1. tbag

    tbag Private E-2

    Hi, you have helped me with my problem computer and now I am hoping for help fixing my mother's computer. She has finderg in her internet search box. The normal Internet Explorer and Google are no longer there. She has now lost her desktop icons as well. She has Avira on her computer and that scan caught something... TR\Cosmu.avxp Trojan (I have it quarantined). Here are the logs that I could get. More to follow in next
     

    Attached Files:

  2. tbag

    tbag Private E-2

    ComboFix did not work properly and I cannot find the log. It certainly did not take as long as it should, although it claimed to be finished in a minute or two. I also cannot find the mglogs.zip. What should I do?
     

    Attached Files:

  3. thisisu

    thisisu Malware Consultant

    Please download OTL by Old Timer to your desktop.
    • See the download links under this icon.
    • Double-click OTL.exe to run (Vista and Win7 right click and select Run as administrator)
    • When the window appears, underneath Output at the top-right, make sure Standard Output is selected.
    • Select Scan All Users.
    • Check the boxes beside LOP Check and Purity Check.
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      explorer.exe
      nsiproxy.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      tdx.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemdrive%\MGtools\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\system\currentcontrolset\services\dhcp
      hklm\system\currentcontrolset\services\afd
      hklm\system\currentcontrolset\services\tdx
      hklm\system\currentcontrolset\services\tcpip
      hklm\system\currentcontrolset\services\nsiproxy
      hklm\software\microsoft\windows\currentversion\run
      hklm\software\microsoft\windows\currentversion\runonce
      
    • Now click the Run Scan button.
    • When the scan is complete, Notepad will open with the results of the OTL scan.
    • Close Notepad.
    • There will be two log files on your desktop entitled OTL.txt and Extras.txt.
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach items to your post)
     
  4. tbag

    tbag Private E-2

    Thanks... I somehow managed to get the MGlogs zip. Hope that is the right one.
     

    Attached Files:

  5. thisisu

    thisisu Malware Consultant

    Please download Unhide by Grinler to your desktop.
    Double-click unhide.exe to run it (Vista and Win7 right-click and select Run as administrator)

    Are the desktop icons restored?
    The rest of your logs look clean. Are you having any other issues besides the missing icons?
     
  6. tbag

    tbag Private E-2

    Still unable to see desktop icons. Other problem was that IE is not what it is supposed to be... Google search is gone, toolbars gone and it always opens to finderg.com.
     
  7. thisisu

    thisisu Malware Consultant

    I am not sure if it's malicious or not; it won't even load for me. I think it is related to eMule as that was recently installed (on the 4th), and there are traces of eMule in your logs too. But if you want to get rid of it, complete the below:

    Please download RogueKiller by Tigzy to your desktop.
    • See the download links under this icon.
    • Double-click RogueKiller.exe to run it. (Vista and Win7 right-click and select Run as Administrator)
    • When it opens, press the number 6 and press ENTER.
      Note: This can take a while, please be patient.
    • When finished, a report should appear.
    • Attach RKreport[1].txt to your next message. (How to attach items to your post)
      Note: It will be at whichever location you ran RogueKiller from. I asked that you put it on your desktop, so it should be there.
    • You can now type the number 0 and press ENTER to exit RogueKiller.

    Now we need to make use of OTL by Old Timer.
    • Double-click OTL.exe to run (Vista and Win7 right-click and select Run as administrator)
    • When OTL opens, copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      :otl
      IE - HKU\S-1-5-21-1734789778-497273847-975620610-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.finderg.com
      O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
      O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
      O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
      O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
      :files
      C:\Users\Norma\AppData\Local\eMule
      C:\ProgramData\eMule
      xcopy %temp%\smtmp\1 "%programdata%\start menu" /s /i /h /y /c
      xcopy %temp%\smtmp\2 "%appdata%\microsoft\internet explorer\quick launch" /s /i /h /y /c
      xcopy %temp%\smtmp\3 "%appdata%\microsoft\internet explorer\quick launch\user pinned\taskbar" /s /i /h /y /c
      xcopy %temp%\smtmp\4 "%programdata%\desktop" /s /i /h /y /c
      ipconfig /flushdns /c
      :commands
      [purity]
      [emptyjava]
      [emptyflash]
      [resethosts]
      
    • Now click the Run Fix button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • Click the OK button.
    • When complete, Notepad will open.
    • Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)

    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Note: This will automatically update all the logs inside MGlogs.zip

    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
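    The OTL fix script in this post removes three kinds of items: a hijacked Internet Explorer start page, RunOnce values whose target file no longer exists, and shortcuts that a rogue moved into %temp%\smtmp. Before running a fix of that kind it helps to confirm what is actually present. The PowerShell audit below is an added example and is not from this thread, from OTL or from MajorGeeks; it is read-only and reports the same three items. It assumes PowerShell 3.0 or later run elevated on the affected machine, and the key paths and the smtmp folder name are taken from the OTL script above.

```powershell
# Added example (not part of the thread or of OTL): read-only audit of the
# items the OTL fix script targets. Assumes PowerShell 3.0+, run elevated.

# The :otl line resets one user's IE "Start Page". Report the value for every
# loaded user hive so a second hijacked profile is not missed.
function Get-IeStartPage {
    Get-ChildItem 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object {
            $key  = "Registry::HKEY_USERS\$($_.PSChildName)\Software\Microsoft\Internet Explorer\Main"
            $main = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if ($main) {
                [PSCustomObject]@{ Sid = $_.PSChildName; StartPage = $main.'Start Page' }
            }
        }
}

# The O4 lines delete RunOnce values whose target file is gone. Walk Run and
# RunOnce in HKLM and in every loaded user hive and flag orphaned entries.
function Get-OrphanedAutorun {
    $keys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
              'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce')
    foreach ($sid in (Get-ChildItem 'Registry::HKEY_USERS').PSChildName) {
        $keys += "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Run"
        $keys += "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    }
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # skip PSPath, PSParentPath, ...
            $cmd = [string]$p.Value
            # Executable = quoted first token, else the first whitespace-delimited token.
            if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            if ([string]::IsNullOrEmpty($exe)) {
                $exists = $false
            } elseif ($exe -notmatch '[\\/]') {
                # Bare name such as rundll32.exe: resolve through PATH, not the CWD.
                $exists = [bool](Get-Command $exe -ErrorAction SilentlyContinue)
            } else {
                $exists = [bool](Test-Path -LiteralPath $exe)
            }
            [PSCustomObject]@{ Key = $key; Name = $p.Name; Command = $cmd; FileExists = $exists }
        }
    }
}

# The :files xcopy lines copy shortcuts back out of %temp%\smtmp\1..4. Report
# whether that stash exists and how many files each subfolder holds, without
# moving anything.
function Get-SmtmpStash {
    $stash = Join-Path $env:TEMP 'smtmp'
    if (-not (Test-Path -LiteralPath $stash)) { return $null }
    Get-ChildItem -LiteralPath $stash -Directory | ForEach-Object {
        [PSCustomObject]@{
            Folder = $_.FullName
            Files  = @(Get-ChildItem -LiteralPath $_.FullName -Recurse -Force -File).Count
        }
    }
}

Get-IeStartPage | Format-Table -AutoSize
Get-OrphanedAutorun | Where-Object { -not $_.FileExists } | Format-Table -AutoSize
Get-SmtmpStash | Format-Table -AutoSize
```

    An orphaned Run/RunOnce entry is not proof of infection (uninstallers leave them too), but a start page you did not set, a smtmp stash with hundreds of files, and orphaned entries appearing together is the pattern the fix above is written for. Because the audit changes nothing, it can also be re-run after the fix to confirm the items are gone.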
     
  8. tbag

    tbag Private E-2

    Hi, I will run these next week when I am back at this computer. I asked her if she had downloaded eMule and she said her company did, but it was a long time ago. I tried to uninstall it a few days ago. Also, I don't know if it is unrelated or not, but her printer stopped printing too and it says it can't connect. I will get back to you next week. No one is using the computer right now, so hopefully it is okay to wait. Thanks for everything so far.
     
  9. thisisu

    thisisu Malware Consultant

    Ok, thanks for the heads up.
     
  10. tbag

    tbag Private E-2

    Hope that's good. Will try mucking with the computer now to see how it is.
     

    Attached Files:

  11. tbag

    tbag Private E-2

    I just restarted... still no desktop icons. The finderg is gone from Internet Explorer and now it just goes to AOL. Need to find Google toolbar I guess.
     
  12. thisisu

    thisisu Malware Consultant

    Please download Windows Repair by Tweaking.com to your desktop.
    • See the download links under this icon.
    • Double-click tweaking.com_windows_repair_aio.zip and extract the Tweaking.com - Windows Repair folder to your desktop.
    • Now open this folder and double-click Repair_Windows.exe.
    • Click the Start Repairs tab on the far right.
    • Click Custom Mode so there is a bullet in it.
    • Click the Start button (bottom right)
      Note: When asked if you would like to create a restore point, it is recommended, just in case something does not go as planned.
    • Click Unselect All
    • Put a checkmark in the following items:
      • Unhide Non-System Files
      • Remove Policies Set By Infections
      Note: Leave everything else unchecked
    • Put a checkmark in Restart System When Finished
    • Now click the Start button (bottom right)
     
  13. tbag

    tbag Private E-2

    Still no desktop icons showing. Am I missing something simple???
     
  14. thisisu

    thisisu Malware Consultant

    Right mouse click the desktop (wallpaper) > View > Show Desktop Icons ??
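    Two different things produce an empty desktop: the Explorer "Show desktop icons" toggle that turned out to be the answer here, and files that an infection has marked Hidden, which is what the "Unhide Non-System Files" repair in the Windows Repair post above reverses. The PowerShell below is an added example, not from this thread, from Tweaking.com or from Unhide.exe; it checks the toggle first and then lists Hidden-but-not-System files in the user's visible folders, clearing the attribute only when -Fix is passed. It assumes PowerShell 3.0 or later on Vista/Win7 or newer, run as the affected user so HKCU is that user's hive. The HideIcons value is the Explorer setting behind View > Show desktop icons.

```powershell
# Added example (not from the thread, Windows Repair or Unhide): diagnose an
# empty desktop before unhiding anything. Assumes PowerShell 3.0+, run as the
# affected user.

# Check 1: the Explorer "Show desktop icons" toggle from the post above. It is
# stored in the HideIcons value under Explorer\Advanced (1 = icons hidden).
function Test-DesktopIconsHidden {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $v = (Get-ItemProperty -Path $key -Name HideIcons -ErrorAction SilentlyContinue).HideIcons
    return ($v -eq 1)
}

# Check 2: files in the folders the user actually sees (Desktop, Documents,
# Start Menu, plus the all-users Desktop and Start Menu) that carry Hidden but
# NOT System. desktop.ini and other Windows housekeeping files are Hidden+System
# and are left alone; a rogue that "hides everything" sets plain Hidden on
# ordinary files. AppData and ntuser.dat are legitimately Hidden, so the
# profile root is deliberately not scanned. -Fix clears the attribute.
function Get-HiddenUserFile {
    param(
        [string[]]$Folder = @(
            [Environment]::GetFolderPath('Desktop'),
            [Environment]::GetFolderPath('MyDocuments'),
            [Environment]::GetFolderPath('StartMenu'),
            [Environment]::GetFolderPath('CommonDesktopDirectory'),
            [Environment]::GetFolderPath('CommonStartMenu')
        ),
        [switch]$Fix
    )
    foreach ($f in $Folder) {
        if ([string]::IsNullOrEmpty($f) -or -not (Test-Path -LiteralPath $f)) { continue }
        Get-ChildItem -LiteralPath $f -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object {
                (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
                (($_.Attributes -band [IO.FileAttributes]::System) -eq 0)
            } |
            ForEach-Object {
                if ($Fix) {
                    # Clear only the Hidden bit; leave ReadOnly, Archive etc. as found.
                    $_.Attributes = $_.Attributes -band (-bnot [IO.FileAttributes]::Hidden)
                }
                $_.FullName
            }
    }
}

if (Test-DesktopIconsHidden) {
    'Desktop icons are switched off in Explorer (View > Show desktop icons); nothing needs unhiding for that.'
}
Get-HiddenUserFile | ForEach-Object { "hidden (non-system): $_" }
# To actually restore them after reviewing the list:  Get-HiddenUserFile -Fix
```

    Running the report without -Fix first matters: a long list of ordinary documents and shortcuts all marked Hidden points at a "hide everything" rogue, while an empty list together with HideIcons set to 1 is the case this thread ended on, where no file was ever touched.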
     
  15. tbag

    tbag Private E-2

    You are so brilliant!!! lol. All good now... what next?
     
  16. thisisu

    thisisu Malware Consultant

    :-D

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (this uninstall will only work as written if you installed ComboFix on your Desktop like we requested).
      • Click START, then RUN, enter the below into the run box and then click OK. Note the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program, which will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  17. tbag

    tbag Private E-2

    Thanks for all your help. The only problem I have now is when I try to run the Defogger to re-enable, it says that it cannot open the file in the error message. Anything I can do about that???
     
  18. thisisu

    thisisu Malware Consultant

    I don't even see defogger.exe in your logs.
    All I see is:
    I would redownload DeFogger and run it again.
     
  19. tbag

    tbag Private E-2

    I will try it again, although I just did it again and it didn't work. Maybe it never worked in the first place. I don't remember now. lol
     
