
Hello :)

Would really be grateful for your help.

I have been one of many infected with a Trojan. One of the messages reads: "Failed to save all the components for the file System" etc. The desktop goes black and I appear to lose my programmes and shortcuts.

Following one forum thread, I downloaded the Malware software today (ARO 2011) and also purchased it. I have run it a few times.

I am now at the stage where the problem is still there and when I go to start / programmes / ARO 2011 it says the folder is empty and I therefore cannot run this software now!

Also, I got the problem when logged into my profile. I am writing this from the affected laptop, but from my girlfriend's profile logon. I have the desktop image and access to the internet, but most of the folders are "empty". I cannot run ARO 2011 from this logon either.

I have read other threads about downloading other software and capturing logs etc. I am reluctant to trust my technical skills now and was also hopeful that a more complete solution is available.

Looking forward to your response.

Thank you.

David


Thank you so much Mr C - I'm 95% back normal.

I have attached the two logs produced by OTL.

One problem that remains is that most of my folders for the Programs I have installed (Start -> All Programs) are empty. I have used the 'unhide' programme multiple times (and disabled all Anti-virus software) but with limited success.

Is there a solution to this please?

A further question please. I now have Malwarebytes Anti-Malware running as well as my existing McAfee software. Will there be any conflicts by running both of them?

Thank you.

David

Attachments: Extras.Txt, OTL.Txt


Can you take a look at these two files:

[2011/12/06 19:18:31 | 000,000,000 | ---D | C] -- C:\Users\David\AppData\Local\{A5A27EEA-D8E6-42AC-9DD5-4D2E1B38BE01}

[2011/12/06 19:18:20 | 000,000,000 | ---D | C] -- C:\Users\David\AppData\Local\{D064AD5A-A993-489B-AFA6-B0A43FCC5081}

If you don't recognize them, please upload them for a free virus scan at one of the sites below, let me know the results:

http://www.virustotal.com/

http://virusscan.jotti.org/en

---------------------------------

Please do this:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O3 - HKU\S-1-5-21-2652733806-224333056-582442980-1001\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
    O4 - HKLM..\Run: [Corel File Shell Monitor] c:\Program Files (x86)\Corel\Corel PaintShop Photo Pro\X3\PSPClassic\CorelIOMonitor.exe File not found
    O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
    O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    O18:64bit: - Protocol\Filter\ica - No CLSID value found
    O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    File not found -- C:\ProgramData\wOM9H4HfIsIeOq
    File not found -- C:\Users\David\Desktop\exeHelper.com
    [2011/12/12 13:23:04 | 000,000,000 | ---D | C] -- C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Fix
    [2011/12/12 13:23:04 | 000,000,673 | ---- | M] () -- C:\Users\David\Application Data\Microsoft\Internet Explorer\Quick Launch\System Fix.lnk
    [2011/12/12 13:22:54 | 000,350,344 | ---- | M] () -- C:\ProgramData\wOM9H4HfIsIeOq.exe
    [2011/12/12 13:23:04 | 000,000,673 | ---- | C] () -- C:\Users\David\Application Data\Microsoft\Internet Explorer\Quick Launch\System Fix.lnk
    [2011/12/12 13:22:54 | 000,350,344 | ---- | C] () -- C:\ProgramData\wOM9H4HfIsIeOq.exe


  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

------------------------------------------

Here are all the notes on recovering the desktop; see if you can find a solution. Most of the icons are in your temp folders.

Let me know.......MrC

--------------------------------------

As this infection hides the Windows desktop, we need to open up a window that allows us to see the icons.

If you are using Windows XP perform the following steps:

Click on the Start button and then click on the Run menu item. When the Run box opens, type %UserProfile%\desktop in the Open: field and then press Enter on your keyboard.

If you are in Windows Vista or Windows 7 perform the following steps.

Click on the Start button and type %UserProfile%\desktop in the Search field at the bottom of the start menu. Then press Enter on your keyboard.


http://www.bleepingcomputer.com/virus-removal/remove-security-tool

------------------------------------------------

In regards to the folders and desktop, if you open My Computer and go to Tools -> Folder Options, you'll be able to change the folder options so they aren't hidden.

That will fix your folder and desktop issue. However, I haven't been able to restore my start menu yet.

http://www.geekstogo.com/forum/topic/311014-system-fix-malware/

http://www.bleepingcomputer.com/forums/topic399676.html

After running the unhide tool you may still be missing most of your start menu shortcuts… They can be found in a folder named smtmp inside:

(XP)- C:\Documents and Settings\Username\Local Settings\Temp

(W7)- C:\Users\Username\AppData\Local\Temp

Example:

%Temp%\smtmp\1 "%AllUsersProfile%\Start Menu"

%Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch"

%Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"

%Temp%\smtmp\4 "%AllUsersProfile%\Desktop"

Also look in C:\Windows\Temp

These will be there unless you have removed temp files / folders

There might be three numbered folders inside C:\Documents and Settings\Your User Name\Local Settings\Temp\smtmp folder. The folders will be numbered 1, 2 and 4.

Inside the 1 folder is a folder named "Programs." This folder should be copied and pasted (using XP) to C:\Documents and Settings\All Users\Start Menu, which will already have a folder named Programs, but it is safe to overwrite it since Windows will merge the subfolders without creating duplicates.

Inside the 2 folder are the quick launch items specific for the user. Select ALL of these shortcuts and copy / paste to (using XP) C:\Documents and Settings\Your User Name\Application Data\Microsoft\Internet Explorer\Quick Launch.

Inside the 4 folder are the desktop items that should be copied to C:\Documents and Settings\All Users\Desktop.

Also you can use this option With Windows 7 / Vista:

You can restore the Start menu to its original, default settings.

1.Open Taskbar and Start Menu Properties by clicking the Start button , clicking Control Panel, clicking Appearance and Personalization, and then clicking Taskbar and Start Menu.

2.Click the Start Menu tab, and then click Customize.

3.In the Customize Start Menu dialog box, click Use Default Settings, and then click OK.

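The two recovery steps in the notes above (unhide what the rogue hid, then copy the smtmp\1..4 folders back to their real locations) can be scripted. The following is an added example written for this page; it is not the unhide tool, not code from MrC or from the linked guides. It assumes the smtmp layout the notes describe, resolves the All Users Start Menu and Desktop through the WScript.Shell COM object so the same code works on XP and Vista/7, and joins folder 3 to %AppData% directly because %AppData% already expands to ...\AppData\Roaming. The "only plain Hidden items are the rogue's" rule in the unhide function is an assumption of this example: Windows marks its own hidden items (desktop.ini, ntuser.dat, the profile junctions) System as well, so those are left alone.

```powershell
# Added example, not code from the thread. Restores the shortcuts that the
# "System Fix" rogue moved into %Temp%\smtmp and clears the Hidden attribute it
# set on the user's files. Run in the infected profile from an elevated
# PowerShell prompt; both functions honour -WhatIf, so do a dry run first.

function Get-SmTmpTargets {
    # Map each numbered smtmp subfolder to where its contents belong. All Users
    # locations come from WScript.Shell so the code works on XP
    # ("Documents and Settings\All Users") and Vista/7 (ProgramData, Users\Public).
    # %AppData% already ends in ...\AppData\Roaming, so folder 3 needs no extra segment.
    $shell = New-Object -ComObject WScript.Shell
    $quickLaunch = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'
    @{
        '1' = $shell.SpecialFolders.Item('AllUsersStartMenu')
        '2' = $quickLaunch
        '3' = Join-Path $quickLaunch 'User Pinned\TaskBar'
        '4' = $shell.SpecialFolders.Item('AllUsersDesktop')
    }
}

function Restore-SmTmpShortcuts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$SmTmp = (Join-Path $env:TEMP 'smtmp'))

    if (-not (Test-Path -LiteralPath $SmTmp)) {
        Write-Warning "No smtmp folder at $SmTmp (temp files may already have been cleaned)."
        return
    }
    $targets = Get-SmTmpTargets
    foreach ($num in ($targets.Keys | Sort-Object)) {
        $src = Join-Path $SmTmp $num
        if (-not (Test-Path -LiteralPath $src)) { continue }   # not every numbered folder is always present
        # Keep the relative layout: 1\Programs\Vendor\App.lnk -> <Start Menu>\Programs\Vendor\App.lnk
        Get-ChildItem -LiteralPath $src -Recurse -Force |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                $rel     = $_.FullName.Substring($src.Length).TrimStart('\')
                $dest    = Join-Path $targets[$num] $rel
                $destDir = Split-Path -Path $dest -Parent
                if ($PSCmdlet.ShouldProcess($dest, "Restore from $($_.FullName)")) {
                    if (-not (Test-Path -LiteralPath $destDir)) {
                        New-Item -ItemType Directory -Path $destDir -Force | Out-Null
                    }
                    # Copy rather than move so smtmp survives until the result is verified.
                    Copy-Item -LiteralPath $_.FullName -Destination $dest -Force
                }
            }
    }
}

function Clear-RogueHiddenAttribute {
    # The rogue hides the user's files and folders, which is why they look
    # "empty" in Explorer. Assumption of this example: items Windows hides
    # itself also carry the System attribute (or are junctions), so anything
    # marked System or ReparsePoint is skipped and a plain Hidden item is
    # treated as the rogue's doing. Default-hidden folders such as AppData
    # will be unhidden too; that is cosmetic.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Roots = @($env:USERPROFILE, $env:ALLUSERSPROFILE))

    $hidden = [IO.FileAttributes]::Hidden
    $skip   = [IO.FileAttributes]::System -bor [IO.FileAttributes]::ReparsePoint
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { (($_.Attributes -band $hidden) -ne 0) -and (($_.Attributes -band $skip) -eq 0) } |
            ForEach-Object {
                if ($PSCmdlet.ShouldProcess($_.FullName, 'Clear Hidden attribute')) {
                    # Hidden is known to be set here, so XOR removes exactly that bit.
                    $_.Attributes = $_.Attributes -bxor $hidden
                }
            }
    }
}

# Dry run: lists every file that would be restored or unhidden, changes nothing.
Restore-SmTmpShortcuts -WhatIf
Clear-RogueHiddenAttribute -WhatIf
# Then run both without -WhatIf, log off and on again, and check Start -> All Programs.
```

Run it as the infected user, not from the other profile: %Temp% and %AppData% resolve per user, and the smtmp folder lives in the infected profile's temp directory. Because the restore copies instead of moving, the temp folder can be deleted afterwards by hand once the Start Menu looks right; if a temp cleaner has already run, the script warns and does nothing, which is the case the notes mention where shortcuts have to be recreated.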

Hello Mr C

Thanks again for your response.

Regarding these two files:

[2011/12/06 19:18:31 | 000,000,000 | ---D | C] -- C:\Users\David\AppData\Local\{A5A27EEA-D8E6-42AC-9DD5-4D2E1B38BE01}

[2011/12/06 19:18:20 | 000,000,000 | ---D | C] -- C:\Users\David\AppData\Local\{D064AD5A-A993-489B-AFA6-B0A43FCC5081}

They appear to be empty folders and as such could not be uploaded for a virus scan.

Regarding the OTL Fix, here's the log:

========== OTL ==========

Registry value HKEY_USERS\S-1-5-21-2652733806-224333056-582442980-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}\ not found.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Corel File Shell Monitor deleted successfully.

Registry value HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.

Registry value HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.

Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.

Starting removal of ActiveX control {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.

Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.

Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.

Starting removal of ActiveX control {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.

Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.

C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Fix folder moved successfully.

C:\Users\David\Application Data\Microsoft\Internet Explorer\Quick Launch\System Fix.lnk moved successfully.

C:\ProgramData\wOM9H4HfIsIeOq.exe moved successfully.

File C:\Users\David\Application Data\Microsoft\Internet Explorer\Quick Launch\System Fix.lnk not found.

File C:\ProgramData\wOM9H4HfIsIeOq.exe not found.

OTL by OldTimer - Version 3.2.31.0 log created on 12142011_215607

I will get back to you regarding the other points in your email.

Thanks

David


Hi there

Sorry for the late reply. I've just had time to try working some solutions. Based on the links you have provided, whilst there wasn't one which provided the complete solution, it taught me the following:

* My shortcuts had been deleted with no obvious quick fix solution

* I found that my programs .exe files (and all other files relating to the software) were located at c:\Program Files (x86)\...

* I located the .exe file of the program for which I was missing a shortcut

* Right-clicked the .exe file and selected 'Create Shortcut'

* This had to be saved to the Desktop

* Copied the file on the desktop

* Went to Start, right-clicked "All Programs" and selected "Open All Users"

* I then pasted the shortcut into the relevant folder

Thanks for your help Mr C.

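The by-hand procedure in the post above (find the .exe under Program Files, create a shortcut, paste it into the All Users "Programs" folder) can also be done with the Shell COM object, which writes the .lnk straight into the Start Menu without going through the Desktop. This is an added example, not code from David or from the thread. The candidate finder is a heuristic of this example: it lists executables near the top of each vendor folder that no existing Start Menu shortcut points at and drops names that look like installers or uninstallers, so it will still include some helper programs and is meant to be read by a person, not applied blindly. The paths in the usage comment are hypothetical.

```powershell
# Added example, not code from the thread. Recreates missing Start Menu entries
# programmatically and lists installed executables that have no shortcut yet.

function Get-ShortcutTargets {
    # Resolve the target of every .lnk in the All Users and current user's Programs folders.
    $shell = New-Object -ComObject WScript.Shell
    $roots = @($shell.SpecialFolders.Item('AllUsersPrograms'), $shell.SpecialFolders.Item('Programs'))
    foreach ($root in $roots) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -Filter *.lnk -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object { $shell.CreateShortcut($_.FullName).TargetPath }
    }
}

function Get-UnlinkedExecutables {
    # Heuristic (assumption of this example): a program's main .exe sits at most
    # $Depth levels below a Program Files root and is not named like an installer.
    param([int]$Depth = 2)
    $linked = @{}
    foreach ($t in Get-ShortcutTargets) { if ($t) { $linked[$t.ToLowerInvariant()] = $true } }
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }
    foreach ($root in $roots) {
        Get-ChildItem -LiteralPath $root -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            Where-Object {
                $rel = $_.FullName.Substring($root.Length).TrimStart('\')
                $shallow = ($rel.Split('\').Count - 1) -le $Depth
                $shallow -and
                    ($_.Name -notmatch '^(unins|uninst|setup|install|update|crash)') -and
                    (-not $linked.ContainsKey($_.FullName.ToLowerInvariant()))
            }
    }
}

function New-AllUsersProgramShortcut {
    param(
        [Parameter(Mandatory = $true)][string]$ExePath,   # full path to the program's .exe
        [Parameter(Mandatory = $true)][string]$Name,      # display name of the shortcut
        [string]$Folder                                   # optional subfolder under Programs, e.g. the vendor name
    )
    if (-not (Test-Path -LiteralPath $ExePath -PathType Leaf)) { throw "Not found: $ExePath" }
    $shell = New-Object -ComObject WScript.Shell
    $dir = $shell.SpecialFolders.Item('AllUsersPrograms')   # same folder as "Open All Users" in the Start menu
    if ($Folder) { $dir = Join-Path $dir $Folder }
    if (-not (Test-Path -LiteralPath $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    $lnk = Join-Path $dir "$Name.lnk"
    $sc = $shell.CreateShortcut($lnk)
    $sc.TargetPath       = $ExePath
    $sc.WorkingDirectory = Split-Path -Path $ExePath -Parent
    $sc.IconLocation     = "$ExePath,0"
    $sc.Save()                                               # writing under the All Users folder needs an elevated prompt
    Get-Item -LiteralPath $lnk
}

# Usage (paths hypothetical):
# Get-UnlinkedExecutables | Select-Object FullName
# New-AllUsersProgramShortcut -ExePath 'C:\Program Files (x86)\Vendor\App\App.exe' -Name 'App' -Folder 'Vendor'
```

Shortcuts created under the All Users Programs folder appear for every account on the machine, which matches what "Open All Users" does; to create one for a single profile instead, swap 'AllUsersPrograms' for 'Programs' in the last function.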

So you're all set??

If so....

Please update your Java, older versions are vulnerable to malware.

Java 6 Update 22 <-----should be 30

Go to your control panel > Java > update

------------------------

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any questions...please post back.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

Have a Good Holiday and New Year!


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

