windows xp trojan/hijacker

Discussion in 'Malware Help (A Specialist Will Reply)' started by henriksonj, Jul 23, 2012.

  1. henriksonj

    henriksonj Private E-2

    I've got a Win XP machine that picked up a nasty trojan/hijacker today. It was hijacking the browser and not allowing access to Windows Explorer. I've run the programs in the sticky, and Malwarebytes found and deleted some problem files. The machine is still acting up, so I thought I would post the log files and ask for your kind help.
    Many thanks.
    John H.
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    • Double click on RogueKiller.exe to start this utility and then wait for the Prescan to complete.
    • Next we will need to restore your shortcuts, so click on the ShortcutsFix button and allow the program to run.
    • Windows XP : Click on the Start button and then select Control Panel. When the Control Panel opens, please click on the Display icon. From this screen you can now change your Theme and desktop background.
    • If you are using Windows XP, go to My Computer → Tools tab → select Folder Options.
    • In the new window that appeared select the View tab and choose the option Show hidden files, folders, and drives, then click Apply and OK.
    • This rogue software has moved your shortcuts into a folder in the Temporary Internet files called smtmp, so now we will need to copy them back to their original locations.
    • Windows XP users can find the smtmp folder in: C:\DOCUMENTS AND SETTINGS\[Your Username]\LOCAL SETTINGS\Temp
    • The smtmp folder will contain 4 folders and you'll need to copy the content of these folders back to their original locations.


    These are the files and folders/shortcuts etc you need to restore:

    Code:
    The C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp folder exists
    Show all files in C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp

    d-----w                 0 2012-07-24 00:21:58  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1
    d-----w                 0 2012-07-24 01:14:36  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs
    d-----w                 0 2012-07-24 01:14:36  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories
    d-----w                 0 2012-07-24 00:22:24  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Acronis
    d-----w                 0 2012-07-24 00:22:28  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Action Replay DSi Code Manager
    d-----w                 0 2012-07-24 00:22:36  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Administrative Tools
    ----a-w               796 2011-08-21 02:03:59  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Adobe Download Assistant.lnk
    ----a-w             2,347 2012-04-25 18:20:21  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Adobe Reader X.lnk
    d-----w                 0 2012-07-24 00:22:38  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\AnvSoft
    d-----w                 0 2012-07-24 00:22:41  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\APC
    ----a-w             1,830 2008-09-02 21:43:30  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Apple Software Update.lnk
    ----a-w               735 2010-11-14 18:48:41  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Audacity 1.3 Beta (Unicode).lnk
    d-----w                 0 2012-07-24 00:22:42  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\AviSynth 2.5
    d-----w                 0 2012-07-24 00:22:42  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\BitTorrent
    d-----w                 0 2012-07-24 00:22:42  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Blender Foundation
    d-----w                 0 2012-07-24 00:22:44  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Brother
    ----a-w             1,585 2012-02-06 21:41:23  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\Remote Desktop Connection.lnk
    d-----w                 0 2012-07-24 01:14:36  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\Roxio
    ----a-w               710 2012-03-20 01:16:56  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\Scanner and Camera Wizard.lnk
    d-----w                 0 2012-07-24 01:14:36  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\System Tools
    ----a-w               790 2011-07-20 22:32:59  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\Windows Movie Maker.lnk
    d-----w                 0 2012-07-24 00:22:19  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\Windows PowerShell
    ----a-w               879 2011-07-20 22:28:50  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\WordPad.lnk
    d-----w                 0 2012-07-24 00:22:24  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\WordPerfect Office 12
    d-----w                 0 2012-07-24 00:22:06  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\Roxio\DLA
    ----a-w               744 2006-09-01 11:24:41  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\Roxio\DLA\DLA Help.lnk
    ----a-w             1,521 2012-02-06 21:41:23  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\System Tools\Character Map.lnk
    --sha-w               703 2011-07-20 22:34:55  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\System Tools\desktop.ini
    ----a-w             1,532 2012-02-06 21:41:23  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\System Tools\Disk Cleanup.lnk
    ----a-w             1,572 2012-02-06 21:41:23  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\System Tools\Disk Defragmenter.lnk
    ----a-w             1,591 2012-02-06 21:41:23  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\System Tools\Files and Settings Transfer Wizard.lnk
    d-----w                 0 2012-07-24 00:22:09  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\System Tools\Modem Helper
    d-----w                 0 2012-07-24 00:22:10  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\System Tools\NETGEAR WG111v2 Adapter
    d-----w                 0 2012-07-24 00:22:11  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\System Tools\NetWaiting
    ----a-w             1,753 2012-02-06 21:41:23  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\System Tools\Scheduled Tasks.lnk
    ----a-w             1,070 2011-07-20 22:32:55  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\System Tools\System Information.lnk
    ----a-w             1,616 2012-02-06 21:41:23  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\System Tools\System Restore.lnk
    d-----w                 0 2012-07-24 00:22:16  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\System Tools\UltimateZip 2.7
    ----a-w             1,835 2006-07-09 18:39:59  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\System Tools\Windows Defender.lnk
    ----a-w             1,421 2006-04-26 14:15:03  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\System Tools\Modem Helper\Modem Helper.lnk
    ----a-w             1,665 2006-04-29 15:03:04  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\System Tools\NETGEAR WG111v2 Adapter\NETGEAR WG111v2 Smart Wizard.lnk
    ----a-w             1,947 2006-04-29 15:03:28  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\System Tools\NETGEAR WG111v2 Adapter\Uninstall NETGEAR WG111v2 Smart Wizard.lnk
    ----a-w               469 2006-04-26 14:15:17  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\System Tools\NetWaiting\NetWaiting Help.lnk
    ----a-w             1,576 2006-07-04 15:46:33  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\System Tools\NetWaiting\NetWaiting.lnk
    ----a-w               667 2006-05-05 11:31:32  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\System Tools\UltimateZip 2.7\ReadMe.txt.lnk
    ----a-w               667 2006-05-05 11:31:32  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\System Tools\UltimateZip 2.7\UltimateZip Help.lnk
    ----a-w               667 2006-05-05 11:31:32  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\System Tools\UltimateZip 2.7\UltimateZip Quick Start.lnk
    ----a-w               660 2006-05-05 11:31:32  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\System Tools\UltimateZip 2.7\UltimateZip Self-Extractor.lnk
    ----a-w               655 2006-05-05 11:31:32  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\System Tools\UltimateZip 2.7\UltimateZip.lnk
    ----a-w               679 2006-05-05 11:31:32  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\System Tools\UltimateZip 2.7\Uninstall UltimateZip 2.7.lnk
    ----a-w                50 2002-09-27 06:50:46  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\System Tools\UltimateZip 2.7\Visit UltimateZip's Web Site.url
    ----a-w             2,011 2012-02-06 21:41:23  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk
    ----a-w             2,081 2012-02-06 21:41:23  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
    ----a-w             2,449 2006-09-27 21:29:32  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\WordPerfect Office 12\Clipbook.lnk
    ----a-w             2,433 2007-05-05 22:55:20  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\WordPerfect Office 12\PerfectExpert.lnk
    ----a-w             2,429 2006-08-19 18:44:53  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\WordPerfect Office 12\Quattro Pro.lnk
    d-----w                 0 2012-07-24 00:22:23  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\WordPerfect Office 12\Technical Support
    ----a-w             2,447 2006-11-10 17:11:14  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\WordPerfect Office 12\WordPerfect.lnk
    ----a-w             2,495 2006-08-19 18:43:20  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\WordPerfect Office 12\Technical Support\CARM Organizer.lnk
    ----a-w             2,673 2006-06-08 12:25:37  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\WordPerfect Office 12\Technical Support\Product Registration.lnk
    ----a-w             1,970 2006-04-26 14:19:37  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\WordPerfect Office 12\Technical Support\Technical Support Help.lnk
    ----a-w             2,525 2006-06-17 17:49:11  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\WordPerfect Office 12\Technical Support\Technical Support Online.lnk
    ----a-w             2,541 2006-05-14 02:10:23  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories\WordPerfect Office 12\Technical Support\User Manual (.PDF).lnk
    d-----w                 0 2012-07-24 00:22:24  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Acronis\Acronis True Image
    ----a-w               904 2012-01-23 00:25:35  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Acronis\Acronis True Image\Acronis True Image WD*Edition.lnk
    ----a-w             1,157 2012-01-23 00:23:37  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Acronis\Acronis True Image\Bootable Media Builder.lnk
    ----a-w               899 2009-11-25 22:38:32  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Action Replay DSi Code Manager\Action Replay DSi Code Manager.lnk
    ----a-w               812 2009-11-25 22:38:32  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Action Replay DSi Code Manager\Readme.lnk
    ----a-w               824 2009-11-25 22:38:33  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Action Replay DSi Code Manager\Uninstall.lnk
    ----a-w             1,582 2011-07-20 22:30:33  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Administrative Tools\Component Services.lnk
    ----a-w             1,602 2012-02-06 21:41:23  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Administrative Tools\Computer Management.lnk
    ----a-w             1,596 2012-02-06 21:41:23  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Administrative Tools\Data Sources (ODBC).lnk
    --sha-w               476 2011-07-20 22:34:55  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Administrative Tools\desktop.ini
    ----a-w             1,592 2012-02-06 21:41:23  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Administrative Tools\Event Viewer.lnk
    ----a-w             1,011 2004-08-10 18:10:00  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Administrative Tools\Microsoft .NET Framework 1.1 Configuration.lnk
    ----a-w             1,062 2004-08-10 18:10:00  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Administrative Tools\Microsoft .NET Framework 1.1 Wizards.lnk
    ----a-w             1,591 2012-02-06 21:41:23  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Administrative Tools\Performance.lnk
    ----a-w             1,602 2012-02-06 21:41:24  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Administrative Tools\Services.lnk
    d-----w                 0 2012-07-24 00:22:40  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\AnvSoft\Any Video Converter
    ----a-w               907 2011-07-27 03:17:40  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\AnvSoft\Any Video Converter\Any Video Converter on the Web.lnk
    ----a-w               907 2011-07-27 03:17:40  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\AnvSoft\Any Video Converter\Any Video Converter.lnk
    ----a-w               877 2011-07-27 03:17:40  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\AnvSoft\Any Video Converter\Uninstall Any Video Converter.lnk
    ----a-w             1,857 2010-11-26 19:50:27  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\APC\APC PowerChute Personal Edition.lnk
    ----a-w                49 2010-02-02 22:32:30  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\AviSynth 2.5\AviSynth Online.url
    ----a-w                66 2010-02-02 22:32:30  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\AviSynth 2.5\Download Plugins.url
    ----a-w               793 2010-02-20 20:08:05  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\BitTorrent\BitTorrent.lnk
    ----a-w               817 2010-02-20 20:08:05  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\BitTorrent\Uninstall.lnk
    d-----w                 0 2012-07-24 00:22:44  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Blender Foundation\Blender
    ----a-w             1,763 2012-02-06 23:01:03  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Blender Foundation\Blender\Blender.lnk
    ----a-w             1,779 2012-02-06 23:01:03  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Blender Foundation\Blender\Copyright.lnk
    ----a-w             1,793 2012-02-06 23:01:03  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Blender Foundation\Blender\GPL-license.lnk
    ----a-w               865 2012-02-06 23:01:03  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Blender Foundation\Blender\Readme.lnk
    ----a-w             1,779 2012-02-06 23:01:03  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Blender Foundation\Blender\Uninstall.lnk
    d-----w                 0 2012-07-24 00:22:48  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Brother\MFC-665CW LAN
    ----a-w             1,778 2011-01-04 00:47:50  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Brother\MFC-665CW LAN\ControlCenter3.lnk
    ----a-w             1,710 2011-01-04 00:47:53  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Brother\MFC-665CW LAN\Installation Diagnostics.lnk
    ----a-w                42 2011-01-04 00:47:55  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Brother\MFC-665CW LAN\Network PhotoCapture Center.url
    ----a-w               102 2011-01-04 00:47:54  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Brother\MFC-665CW LAN\On-line help and FAQ's.url
    ----a-w             1,838 2011-01-04 00:47:49  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Brother\MFC-665CW LAN\On-Line Registration.lnk
    d-----w                 0 2012-07-24 00:22:46  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Brother\MFC-665CW LAN\PC-FAX Receiving
    d-----w                 0 2012-07-24 00:22:46  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Brother\MFC-665CW LAN\PC-FAX Sending
    ----a-w             1,682 2011-01-04 00:47:45  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Brother\MFC-665CW LAN\Read Me.lnk
    ----a-w             1,722 2011-01-04 00:47:43  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Brother\MFC-665CW LAN\Remote Setup.lnk
    d-----w                 0 2012-07-24 00:22:48  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Brother\MFC-665CW LAN\Scanner Settings
    ----a-w             1,774 2011-01-04 00:47:51  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Brother\MFC-665CW LAN\Status Monitor.lnk
    ----a-w             1,737 2011-01-04 00:47:40  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Brother\MFC-665CW LAN\PC-FAX Receiving\How to use PC-FAX Receiving.lnk
    ----a-w             1,705 2011-01-04 00:47:42  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Brother\MFC-665CW LAN\PC-FAX Receiving\Receive.lnk
    ----a-w             1,691 2011-01-04 00:47:40  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Brother\MFC-665CW LAN\PC-FAX Sending\Address Book Converter.lnk
    ----a-w             1,751 2011-01-04 00:47:39  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Brother\MFC-665CW LAN\PC-FAX Sending\How to use PC-FAX Sending.lnk
    ----a-w             1,708 2011-01-04 00:47:39  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Brother\MFC-665CW LAN\PC-FAX Sending\PC-FAX Address Book.lnk
    ----a-w             1,691 2011-01-04 00:47:40  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Brother\MFC-665CW LAN\PC-FAX Sending\PC-FAX Setup.lnk
    ----a-w             1,688 2011-01-04 00:47:47  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Brother\MFC-665CW LAN\Scanner Settings\Scanner Utility.lnk
    ----a-w             1,688 2011-01-04 00:47:47  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Brother\MFC-665CW LAN\Scanner Settings\Scanner Utility.txt.lnk
    Also run this tool:


    Please download and save the below to your Desktop or anywhere else you can find it (if the Desktop is not showing):

    http://download.bleepingcomputer.com/grinler/unhide.exe

    Reboot, and now do this: run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows 7.) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  3. henriksonj

    henriksonj Private E-2

    Things seem to be running well. I'm not sure that I copied all those file links quite correctly, but they are all there. I've attached the MGlogs.zip file to this message.
    Many thanks for your invaluable assistance!

    John H.
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    The items I listed in the big code box, you say are all back to their original location? The MGlogs.zip does not reflect this. You say all is running well now?
     
  5. henriksonj

    henriksonj Private E-2

    No - they weren't all back - when I did a cut and paste it didn't put them in the correct locations - they should be now. I've attached a new MGlogs.zip file. I still had a browser redirect this AM, and Microsoft Security Essentials flagged a file - Trojan Win32/FakeSysdef - I deleted it.

    thank you!
    John H.
     

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    There are still some items that need restoring. Try again.

    Show all files in C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp

    Code:
    d-----w                 0 2012-07-24 00:21:58  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1
    d-----w                 0 2012-07-26 12:14:33  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs
    d-----w                 0 2012-07-26 12:05:22  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories
    d-----w                 0 2012-07-26 12:06:18  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Acronis
    d-----w                 0 2012-07-26 12:09:10  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Action Replay DSi Code Manager
    d-----w                 0 2012-07-26 12:09:40  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Administrative Tools
    d-----w                 0 2012-07-24 00:22:38  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\AnvSoft
    d-----w                 0 2012-07-26 12:10:33  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\APC
    d-----w                 0 2012-07-26 12:10:59  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\AviSynth 2.5
    d-----w                 0 2012-07-26 12:11:22  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\BitTorrent
    d-----w                 0 2012-07-24 00:22:42  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Blender Foundation
    d-----w                 0 2012-07-26 12:13:56  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Brother
    d-----w                 0 2012-07-26 12:07:44  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Acronis\Acronis True Image
    ----a-w               904 2012-01-23 00:25:35  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Acronis\Acronis True Image\Acronis True Image WD*Edition.lnk
    ----a-w             1,157 2012-01-23 00:23:37  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Acronis\Acronis True Image\Bootable Media Builder.lnk
    d-----w                 0 2012-07-26 12:10:09  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\AnvSoft\Any Video Converter
    d-----w                 0 2012-07-26 12:11:46  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Blender Foundation\Blender
    What is inside of this folder? C:\Documents and Settings\Dad\Application Data\Toolbar4 <---- Is it google related or not?

    Delete these files:

    C:\Documents and Settings\All Users\Application Data\GF1K8K3ybEL8Mu
    C:\WINDOWS\pchealth\helpctr\binaries\SET1C03.tmp
    C:\WINDOWS\pchealth\helpctr\binaries\SET5CB.tmp
    C:\WINDOWS\pchealth\helpctr\binaries\SET6D8.tmp
    C:\WINDOWS\pchealth\helpctr\binaries\SET734.tmp
    C:\WINDOWS\pchealth\helpctr\binaries\SET920.tmp
    C:\WINDOWS\pchealth\helpctr\binaries\pchsvc(3).dll
    C:\WINDOWS\pchealth\helpctr\binaries\pchsvc(4).dll

    Uninstall this: Search Settings v1.2.3

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows 7.) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
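    As an added example (not a tool from the thread or from MajorGeeks), the comparison Kestrel13! makes between the two smtmp listings can be automated: parse listing lines in the layout quoted above and report which files are still sitting under smtmp, and which of its folders are now empty and can be removed. The sample listing and the smtmp root path are constructed from the paths shown in the thread.

```python
"""Check an smtmp listing for shortcuts that have not yet been copied back.

Added example for this thread; it is not part of MGtools, RogueKiller or any
other tool mentioned above. The listing below is constructed from lines in the
same layout as the two listings posted in the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: header line plus entries in the quoted format
# (attribute column, size, timestamp, full path).
SAMPLE_LISTING = r"""
Show all files in C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp

d-----w                 0 2012-07-24 00:21:58  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1
d-----w                 0 2012-07-26 12:14:33  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs
d-----w                 0 2012-07-26 12:05:22  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Accessories
d-----w                 0 2012-07-26 12:06:18  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Acronis
d-----w                 0 2012-07-26 12:07:44  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Acronis\Acronis True Image
----a-w               904 2012-01-23 00:25:35  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Acronis\Acronis True Image\Acronis True Image WD*Edition.lnk
----a-w             1,157 2012-01-23 00:23:37  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Acronis\Acronis True Image\Bootable Media Builder.lnk
d-----w                 0 2012-07-26 12:09:40  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Administrative Tools
--sha-w               476 2011-07-20 22:34:55  C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp\1\Programs\Administrative Tools\desktop.ini
"""

# Root the rogue dumped the shortcuts into (path taken from the thread).
SMTMP_ROOT = r"C:\Documents and Settings\Dad\Local Settings\TEMP\smtmp"

LINE_RE = re.compile(
    r"^(?P<attr>[d-][-a-z]{6})\s+"                      # d-----w / ----a-w / --sha-w
    r"(?P<size>[\d,]+)\s+"                              # size with thousands separators
    r"(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"  # modification timestamp
    r"(?P<path>\S.*?)\s*$"                              # full path, trailing blanks dropped
)


@dataclass
class Entry:
    attrs: str
    size: int
    stamp: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden_or_system(self) -> bool:
        # 's' (system) / 'h' (hidden) flags: files such as desktop.ini only
        # appear in the listing once hidden files are shown, as step 5 above requires.
        return "s" in self.attrs[1:] or "h" in self.attrs[1:]


def parse_listing(text: str) -> List[Entry]:
    """Parse listing lines; headers and blank lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["attr"], int(m["size"].replace(",", "")),
                                 m["stamp"], m["path"]))
    return entries


def relative_to(path: str, root: str) -> str:
    """Part of path below root (case-insensitive, Windows separators); '' if not below it."""
    prefix = root.rstrip("\\").lower() + "\\"
    return path[len(prefix):] if path.lower().startswith(prefix) else ""


def pending_restores(entries: List[Entry], smtmp_root: str) -> Dict[str, List[str]]:
    """Files still under smtmp, grouped by the numbered folder they were dumped into.
    Anything returned here has not yet been copied back to its original location."""
    pending: Dict[str, List[str]] = {}
    for e in entries:
        rel = relative_to(e.path, smtmp_root)
        if e.is_dir or not rel:
            continue
        bucket, _, rest = rel.partition("\\")
        pending.setdefault(bucket, []).append(rest)
    return pending


def leftover_dirs(entries: List[Entry], smtmp_root: str) -> List[str]:
    """Directories under smtmp with no listed file beneath them: already emptied."""
    files = [relative_to(e.path, smtmp_root).lower() for e in entries if not e.is_dir]
    dirs = [relative_to(e.path, smtmp_root) for e in entries if e.is_dir]
    return [d for d in dirs if d and not any(f.startswith(d.lower() + "\\") for f in files)]


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for bucket, rest in pending_restores(parsed, SMTMP_ROOT).items():
        print(f"still in smtmp\\{bucket}:")
        for r in rest:
            print("   ", r)
    print("empty folders:", leftover_dirs(parsed, SMTMP_ROOT))
```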
     
  7. henriksonj

    henriksonj Private E-2

    Those were empty directories - I had moved the files, and have removed the directories now. I haven't noticed more problems since the virus scanner found that one FakeSysdef trojan this morning. Removed those other files.
    I've attached the MGlogs. Thank you!!!
     

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You are welcome. ;)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (this uninstall will only work as written if you installed ComboFix on your Desktop like we requested).
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between the combofix" and the /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
