Bad Virus? Most Start Programs Empty & Missing Icons

We still need the following logs:
ComboFix
C:\MGLogs.zip --- From running the C:\MGTools.exe

 

Quite possibly it is due to not following the early instructions in the READ & RUN ME and also not following later instructions in the area of ComboFix and the other scanning tools.

The first instructions in the READ & RUN ME specified that you must not have multiple antivirus programs installed and you have both Avast and Microsoft Security Essentials installed. And later we stated that issues can arise with scanning tools including ComboFix and also sometimes MGtools if you do not disable protection software. You have all of your protection running when you ran MGtools and likely had them running when you tried to download ComboFix.

You must uninstall all but one antivirus, and in fact since you may have corrupted some things on your system by installing more than one, it would be best if you uninstall both of them now and then reboot. Do not reinstall yet. Then try to download and run ComboFix.


Also please attach the below log file since you appear to have run FixAttr.bat on your own.

C:\MGTools\FixAttr.txt

 

Oh and one more thing you need to run based on what I see in your logs to fix some broken file associations. Run the below by double clicking on it. It will run very quickly.

C:\MGtools\FixFa.bat


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below log:

• C:\MGlogs.zip

 

You're welcome.

Yes! You can read about it here: http://www.microsoft.com/security/pc-security/mse.aspx

And here: http://www.microsoft.com/security/resources/antivirus-whatis.aspx

It even warns you when installing it not to have another antivirus installed and it you have another one running, I believe it even tells you.

 

What are these and why are they in your documents:
C:\Documents and Settings\Jeff\My Documents\nhgfovgz.exe
C:\Documents and Settings\Jeff\My Documents\brt5f1mb.exe

If you don't know, delete them or add them to the file fix in combo.

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

File::
C:\Documents and Settings\Jeff\2gweorjqjutp92vjy9gake
C:\Documents and Settings\Jeff\Local Settings\Application Data\6lr8qybjn13oh6xyp8ivrd2x86m5wp
C:\Documents and Settings\Jeff\Local Settings\Application Data\{B367BC18-DC5D-4F83-B828-2EB6704AAD81}
C:\Documents and Settings\All Users\Application Data\6lr8qybjn13oh6xyp8ivrd2x86m5wp
C:\Documents and Settings\All Users\Application Data\cP28276DgFjE28276
C:\Documents and Settings\Jeff\Templates\6lr8qybjn13oh6xyp8ivrd2x86m5wp
C:\WINDOWS\Ifuxexuri.dat
C:\WINDOWS\Ibitoza.bin

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the previous file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run Ccleaner to clean out only temp files and nothing else! Make sure you clean out these folders:
C:\WINDOWS\Temp\
C:\Documents and Settings\Jeff\Local Settings\Temp\

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept ( yes twice ).

Then attach the below logs:

* C:\ComboFix.txt
* C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Did you run both of these that Chaslang asked you to run:
C:\MGtools\FixFa.bat
C:\MGTools\FixAttr.txt

I am not finding any other malware in your logs. But use windows explorer to find and delete:
C:\Documents and Settings\All Users\Application Data\cP28276DgFjE28276

If you are worried about your security, it might be best to restore using the partition drive. You would need to post in the software forum for advice on doing that.

The only thing I can suggest about the empty start programs is to right click each and choose properties. There you can re-enter the target for each. That is a real PITA, but if you have done the two fixes by Chaslang, it is all I can suggest. You can wait and see if Chaslang has some other suggestions when he logs in.

 

Tim meant FixAttr.bat for this second item to run. However we already know it was run because the FixAttr.txt log exists which we need to have attached.

But please do tell us whether you ran FixFA.bat

 

Yes it would not hurt.

You need to attach the requested FixAttr.txt log. Also I suggest re-running C:\MGtools\GetLogs.bat and attaching the new C:\MGlogs.zip file so we can see the effects of the FixFA.bat command.

 

Okay if you still have files/folders hidden, please download and save the below to your Desktop or anywhere else you can find it ( if the Desktop is not showing )

http://download.bleepingcomputer.com/grinler/unhide.exe

Then double click on the file to run it ( use right click and Run As Administrator if you are running Win 7 or Vista ).

 

It is unlikely you will be able to fix this easily. The only thing you may be able to do is reinstall various programs and create startup entries and program entries yourself since the problems caused by the malware cannot be fixed now since the shortcut were deleted. Unhide.exe would have restored them if possible.

You may want to try just creating a new user account, then login to the new user account. You may find that some items may appear in the new user account. The next alternative, would be as I said above, to reinstall all applications. Other alternative, reinstall Windows and all applications from scratch.

This is just from the desktop.ini file on your Desktop now.

 

Try doing this:

• Open Command Prompt. Click Start>Programs>Accessories>Command Prompt
• type the following command:
  • attrib -h ";C:\*.* /s /d
• Close Command Prompt by typing the following command:
  • exit

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept ( yes twice ).

Then attach the below logs:

* C:\MGlogs.zip

 

No, it didn't work. Let me do some more investigating and I will get back to you.

 

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  
  Code:

  :filefind
  [I]smtmp[/I] *
  

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

 

Please download RogueKiller.exe and save it to your desktop.

• Now quit all running programs.
• Double click RogueKiller.exe to run it.
• When prompted, type 1 and hit Enter.
• A RKreport.txt should appear on your desktop.
• Note: If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe .
• Please post the contents of the RKreport.txt in your next Reply.

 

After doing what Kestrel asked you to do, try creating a new user account ( with Admin. privileges ) and tell me if that account works.

 

[*]Double-click SystemLook.exe to run it.
[*]Copy the content of the following codebox into the main textfield:

Code:

:folderfind
smtmp*

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

 

The only other idea I can suggest is that you try to do a system restore to before this happened. Let me know if you are able to do that.