HDD scanner, missing icons

Discussion in 'Malware Help (A Specialist Will Reply)' started by CButterfly, Oct 24, 2012.

  1. CButterfly

    CButterfly Private E-2

    My computer's desktop image disappeared, was replaced with a default black screen. Also, a warning window pops up on startup saying I'm experiencing hard drive issues. Several files/folders with most of the start menu programs are missing and all icons on the desktop were hidden except the recycle bin. Something disallowed some programs running, brought up lots of popups and prompted me to run their scan and sign up for a key to purchase the "protection" product. Suspecting this was malware, I ran the Read and Run Me scans.

    This first happened approx 3 weeks ago while surfing the internet on the admin account with internet explorer and I don't believe I have an active AV or firewall (not the smartest thing, I know...). The site I was on didn't look shady, I was on it for maybe half an hour before I turned away, came back and the IE browser looked like it had crashed, restarted and attempted to reopen my tabs, but failed. On top of the restarted IE was the HDD warning!/scan message with several dozens of related, identical error messages that cascaded covering the screen. The cascading would reappear a short time after being closed even if all were closed.


    All tools were run in Safe mode.
    Ran MgTools twice because I wasn't sure if it crashed the first time.

    Cannot find TDSS log, but I remember the scan couldn't find anything.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:


      [RUN][SUSP PATH] HKCU\[...]\Run : nqJmDLLyhpVVQC.exe (C:\ProgramData\nqJmDLLyhpVVQC.exe) -> FOUND
      [RUN][SUSP PATH] HKCU\[...]\Run : VyITa0RLcQIVtP (C:\ProgramData\VyITa0RLcQIVtP.exe) -> FOUND
      [RUN][SUSP PATH] HKUS\S-1-5-21-2588888559-1651204999-2671971923-1000[...]\Run : nqJmDLLyhpVVQC.exe (C:\ProgramData\nqJmDLLyhpVVQC.exe) -> FOUND
      [RUN][SUSP PATH] HKUS\S-1-5-21-2588888559-1651204999-2671971923-1000[...]\Run : VyITa0RLcQIVtP (C:\ProgramData\VyITa0RLcQIVtP.exe) -> FOUND
      [TASK][SUSP PATH] {75FDFDB2-8FBD-423E-939E-0B232C13F3D2} : C:\Windows\System32\pcalua.exe -a C:\Users\Jazlyn\AppData\Local\Temp\Temp1_ATMF_V1.0.902.4263_SETUP_whqled[1].zip\ATMF_V1.0.902.4263_SETUP_whqled.exe -> FOUND
      [HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
      [HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
      [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
      [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
      [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyComputer (0) -> FOUND
      [HJ SMENU] HKCU\[...]\Advanced : Start_ShowSearch (0) -> FOUND
      [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyDocs (0) -> FOUND
      [HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
      [HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
      [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
      [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
      [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
      [HJ SMENU] HKCU\[...]\Advanced : Start_ShowControlPanel (0) -> FOUND
      [HJ SMENU] HKCU\[...]\Advanced : Start_ShowHelp (0) -> FOUND
      [HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
      [HJ SMENU] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND
      [HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
      [HJ SMENU] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
      [HJ DESK] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
      [HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
      [HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
      [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
      [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Do not reboot your computer yet.

    Now re-run Hitman and have it fix what it finds.

    After a reboot, re-scan with both RogueKiller and Hitman and attach those logs as well.

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Attach the new C:\MGLogs.zip
     
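As an added example (not part of the thread, and not RogueKiller's own code), a read-only PowerShell audit of the registry locations that appear abbreviated as `[...]` in the log above: UAC settings, the Task Manager policy, the hidden Start menu and desktop entries, and Run entries launching from ProgramData or a Temp folder. It only reports; it changes nothing, and the full key paths are the standard Windows locations for those values.

```powershell
# Added example: report the registry changes typical of this rogue "HDD scanner".
$findings = @()

function Get-RegValue($Path, $Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name } else { return $null }
}

# 1. UAC weakened: EnableLUA / ConsentPromptBehaviorAdmin set to 0 (as in the log)
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($n in 'EnableLUA', 'ConsentPromptBehaviorAdmin') {
    if ((Get-RegValue $sys $n) -eq 0) { $findings += "UAC weakened: $n = 0" }
}

# 2. Task Manager disabled by policy in either hive
foreach ($hive in 'HKCU:', 'HKLM:') {
    $p = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    if ($null -ne (Get-RegValue $p 'DisableTaskMgr')) { $findings += "DisableTaskMgr present under $hive" }
}

# 3. Start menu entries hidden (Start_Show* values forced to 0)
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$advProps = Get-ItemProperty -Path $adv -ErrorAction SilentlyContinue
if ($advProps) {
    $advProps.PSObject.Properties | Where-Object { $_.Name -like 'Start_*' -and $_.Value -eq 0 } |
        ForEach-Object { $findings += "Start menu item hidden: $($_.Name) = 0" }
}

# 4. Desktop icons hidden: HideDesktopIcons CLSID values set to 1 (both hives, both subkeys)
foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($sub in 'ClassicStartMenu', 'NewStartPanel') {
        $p = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\$sub"
        $props = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        if ($props) {
            $props.PSObject.Properties | Where-Object { $_.Name -like '{*}' -and $_.Value -eq 1 } |
                ForEach-Object { $findings += "Desktop icon hidden ($hive $sub): $($_.Name)" }
        }
    }
}

# 5. Per-user Run entries whose command lives in ProgramData or a Temp folder
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runProps = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
if ($runProps) {
    $runProps.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Value -match '\\ProgramData\\|\\Temp\\' } |
        ForEach-Object { $findings += "Run entry from suspicious path: $($_.Name) -> $($_.Value)" }
}

if ($findings.Count -eq 0) { 'No rogue-style registry changes found.' } else { $findings }
```

Run it from an elevated PowerShell prompt on the affected machine before and after the cleanup steps above to confirm the values have been restored.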
