Need help removing a virus

I seem to have gotten a virus that is making all of my programs (Microsoft Office, All Adobe programs, pretty much everything) invisible. I can see the programs in the control panel but I cannot access the programs. I ran the standard malware removal from this site and I have the logs from combofix and mgtools attached. Please help.

 

Hi and welcome to Major Geeks, nmakara!

Please also attach the logs from running the scans with MalwareByte's Anti-Malware and SUPERAntiSpyware.

 

Ok. Here they are.

 

Hi,

I am not finding any malware in your logs and do not think this is a malware related problem.

Try this,

Locate the following file:

C:\Users\Nadia\Desktop\ewbtasks(1).xlsx

• Double-click it with your left-mouse clicker.
• What happens when you do this? Did Excel open up?
• If not, what error message did you receive?

Do the same thing with:

C:\Users\Nadia\Desktop\PLZT ceramic.pdf

• Does Adobe Reader open?
• If not, what error message did you receive?

 

Yes. Excel opens and Microsoft office opens.

My only issue is that the shortcuts from my start menu disappeared and accessing programs like Microsoft Word, Adobe photoshop, Autodesk, etc. are not opening via C:\Program Files.

I tried using unhide.exe but I don't have the %Temp%\smtmp folder to replace the files into the start menu.

All of this happened after I downloaded a plugin called Codec-C.exe to use a media player.

 

Correct, I can see this in your MGlogs as well.

I am reviewing some other threads with this "Codec C" malware. This appears to be something new.

There may be a different folder where the missing shortcuts are stored (other than %temp%\smtmp)

DO NOT run any type of temporary file cleaner.

I will post back when I have more information on how to resolve this.

I see Codec-C is still installed. Are you able to uninstall it via Programs and Features?

Let me know please

 

Here is something I would like you to try in the meantime. This may reveal where the new hiding location is for your shortcuts.

http://img707.imageshack.us/img707/6703/generalxpicon.gif Download SystemLook here: SystemLook (64-bit)

• Double-click SystemLook_x64.exe to run it.
• Copy and Paste the content of the following code box into the main text-field:

Code:

[COLOR="DarkRed"]:filefind[/COLOR]
*.lnk

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan and a file entitled SystemLook.txt will be created on your desktop.
• Attach that file to your next message. (How to attach)

 

Here is the result

 

I've got another search I'd like you to perform:

http://img707.imageshack.us/img707/6703/generalxpicon.gif Search using SystemLook_x64.exe.

• Double-click SystemLook_x64.exe to run it.
• Copy and Paste the content of the following code box into the main text-field:

Code:

[COLOR="DarkRed"]:dir[/COLOR]
C:\codec-info /s
C:\ProgramData\Premium /s
C:\ProgramData\Codec-C /s
C:\ProgramData\InstallMate /s
C:\Users\Nadia\AppData\Local\Temp /s
C:\Windows\TEMP /s
[COLOR="DarkRed"]:filefind[/COLOR]
*codec*
[COLOR="DarkRed"]:folderfind[/COLOR]
*office*
*adobe*
*word*
*codec*

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan and a file entitled SystemLook.txt will be created on your desktop.
• Attach that file to your next message. (How to attach)

 

Here it is. Btw, the Codec-C.exe refuses to uninstall...

 

What exactly happens when you try uninstall Codec-C?

I see the traces of Codec-C in your logs but removing them will not restore your shortcuts.

You can ignore the below, I'm just posting some information for my own reference.
_______________________________________________________________
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2EF17083-57D4-4D64-AE4F-55F32A2C4571}]
"DisplayName"="Codec-C"
"DisplayVersion"=""
"Publisher"="Codec-C"
"URLInfoAbout"="hxxp://allpremiumplay.info"
"DisplayIcon"="C:\\ProgramData\\Codec-C\\uninstall.exe"
"UninstallString"="C:\\ProgramData\\Codec-C\\uninstall.exe -path=C:\\ProgramData\\Codec-C"
"NoModify"=dword:00000001
"NoRepair"=dword:00000001

http://www.threatexpert.com/report.aspx?md5=4c07ef11be78914c5b76ebf285fec442

 

Nothing happens. The computer doesn't respond to me trying to run the uninstall.exe or to me uninstalling it via control panel. What could be the cause?

Besides that, did you figure out anything about my shortcuts?

 

I'm not sure. I did not have trouble uninstalling it.

Yes, unfortunately it looks like most of them are gone. At least the ones you mentioned (Adobe programs, office)

I can help you with removing all the traces of Codec-C but you will have to re-add the shortcuts on your own.

My next post will have instructions for removing Codec-C.

