Jump to content

Problems after clean MBAM


Recommended Posts

I successfully went thru the cleanup and repair (VS) instructions in the topic "Install Problems".

BUT, XP is still not as it should be in 2 respects:

1. Display - right click on the desktop and select properties brings up a familiar screen...BUT without the 'desktop' tab which controls the background picture for the desktop...

2. All system drives are now visible, C D E etc., but the C: drive has a red X to the left of it rather than the disk drive symbol.

How can I repair the above? Even if not malware caused i'd like to 'get back to normal' for XP.

1 Hijack and 3 MBAM logs are attached.

hijackthis_12_4_08.txt

mbam_log_2008_12_06__17_18_24_.txt

mbam_log_2008_12_05__13_11_26_.txt

mbam_log_2008_12_05__09_29_22_.txt

hijackthis_12_4_08.txt

mbam_log_2008_12_06__17_18_24_.txt

mbam_log_2008_12_05__13_11_26_.txt

mbam_log_2008_12_05__09_29_22_.txt

Link to post
Share on other sites

Hello Jim,

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

In a new reply, place all 4 of your reports from above "in-line" of the reply !!

Next, Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from here:

http://cid-6aaab341ce47c5c2.skydrive.live....FixPolicies.exe

  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

1. Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Do not go back to review these settings as the malware may reset it. Just keep moving forward with these steps.

2. Take out the trash (temporary files & temporary internet files)

Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.

Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

ATF-Cleaner should be run per the above in every user-login account {User Profile}

=

3. Important! => Open Notepad > Click on Format > Uncheck Word wrap, if checked. Exit Notepad.

Download Random's System Information Tool (RSIT) by random/random from here and save it to your desktop.

  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Link to post
Share on other sites
  • 2 weeks later...
Hello Jim,

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

In a new reply, place all 4 of your reports from above "in-line" of the reply !!

Next, Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from here:

http://cid-6aaab341ce47c5c2.skydrive.live....FixPolicies.exe

  • Double-click FixPolicies.exe.

  • Click the "Install" button on the bottom toolbar of the box that will open.

  • The program will create a new Folder called FixPolicies.

  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.

  • A black box will briefly appear and then close.

  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

1. Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Do not go back to review these settings as the malware may reset it. Just keep moving forward with these steps.

2. Take out the trash (temporary files & temporary internet files)

Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.

Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

ATF-Cleaner should be run per the above in every user-login account {User Profile}

=

3. Important! => Open Notepad > Click on Format > Uncheck Word wrap, if checked. Exit Notepad.

Download Random's System Information Tool (RSIT) by random/random from here and save it to your desktop.

  • Double click on RSIT.exe to run RSIT.

  • Click Continue at the disclaimer screen.

  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

I've followed the instructions on one of my computers. I have others to check which I'll post later.

info.txt logfile of random's system information tool 1.04 2008-12-16 10:16:23

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

1&1 EasyLogin-->C:\Program Files\1&1\1&1 EasyLogin\Uninstall.exe

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}

Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe

Adobe Photoshop 5.5-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 5.5\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 5.5\Uninst.dll"

Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}

AnswerWorks 5.0 English Runtime-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}\setup.exe" -l0x9 -uninst -removeonly

Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}

AzureBay Screen Saver 3.5-->MsiExec.exe /X{958A793F-F1D2-4A90-B6A5-C52E2D74E8FE}

AzureBay Screen Saver-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\AzureBay\AzureBay Screen Saver\Uninst.isu"

Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}

Canon CanoScan Toolbox 4.6-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{088A077A-8028-408C-AE7B-4512AE2A65A0}\setup.exe" -l0x9 anything

CCScore-->MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}

Church Windows (F:\CW\)-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{78D1001C-1EA9-4592-90F5-3507BC2EFBE0}\setup.exe" -l0x9 -removeonly

Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}

Core Center-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MSI\Core Center\Uninst.isu"

Debugging Tools for Windows (x86)-->MsiExec.exe /I{1CD0C3C5-809D-4CFC-904A-1B67C6243637}

Dell Printer Software Uninstall-->C:\Program Files\Dell_HostCD\Install\Uninstall.exe

Dolet Light for Finale 2004-->MsiExec.exe /X{512D0FB7-4104-46BA-BE72-3A1633E7946C}

DualCoreCenter-->"C:\Program Files\MSI\DualCoreCenter\unins000.exe"

DumbiTV 5.0.0-->f:\DumbiTV\unins000.exe

ESSBrwr-->MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}

ESSCDBK-->MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}

ESScore-->MsiExec.exe /I{42938595-0D83-404D-9F73-F8177FDD531A}

ESSgui-->MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}

ESSini-->MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}

ESSPCD-->MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}

ESSPDock-->MsiExec.exe /I{FCDB1C92-03C6-4C76-8625-371224256091}

ESSSONIC-->MsiExec.exe /I{073F22CE-9A5B-4A40-A604-C7270AC6BF34}

ESSTOOLS-->MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}

essvatgt-->MsiExec.exe /I{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}

File Waster-->C:\WINDOWS\File Waster Uninstaller.exe

Finale 2004-->C:\WINDOWS\unvise32.exe f:\Finale 2004\uninstal.log

GDR 3068 for SQL Server Database Services 2005 ENU (KB948109)-->C:\WINDOWS\SQL9_KB948109_ENU\Hotfix.exe /Uninstall

GetDataBack for NTFS-->"C:\Program Files\Runtime Software\GetDataBack for NTFS\Uninstall.exe" "C:\Program Files\Runtime Software\GetDataBack for NTFS\install.log" -u

GNU Privacy Guard-->"f:\GnuPG\uninst-gnupg.exe"

Google Earth-->MsiExec.exe /I{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}

Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall

GPGee 1.4.0-BETA1-->F:\GnuPG\GPGee\uninst.exe

Greetings Workshop-->C:\Program Files\Greetings Workshop\SETUP\setup.exe

High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"

HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall

Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"

Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"

Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"

Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"

HP Deskjet 3900 series-->C:\Program Files\HP\Digital Imaging\{3819891A-030B-4a4e-98ED-B28A649E48AB}\setup\hpzscr01.exe -datfile hpfscr05.dat

HP Image Zone Express-->MsiExec.exe /X{FE64AE29-0883-4C70-8388-DC026019C900}

HP Imaging Device Functions 5.0-->C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat

Indeo

Link to post
Share on other sites

This case is only for the original problem pc. If you have any other computer with an issue, open a separate topic.

Let's don't mix them all together.

=

Start your MBAM.

Click the Settings Tab. Make sure all option lines have a checkmark.

Click the Update tab. Press the "Check for Updates" button.

At this time, the current definitions are # 1504.

When done, click the Scanner tab.

Do a FULL Scan. Let it quarantine or remove tagged items. Get a copy of that log in your next reply.

=

Download DDS and save it to your desktop from http://www.techsupportforum.com/sectools/sUBs/dds here or http://download.bleepingcomputer.com/sUBs/dds.scr or

http://www.forospyware.com/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.

Then double click dds.scr to run the tool.

When done, DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

    [*]Save both reports to your desktop.

Please include the following logs in your next reply:

DDS.txt

Attach.txt

=

Download ComboFix from one of these locations:

Link 1

Link 2

Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Reply with all reports from above, and, tell me, How is your system now ?

Lastly, kindly be prompt in responding and not to allow several days to pass.

I'll check in on you late, late this evening.

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.