Chelsea1

Nothing found although I deselected temp files and system restore points as instructed in the post you linked. I also wasn't sure whether or not to run it in Enhanced Protection Mode or not so I just went with standard mode. Let me know if I should do another scan differently.

It is weird for a legit program to hide files, is it not?

http://www.drwebhk.com/en/virus_techinfo/Trojan.AVKill.28808.html Don't know how legit that site is though, admittedly. When you search "AdobeARM.exe", "virus" is one of the first suggested results so I guess that's what made me think so too.

So, the hidden files I posted a screenshot of, which are no longer present, they were definitely part of AdobeARM.exe? I'm a little confused because if you search "AdobeARM.exe virus" online there are supposedly trojans/rootkits that masquerade as that file? Also, why were they hidden, is it normal for legitimate files and folders to hide themselves in the temp folder?

18:07:04.0013 6016 TDSS rootkit removing tool 2.8.18.0 Jun 10 2013 21:44:19 18:07:04.0548 6016 ============================================================ 18:07:04.0548 6016 Current date / time: 2013/06/17 18:07:04.0548 18:07:04.0548 6016 SystemInfo: 18:07:04.0548 6016 18:07:04.0548 6016 OS Version: 6.0.6001 ServicePack: 1.0 18:07:04.0549 6016 Product type: Workstation 18:07:04.0549 6016 ComputerName: Chelsealaptop 18:07:04.0549 6016 UserName: Chelsea 18:07:04.0549 6016 Windows directory: C:\Windows 18:07:04.0549 6016 System windows directory: C:\Windows 18:07:04.0549 6016 Processor architecture: Intel x86 18:07:04.0549 6016 Number of processors: 2 18:07:04.0549 6016 Page size: 0x1000 18:07:04.0549 6016 Boot type: Normal boot 18:07:04.0549 6016 ============================================================ 18:07:06.0503 6016 Drive \Device\Harddisk0\DR0 - Size: 0x2E93E36000 (186.31 Gb), SectorSize: 0x200, Cylinders: 0x5F01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050 18:07:06.0531 6016 ============================================================ 18:07:06.0531 6016 \Device\Harddisk0\DR0: 18:07:06.0535 6016 MBR partitions: 18:07:06.0535 6016 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0xE06800, BlocksNum 0x166981B0 18:07:06.0535 6016 ============================================================ 18:07:06.0675 6016 C: <-> \Device\Harddisk0\DR0\Partition1 18:07:06.0675 6016 ============================================================ 18:07:06.0675 6016 Initialize success 18:07:06.0675 6016 ============================================================ 18:07:20.0940 5136 Deinitialize success Larger file: TDSSKiller.2.8.18.0_17.06.2013_18.09.54_log.txt

Do you think the disappearing temp items were caused by a rootkit or was it the legitimate Adobe application? I'm not sure if I should reformat or assume everything is OK now?

RogueKiller V8.6.1 [Jun 17 2013] by Tigzy mail : tigzyRK<at>gmail<dot>com Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/ Website : http://tigzy.geekstogo.com/roguekiller.php Blog : http://tigzyrk.blogspot.com/ Operating System : Windows Vista (6.0.6001 Service Pack 1) 32 bits version Started in : Normal mode User : Chelsea [Admin rights] Mode : Scan -- Date : 06/17/2013 16:14:20 | ARK || FAK || MBR | ¤¤¤ Bad processes : 0 ¤¤¤ ¤¤¤ Registry Entries : 3 ¤¤¤ [HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND ¤¤¤ Scheduled tasks : 0 ¤¤¤ ¤¤¤ Startup Entries : 0 ¤¤¤ ¤¤¤ Web browsers : 0 ¤¤¤ ¤¤¤ Particular Files / Folders: ¤¤¤ ¤¤¤ Driver : [LOADED] ¤¤¤ ¤¤¤ External Hives: ¤¤¤ ¤¤¤ Infection : ¤¤¤ ¤¤¤ HOSTS File: ¤¤¤ --> %SystemRoot%\System32\drivers\etc\hosts 127.0.0.1 localhost ¤¤¤ MBR Check: ¤¤¤ +++++ PhysicalDrive0: ST9200827AS +++++ --- User --- [MBR] ca8f4acf427b9a5179b6495c99f3918a [bSP] b1ce451f07c050be20538bc63df273f9 : Windows Vista MBR Code Partition table: 0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 7180 Mo 1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 14706688 | Size: 183600 Mo User = LL1 ... OK! User = LL2 ... OK! Finished : << RKreport[0]_S_06172013_161420.txt >> RKreport[0]_S_06162013_032557.txt I downloaded the newer version of RogueKiller and it seems to have found one new registry item, could you interpret these logs please?

OK, managed to find AdobeARM.exe in msconfig, it was named as another Adobe product. I disabled it and rebooted, the AdobeARM.log file in the temp folder didn't update on startup and the process/service is no longer running in WTM. However, in my temp folder now I have two newly created temp folders called Adobe and lilo.1848?

Rebooted twice now and each time In stop the process and the associated service on startup it is there again along with an updated AdobeARM.exe folder.

I restarted WTM and was able to stop it. Going to reboot now.

It says access is denied?!

I couldn't find AdobeARM.exe listed in msconfig, only other Adobe software, however it is listed in Windows Task Manager as both a process and a service, can I stop it from there or will it only disable it until the next reboot not permanently?

I rebooted again and managed to get a screen shot before they disappeared, not sure if this is any use but it's the files starting with "cyai59gv...". CropperCapture57.bmp

Rebooted again and unfortunately they're still there, there's about five of them and one is listed as an Application Extension and when I click on properties it disappears within seconds and I only can view the properties of the general Temp folder.

Sorry for the double post, thought it didn't go through the first time.