 

http://img194.imageshack.us/img194/4930/combofix.gif Fixing items using ComboFix
Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
If it is not on your desktop, the below will not work.
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Open Notepad and copy/paste the text in the below code box into Notepad:

Code:

[COLOR="DarkRed"]KillAll::[/COLOR]
[COLOR="DarkRed"]ClearJavaCache::[/COLOR]
[COLOR="DarkRed"]Collect::[/COLOR]
C:\ProgramData\Codec-C\background.html
C:\ProgramData\Codec-C\bhoclass.dll
C:\ProgramData\Codec-C\content.js
C:\ProgramData\Codec-C\hjakmojkcnhgipgkkbiempkfdndcnlah.crx
C:\ProgramData\Codec-C\settings.ini
C:\ProgramData\Codec-C\uninstall.exe
C:\ProgramData\Codec-C\data\content.js
C:\ProgramData\Codec-C\data\jsondb.js
C:\ProgramData\InstallMate\{B01A9061-55EF-4AEF-9983-6BD5B2D76491}\0.ini
C:\ProgramData\InstallMate\{B01A9061-55EF-4AEF-9983-6BD5B2D76491}\20120324005102.log
C:\ProgramData\InstallMate\{B01A9061-55EF-4AEF-9983-6BD5B2D76491}\20120324005322.log
C:\ProgramData\InstallMate\{B01A9061-55EF-4AEF-9983-6BD5B2D76491}\Setup.dat
C:\ProgramData\InstallMate\{B01A9061-55EF-4AEF-9983-6BD5B2D76491}\Setup.exe
C:\ProgramData\InstallMate\{B01A9061-55EF-4AEF-9983-6BD5B2D76491}\Setup.ico
C:\ProgramData\InstallMate\{B01A9061-55EF-4AEF-9983-6BD5B2D76491}\TsuDll.dll
C:\ProgramData\InstallMate\{B01A9061-55EF-4AEF-9983-6BD5B2D76491}\_Setupx.dll
C:\settings.ini
C:\Users\Nadia\AppData\Local\Temp\~nsu.tmp\Au_.exe
[COLOR="DarkRed"]File::[/COLOR]
C:\cybdefauth_i.log
C:\CybDefInstallInfo.log
C:\CybDefWebInstaller.log
[COLOR="DarkRed"]Folder::[/COLOR]
C:\Users\All Users\Codec-C
c:\programdata\Premium
c:\programdata\Codec-C
C:\codec-info
c:\programdata\InstallMate
[COLOR="DarkRed"]Registry::[/COLOR]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2EF17083-57D4-4D64-AE4F-55F32A2C4571}]
[-HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D5078155-A2FB-4961-B0FB-7F94B337F726}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D5078155-A2FB-4961-B0FB-7F94B337F726}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]

Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
http://softvisia.com/users/Night_Raven/Security/cfsdnd2.gif
This will launch ComboFix.
Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Allow ComboFix to update itself if prompted.
When ComboFix finishes, a log will be produced at C:\ComboFix.txt
Attach this log to your next message. (How to attach)

http://img17.imageshack.us/img17/3214/baticonvista7.gif Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

 

Here is the combofix log.

Also, how should I go about manually replacing the shortcuts to my start menu?

 

You skipped a step:

Do this so I can review the latest logs and I will be able to answer your question later today.

 

Sorry. Here it is.

 

Delete this file:

• C:\settings.ini

http://img189.imageshack.us/img189/2827/unhide.gif You may want to see if this helps: win7-x64-sm-reset.exe
It should restore the default start menu

__

For the rest of the shortcuts that were lost, you will have to manually readd by going through C:\Program Files (x86) and C:\Program Files to find and create shortcuts (Right mouse click the appropriate .exe that launches the application and choose "Create shortcut"), then cut/paste it to the desktop and/or C:\ProgramData\Start Menu\Programs.

Typically this folder is locked so you will have to grant permissions so you can access it.

You can use something like this if you are not comfortable doing it from Windows Properties -> Security tab.

http://img97.imageshack.us/img97/3342/grantperms.gif Please download GrantPerms64 by Farbar

Open GrantPerms64.zip and extract GrantPerms64.exe to your desktop.
Run GrantPerms.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
Copy the text in the code box below and paste it into the text-field available.

Code:

C:\ProgramData\Start Menu\Programs

Now click the "Unlock" button.
Click the "OK" button when you see "Unlock operation completed".
You should be able to open the folder now through explorer which should make it much easier to transfer the shortcuts of your choosing.

___

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis if it present
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work through the below link:
    • How to Protect yourself from malware!

Be safe

 

Thank you. I will try it and get back to you.

 

Ok, no problem