8F-A7F1-EE8794264D03}
    C:\Users\sams\AppData\Local\{C99EBAA0-C8B7-4D7F-AE93-AEE899D7315B}
    C:\Users\sams\AppData\Local\{CA46AE3F-E412-4913-974F-123FFF249A3E}
    C:\Users\sams\AppData\Local\{CAA2D03E-2291-4401-B3A5-3D9035BEB757}
    C:\Users\sams\AppData\Local\{E107830D-F7CA-4663-B830-26D98895353F}
    C:\Users\sams\AppData\Local\{E1D96F51-11E4-4D02-8102-E6E3AA39F6B8}
    C:\Users\sams\AppData\Local\{F5A19224-1080-4EBB-BB4E-B345C70CDEC2}
    C:\Users\sams\AppData\Local\{FAE5D64D-591E-4BBC-9A6D-547BD5C6671D}
    RegLock::
    [HKEY_USERS\S-1-5-21-4106557333-100675689-1316944410-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="WindowsLiveMail.Email.1"
    .
    [HKEY_USERS\S-1-5-21-4106557333-100675689-1316944410-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="WindowsLiveMail.VCard.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{7DE5D229-50D8-4086-9537-692699897B8B}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{7DE5D229-50D8-4086-9537-692699897B8B}]
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.txt on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    I want you to read and follow these instructions: TDSSKiller - How to run


    Please download MBRCheck by clicking here and save it to your desktop.

    • Double-click on the file to run it. (Vista/7 right-click and select Run as Administrator)
    • A window will open on your desktop.
    • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
    • If nothing unusual is found just press Enter.
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
    • Attach that file to your next message. (How to attach)

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Let me know if you are missing desktop/start menu/quick launch icons.
    Also let me know how the PC is running after you have run the above steps.
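Added example, not part of thisisu's instructions or of ComboFix itself: a PowerShell check to run after the ComboFix script above has finished, confirming that the files, folders, Firefox search preferences and SearchScopes keys the script targeted are actually gone. It assumes the same user profile (sams) and Firefox profile folder as in the script, and it generalises the Folder:: list by flagging any remaining {GUID}-named folder under AppData\Local rather than checking the 29 names one by one.

```powershell
# Post-cleanup verification for the CFScript in the post above (added example).
# Assumption: same user name and Firefox profile folder as in the script.
$User  = 'sams'
$Local = "C:\Users\$User\AppData\Local"
$Scope = '{7DE5D229-50D8-4086-9537-692699897B8B}'   # SearchScopes key removed by Registry::

$Findings = @()

# File:: section - none of these should exist any more
$Files = @(
    'C:\mbam-setup-1.51.2.1300.exe',
    'C:\ProgramData\ndxFPUsQyDzBPn',
    'C:\ProgramData\~ndxFPUsQyDzBPn',
    'C:\ProgramData\~ndxFPUsQyDzBPnr'
)
foreach ($f in $Files) {
    if (Test-Path -LiteralPath $f) { $Findings += "File still present: $f" }
}

# Folder:: section - every entry was a bare {GUID} folder directly under AppData\Local,
# so flag any such folder that remains instead of listing each name
$GuidRegex = '^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$'   # -match is case-insensitive
$Dirs = Get-ChildItem -LiteralPath $Local -Directory -ErrorAction SilentlyContinue
foreach ($d in $Dirs) {
    if ($d.Name -match $GuidRegex) { $Findings += "GUID folder still present: $($d.FullName)" }
}

# Registry:: section - the two SearchScopes keys the script deletes (leading '-')
$Keys = @(
    "HKLM:\Software\Microsoft\Internet Explorer\SearchScopes\$Scope",
    "HKCU:\Software\Microsoft\Internet Explorer\SearchScopes\$Scope"
)
foreach ($k in $Keys) {
    if (Test-Path -LiteralPath $k) { $Findings += "Registry key still present: $k" }
}

# FireFox:: section - prefs.js should no longer point search at conduit.com / Swag Bucks
$Prefs = "C:\Users\$User\AppData\Roaming\Mozilla\Firefox\Profiles\kbwsh8ki.default\prefs.js"
if (Test-Path -LiteralPath $Prefs) {
    $Hits = Select-String -LiteralPath $Prefs -Pattern 'search\.conduit\.com|Swag Bucks'
    foreach ($h in $Hits) { $Findings += "prefs.js still references hijacked search: $($h.Line)" }
}

if ($Findings.Count -eq 0) { 'All items from the CFScript are gone.' } else { $Findings }
```

Run it from an elevated PowerShell prompt so the HKLM key and ProgramData paths are readable; any line it prints is an item worth mentioning in the next reply.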
     
  3. ChristinaJ

    ChristinaJ Private E-2

    Hi! Thanks for the welcome and the help! As far as I can tell it is working normally except for the programs that are normally on the left side of the start menu are missing. I'm attaching a pic of that as well as the logs you requested.
     


  4. ChristinaJ

    ChristinaJ Private E-2

    And here is the start menu.
     


  5. thisisu

    thisisu Malware Consultant

    This may fix it.

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    DeQuarantine::
    C:\QooBox\Quarantine\C\Users\sams\AppData\Local\Temp\smtmp
    Quit::
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.txt on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\DeQuarantine.txt
    Attach this log to your next message. (How to attach)

    Please download RogueKiller by Tigzy to your desktop.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the number "6" and press ENTER.
    When it is finished -- Notepad will open with the report and the log is saved to your desktop.
    Attach RKreport[1].txt to your next message. (How to attach)
    You can now type the number "0" and press ENTER to exit RogueKiller.
     
