Scareware/files missing

Hello. I recently got scareware (I think data restore). I started my computer in safe mode and installed malwarebyte Anti-Malware to remove the problem—the scan results came up with 4 threats. I removed them rebooted my computer and I was surprised to see no icons or files on my computer. So I did a system restore and it brought them back, but the programs like music files are not in the folders (the display when you select show hidden files) . My computer has been slow and also, google redirects sometimes to other sites (I cleared cookies in Java, Internet Explorer and Firefox and I did a flush) . Any help would be appreciated in removing the problem and getting files back to normal.

I attached all logs,but ComboFix because it hangs at "Scanning for infected files..."

 

I am running Windows XP

 

Hi, OTHFan

From Add/Remove Programs (via Control Panel), please uninstall the below:

• Ask Toolbar
• Java(TM) 6 Update 21
• Java(TM) 6 Update 7

Are these tasks you created?

Please download RogueKiller by Tigzy to your desktop.

• See the download links under this icon:
• Double-click RogueKiller.exe to run it. (Vista and Win7 right-click and select Run as Administrator)
• When it opens, press the number 6 and press ENTER.
• A report should appear.
• Attach RKreport[1].txt to your next message. (How to attach items to your post)
  Note: It will be at whichever location you ran RogueKiller from. I asked that you put it on your desktop, so it should be there.
• You can now type the number 0 and press ENTER to exit RogueKiller.

Now we need to run TDSSKiller by Kaspersky
Follow the instructions here and attach your log when you are finished. (How to attach items to your post)


Please download MBRCheck by GeeksToGo to your desktop.
See the download links under this icon

• Double click MBRCheck.exe to run (Vista and Win7 right click and select Run as Administrator)
• It will show a Black screen with some information that will contain either the below line if no problem is found:
  • Done! Press ENTER to exit...
• Or you will see more information like below if a problem is found:
  • Found non-standard or infected MBR.
  • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
• Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
• MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
• Attach this log to your next message. (How to attach items to your post)

Please download OTL by Old Timer to your desktop.

• See the download links under this icon:
• Double-click OTL.exe to run (Vista and Win7 right-click and select Run as administrator)
• When OTL opens, copy the text in the code box below and paste it into the text-field.
  
  Code:

  [COLOR="DarkRed"]:processes[/COLOR]
  killallprocesses
  [COLOR="DarkRed"]:otl[/COLOR]
  [COLOR="DarkRed"]:services [/COLOR]
  [COLOR="DarkRed"]:files[/COLOR]
  C:\Documents and Settings\User-0\Local Settings\Application Data\2i873h68bh1v04b31ta2hhc25
  C:\Documents and Settings\User-0\Templates\2i873h68bh1v04b31ta2hhc25
  C:\Documents and Settings\User-0\Local Settings\Application Data\AskToolbar
  C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk
  C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjk
  C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjkr
  C:\$AVG
  C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job
  xcopy %temp%\smtmp\1 "%allusersprofile%\start menu" /s /i /h /y /c
  xcopy %temp%\smtmp\2 "%userprofile%\application data\microsoft\internet explorer\quick launch" /s /i /h /y /c
  xcopy %temp%\smtmp\3 "%appdata%\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar" /s /i /h /y /c
  xcopy %temp%\smtmp\4 "%allusersprofile%\desktop" /s /i /h /y /c
  [COLOR="DarkRed"]:reg[/COLOR]
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  "uTorrent"=-
  [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunOnce]
  "AvgUninstallURL"=-
  [HKEY_USERS\S-1-5-21-1844237615-412668190-725345543-1003\Software\Microsoft\Windows\CurrentVersion\run]
  "uTorrent"=-
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG9_TRAY]
  [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}]
  [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{C458CE28-F7D0-48EA-9D21-3D16394F13F0}]
  [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{C7576B9D-B442-46bc-AF74-080A9E723E01}]
  [COLOR="DarkRed"]:commands[/COLOR]
  [purity]
  [emptyjava]
  [emptyflash]
  [resethosts]
  

• Now click the button.
• OTL may ask to reboot the machine. Please do so if asked.
• Click the OK button.
• When complete, Notepad will open.
• Close Notepad.
• A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
• Attach this log to your next message. (How to attach items to your post)

Now install the current version of Sun Java from: Sun Java Runtime Environment

Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
Note: This will automatically update all the logs inside MGlogs.zip

LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS​

 

I forgot to mention this, but I need you to put your system in Normal Startup. Please read the instructions to do this: Use MSconfig to setup for Normal Startup Mode

Once you do the above, rerun C:\MGtools\GetLogs.bat and attach the new c:\MGlogs.zip

 

Thanks for your Help.
I have updated Java and I have attached all the logs. I used unhide.exe to get my files visible again. I have been also hearing random noises and commercials from my speakers at times, even when the internet is not open and no music is playing.

 

I need an answer for this question I asked.

They may be guilty for the random noises. I just want to check with you before I delete them.

 

I'm sorry, but I have no clue what they are.

 

Now we need to make use of OTL by Old Timer.

• Double-click OTL.exe to run (Vista and Win7 right-click and select Run as administrator)
• When OTL opens, copy the text in the code box below and paste it into the text-field.
  
  Code:

  [COLOR="DarkRed"]:files[/COLOR]
  C:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
  C:\WINDOWS\Tasks\ConfigExec.job
  C:\WINDOWS\Tasks\DataUpload.job
  [COLOR="DarkRed"]:commands[/COLOR]
  [purity]
  [emptytemp]
  [resethosts]
  

• Now click the button.
• OTL may ask to reboot the machine. Please do so if asked.
• Click the OK button.
• When complete, Notepad will open.
• Close Notepad.
• A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
• Attach this log to your next message. (How to attach items to your post)

Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
Notes:

• This will automatically update all the logs inside MGlogs.zip
• Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.

Let me know if how the PC is running after you have completed these steps.

 

Here are the logs

 

These logs look good. Are you experiencing any malware related problems?

 

Sorry it has take so long getting back to you, but I have been very busy. The computer is working great and no issues. Thanks again for your help.

 

It's not a problem... and I'm glad to hear the computer is operating well now :cool

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis if it present
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work through the below link:
    • How to Protect yourself from malware!