
I have run Malwarebytes and believe I have removed the infection. I also ran unhide.exe. This made the desktop and start menu items appear. The folders in the All Programs menu are all empty and the quick launch items are missing. Below is the DDS log file that was produced. Any help would be appreciated to the utmost.

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Korporate Killer at 9:58:38 on 2011-11-30

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.784 [GMT -8:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe

C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe

c:\Program Files\Zune\ZuneBusEnum.exe

C:\Program Files\TeamViewer\Version5\TeamViewer_Desktop.exe

c:\program files\teamviewer\version5\TeamViewer.exe

C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

dRunOnce: [KodakHomeCenter] "c:\program files\kodak\aio\center\AiOHomeCenter.exe"

dPolicies-explorer: NoDesktop = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 24.177.176.38 71.92.29.130 24.217.201.67

TCP: Interfaces\{EC38EF1A-5593-4775-A062-6381F3CEC6A0} : DhcpNameServer = 24.177.176.38 71.92.29.130 24.217.201.67

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

============= SERVICES / DRIVERS ===============

.

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165648]

R1 MpKsl9bf39ddd;MpKsl9bf39ddd;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c5e4ec08-1a6d-49ae-80d8-491e0ca96cbc}\MpKsl9bf39ddd.sys [2011-11-30 28752]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67664]

R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-6-29 116608]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-5-1 181544]

R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\EKAiOHostService.exe [2011-9-5 393648]

R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-11-7 2002728]

S1 MpKsl09dcbb2c;MpKsl09dcbb2c;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{882b2dfd-ac5a-4605-9e78-5e7ae664b038}\mpksl09dcbb2c.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{882b2dfd-ac5a-4605-9e78-5e7ae664b038}\MpKsl09dcbb2c.sys [?]

S1 MpKsl1e995b88;MpKsl1e995b88;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{02dfda02-430a-40b8-979d-a8d961fbeb24}\mpksl1e995b88.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{02dfda02-430a-40b8-979d-a8d961fbeb24}\MpKsl1e995b88.sys [?]

S1 MpKsl33744b1b;MpKsl33744b1b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bda4c7c4-becd-4685-af81-4d00b73a7506}\mpksl33744b1b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bda4c7c4-becd-4685-af81-4d00b73a7506}\MpKsl33744b1b.sys [?]

S1 MpKsl3869de76;MpKsl3869de76;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c9b9b974-8bdd-455a-b192-67fffa739488}\mpksl3869de76.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c9b9b974-8bdd-455a-b192-67fffa739488}\MpKsl3869de76.sys [?]

S1 MpKsl3be41514;MpKsl3be41514;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9421d27c-5764-4407-8c4b-869aab89c5d7}\mpksl3be41514.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9421d27c-5764-4407-8c4b-869aab89c5d7}\MpKsl3be41514.sys [?]

S1 MpKsl4a0310c1;MpKsl4a0310c1;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b03e8992-7b35-4f56-ac0f-6cd209efd19a}\mpksl4a0310c1.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b03e8992-7b35-4f56-ac0f-6cd209efd19a}\MpKsl4a0310c1.sys [?]

S1 MpKsl6e604372;MpKsl6e604372;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3d76b08d-ede2-49f1-a33d-79b38f6722de}\mpksl6e604372.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3d76b08d-ede2-49f1-a33d-79b38f6722de}\MpKsl6e604372.sys [?]

S1 MpKsl728143ae;MpKsl728143ae;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3c91f0b8-6abb-4221-9982-42a8137ab4d6}\mpksl728143ae.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3c91f0b8-6abb-4221-9982-42a8137ab4d6}\MpKsl728143ae.sys [?]

S1 MpKsl907c73a2;MpKsl907c73a2;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{882b2dfd-ac5a-4605-9e78-5e7ae664b038}\mpksl907c73a2.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{882b2dfd-ac5a-4605-9e78-5e7ae664b038}\MpKsl907c73a2.sys [?]

S1 MpKsl975f60d3;MpKsl975f60d3;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5ad741f5-0d33-43c4-9043-5e058ce943d5}\mpksl975f60d3.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5ad741f5-0d33-43c4-9043-5e058ce943d5}\MpKsl975f60d3.sys [?]

S1 MpKsla43ce8ee;MpKsla43ce8ee;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3d76b08d-ede2-49f1-a33d-79b38f6722de}\mpksla43ce8ee.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3d76b08d-ede2-49f1-a33d-79b38f6722de}\MpKsla43ce8ee.sys [?]

S1 MpKslb2953963;MpKslb2953963;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9421d27c-5764-4407-8c4b-869aab89c5d7}\mpkslb2953963.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9421d27c-5764-4407-8c4b-869aab89c5d7}\MpKslb2953963.sys [?]

S1 MpKslc08d4718;MpKslc08d4718;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1c446ecc-c858-4be9-9b99-2b12bbc7ca11}\mpkslc08d4718.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1c446ecc-c858-4be9-9b99-2b12bbc7ca11}\MpKslc08d4718.sys [?]

S1 MpKsld56540f2;MpKsld56540f2;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3d76b08d-ede2-49f1-a33d-79b38f6722de}\mpksld56540f2.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3d76b08d-ede2-49f1-a33d-79b38f6722de}\MpKsld56540f2.sys [?]

S1 MpKsleff5ae69;MpKsleff5ae69;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{19035ffb-1a63-44be-9e42-ebe3efefbcce}\mpksleff5ae69.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{19035ffb-1a63-44be-9e42-ebe3efefbcce}\MpKsleff5ae69.sys [?]

S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys [2010-7-28 25112]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2008-4-14 14336]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]

S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-11-11 268528]

.

=============== Created Last 30 ================

.

2011-11-30 16:25:24 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c5e4ec08-1a6d-49ae-80d8-491e0ca96cbc}\MpKsl9bf39ddd.sys

2011-11-30 16:25:21 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c5e4ec08-1a6d-49ae-80d8-491e0ca96cbc}\offreg.dll

2011-11-30 10:23:18 6668624 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c5e4ec08-1a6d-49ae-80d8-491e0ca96cbc}\mpengine.dll

2011-11-30 03:14:12 -------- d-----w- c:\program files\ESET

2011-11-29 22:29:23 509374 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2011-11-24 23:07:05 7084 ----a-w- c:\windows\system32\0.29306186382992716.exe

.

==================== Find3M ====================

.

2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-26 19:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 19:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 19:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 9:59:19.23 ===============


After running the unhide tool you may still be missing most of your start menu shortcuts… They can be found in a folder named smtmp inside:

(XP)- C:\Documents and Settings\Username\Local Settings\Temp

(W7)- C:\Users\Username\AppData\Local\Temp

C:\Windows\Temp

Example:

%Temp%\smtmp\1 "%AllUsersProfile%\Start Menu"

%Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch"

%Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"

%Temp%\smtmp\4 "%AllUsersProfile%\Desktop"

These will be there unless you have removed temp files / folders.

There might be three numbered folders inside C:\Documents and Settings\Your User Name\Local Settings\Temp\smtmp folder. The folders will be numbered 1, 2 and 4.

Inside the 1 folder is a folder named “Programs.” This folder should be copied / pasted (using XP) to C:\Documents and Settings\All Users\Start Menu, which will already have a folder named Programs, but it is safe to overwrite it since Windows will replace the subfolders without creating duplicates.

Inside the 2 folder are the quick launch items specific for the user. Select ALL of these shortcuts and copy / paste to (using XP) C:\Documents and Settings\Your User Name\Application Data\Microsoft\Internet Explorer\Quick Launch.

Inside the 4 folder are the desktop items that should be copied to C:\Documents and Settings\All Users\Desktop.

Let me know if everything was there and how it's running now.

For Windows 7 users, the all users start menu is C:\ProgramData\Microsoft\Windows\Start Menu\Programs and the all users desktop folder is C:\Users\Public\Desktop.

Also you can use this option with Windows 7 / Vista:

You can restore the Start menu to its original, default settings.

1. Open Taskbar and Start Menu Properties by clicking the Start button, clicking Control Panel, clicking Appearance and Personalization, and then clicking Taskbar and Start Menu.

2. Click the Start Menu tab, and then click Customize.

3. In the Customize Start Menu dialog box, click Use Default Settings, and then click OK.
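As an added example (not code from the forum thread or its helpers), a Python script that automates the copy-back the reply above describes: it looks for smtmp in the listed Temp locations, maps the numbered folders 1, 2 and 4 to the XP destinations quoted in the reply, and merges the shortcuts back at their original relative paths so existing entries are overwritten rather than duplicated. The destination table, the dry-run default and the function names are my assumptions; run it once to review the list, then again with dry_run=False.

```python
import os
import shutil
from pathlib import Path

# smtmp subfolder number -> where the rogue took the shortcuts from (XP paths
# quoted in the thread; assumption: folder 3 is omitted because the reply says
# an XP machine only gets 1, 2 and 4). %VAR% is expanded by os.path.expandvars
# on Windows only; pass explicit paths on other hosts, as the test below does.
XP_DESTINATIONS = {
    "1": r"%AllUsersProfile%\Start Menu",
    "2": r"%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch",
    "4": r"%AllUsersProfile%\Desktop",
}

# Temp locations the reply lists for XP (user Temp and C:\Windows\Temp).
TEMP_CANDIDATES = [r"%Temp%", r"%Windir%\Temp"]


def find_smtmp(candidates):
    """Return the first candidate Temp folder that contains smtmp, else None."""
    for temp in candidates:
        smtmp = Path(os.path.expandvars(temp)) / "smtmp"
        if smtmp.is_dir():
            return smtmp
    return None


def restore_smtmp(smtmp, destinations, dry_run=True):
    """Merge each numbered smtmp subfolder back into its destination.

    Files are written at the same relative path they had under the numbered
    folder, so a shortcut that already exists is overwritten, not duplicated,
    and shortcuts the rogue never touched are left alone. Returns the
    (src, dst) pairs copied (or that would be copied when dry_run is True).
    """
    copied = []
    for number, dest in destinations.items():
        src_root = Path(smtmp) / number
        if not src_root.is_dir():
            continue  # the rogue does not always create every numbered folder
        dst_root = Path(os.path.expandvars(dest))
        for src in src_root.rglob("*"):
            if src.is_dir():
                continue
            dst = dst_root / src.relative_to(src_root)
            copied.append((src, dst))
            if not dry_run:
                dst.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(src, dst)  # keeps the shortcut's timestamps
    return copied


if __name__ == "__main__":
    found = find_smtmp(TEMP_CANDIDATES)
    if found is None:
        raise SystemExit("no smtmp folder found in the Temp locations checked")
    for src, dst in restore_smtmp(found, XP_DESTINATIONS):  # dry run by default
        print(f"{src} -> {dst}")
```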


I am running Windows XP. Everything came back ok with the exception of the start menu items. The folders for the all programs menu came back but they are all empty of the shortcuts needed. The only two programs I have run are Malwarebytes and the unhide, so I am unsure where the shortcuts may be located. As per your response I have made sure not to run disk cleanup or delete any temp folders. If you have any further advice please let me know. This has been a great learning experience and although frustrating I am really enjoying working with the great people on this site.

Thanks


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
