
Four days ago McAfee found and removed a trojan from my PC.

Then a different popup (not McAfee) appeared about trojan_BNK.win32.keylogger.gen.

After that, Win 7 Total Security kept popping up automatically.

Then Windows Recovery.

I first downloaded and ran Stopzilla, but the popups continued.

Then Spybot, but most of my personal files were still missing.

Then Malwarebytes, according to the instructions at bleepingcomputer.com/virus-removal/remove-windows-recovery.

After that, unhide.exe.

Then Spyware Doctor, which found adware, all rated low danger, but I removed them anyway.

The viruses seem to be gone, but:

- several folders remain locked: Documents and Settings, MSO Cache, and a number of subfolders in my user data (one of the locked subfolders is 'menu start'). When I try to enter them, I get an 'access denied' message.

- in the start menu, under 'all programs', the programs are still listed, but the links to start them are gone.

How can I make these folders accessible again, and fix the menu?

I have tried to change the permissions in the properties of these folders, but the same 'access denied' message pops up.

I ran the programs Defogger, DDS and GMER, but I can't zip the files; I have them in full or as .rar files.

I include the last two Malwarebytes logs: in the last one the PC seemed clean; in the previous one I think it found and removed the virus/trojans.

DDS.txt:

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by x at 13:30:42,79 on ma 16-05-2011

Internet Explorer: 9.0.8112.16421

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.31.1043.18.3063.1798 [GMT 2:00]

.

AV: McAfee Antivirus en antispyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Spyware Doctor *Disabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}

SP: McAfee Antivirus en antispyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}

FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

C:\Windows\system32\mfevtps.exe

C:\Windows\system32\PSIService.exe

C:\Windows\system32\rundll32.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Xobni\XobniService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe

C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\WUDFHost.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe

C:\Windows\system32\Macromed\Flash\FlashUtil10p_ActiveX.exe

C:\Windows\system32\DllHost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\DllHost.exe

C:\Users\x\Desktop\dds.scr

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://mail.yahoo.com/

uDefault_Page_URL = hxxp://www.aldi.com/

uInternet Settings,ProxyOverride = <local>

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110214134503.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [aGxoSBhalgOAPeG] c:\programdata\aGxoSBhalgOAPeG.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [iAStorIcon] c:\program files\intel\intel® rapid storage technology\IAStorIcon.exe

mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"

mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\eigen programmas\malwarebytes\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [Malwarebytes' Anti-Malware (reboot)] "d:\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

StartupFolder: c:\users\x\appdata\roaming\micros~1\windows\startm~1\programs\startup\marktp~1.lnk - c:\eigen programmas\marktplaats\marktplaats zoekassistent\Marktplaats.exe

StartupFolder: c:\users\x\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE

uPolicies-explorer: HideSCAHealth = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xporteren naar Microsoft Excel - c:\progra~1\mif5ba~1\office12\EXCEL.EXE/3000

IE: {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - http://rover.ebay.com/rover/1/1346-72745-17534-1/4

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mif5ba~1\office12\ONBttnIE.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mif5ba~1\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

Trusted Zone: internet

Trusted Zone: mcafee.com

Trusted Zone: reaal.nl\www

DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} - hxxp://foto.hema.nl/ips-opdata/layout/hema/objects/jordan.cab

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll

SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\eigen programmas\eudora voor xp\EuShlExt.dll

.

============= SERVICES / DRIVERS ===============

.

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-10-13 386840]

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-8-24 263888]

R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2011-5-14 338880]

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2011-5-14 51984]

R0 TFSysMon;TFSysMon;c:\windows\system32\drivers\TfSysMon.sys [2011-5-14 69392]

R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-4-23 64304]

R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-2-14 164840]

R1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\drivers\PCTSD.sys [2011-5-14 233976]

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]

R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\intel\intel® rapid storage technology\IAStorDataMgrSvc.exe [2009-10-30 13336]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-2-14 271480]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-2-14 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-2-14 271480]

R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-2-14 271480]

R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-2-14 171168]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-2-14 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-2-14 141792]

R2 XobniService;XobniService;c:\program files\xobni\XobniService.exe [2010-1-28 50176]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-2-14 55840]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-2-14 152960]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-2-14 52104]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-2-14 313288]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-10-30 66592]

R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-10-30 189440]

R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [2009-10-30 579072]

R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2011-5-14 33552]

R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-5-13 1153368]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]

S3 Boonty Games;Boonty Games;c:\program files\common files\boonty shared\service\Boonty.exe [2011-3-5 69120]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-2-14 84264]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-2-8 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-2-8 40552]

S3 sdAuxService;PC Tools Auxiliary Service;c:\eigen programmas\malwarebytes\spyware pctools\spyware doctor\pctsAuxs.exe [2011-5-14 371472]

S3 sdCoreService;PC Tools Security Service;c:\eigen programmas\malwarebytes\spyware pctools\spyware doctor\pctsSvc.exe [2011-5-14 1117144]

S3 ThreatFire;ThreatFire;c:\eigen programmas\malwarebytes\spyware pctools\spyware doctor\tfengine\tfservice.exe service --> c:\eigen programmas\malwarebytes\spyware pctools\spyware doctor\tfengine\TFService.exe service [?]

S3 WatAdminSvc;Windows Activation Technologies-service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-30 1343400]

.

=============== Created Last 30 ================

.

2011-05-16 11:06:52 -------- d-----w- c:\users\x\appdata\local\{EBDEB1D4-ED55-46FE-A7A0-93D59C0EAAEA}

2011-05-15 22:07:47 -------- d-----w- c:\users\x\appdata\local\{0C107548-2F2F-4120-9B6A-B0ACA5E5AD80}

2011-05-15 09:44:04 -------- d-----w- c:\users\x\appdata\local\{5B8B7A2B-F185-4D3D-8ED9-CBAD08DFC967}

2011-05-14 11:33:20 69392 --s---w- c:\windows\system32\drivers\TfSysMon.sys

2011-05-14 11:33:20 33552 --s---w- c:\windows\system32\drivers\TfNetMon.sys

2011-05-14 11:33:19 51984 --s---w- c:\windows\system32\drivers\TfFsMon.sys

2011-05-14 11:32:25 -------- d-----w- c:\users\x\appdata\local\{29E2543C-31EF-4EE8-AC99-3F38FCF0D6E9}

2011-05-13 22:26:46 -------- d-----w- c:\users\x\appdata\local\{B3B558C1-429C-4177-BA3E-E74E22B0C897}

2011-05-13 22:10:58 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys

2011-05-13 22:10:58 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys

2011-05-13 22:10:56 233976 ----a-w- c:\windows\system32\drivers\PCTSD.sys

2011-05-13 21:19:21 -------- d-----w- c:\users\x\appdata\local\{6F704987-C763-4E58-986C-CE0E97EF88B6}

2011-05-13 19:32:06 -------- d-----w- c:\users\x\appdata\local\{413985BE-63B6-41AF-A4FE-6803A53863F9}

2011-05-13 12:30:42 -------- d-----w- c:\users\x\appdata\local\{3090749F-AD41-4685-9A44-346C22254531}

2011-05-13 10:59:54 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-05-13 10:59:54 -------- d-----w- c:\progra~2\Spybot - Search & Destroy

2011-05-12 09:10:11 -------- d-----w- c:\users\x\appdata\local\{32CD5154-3CD8-4C06-87E4-44246FE0FDBD}

2011-05-11 21:45:38 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2011-05-11 21:45:38 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys

2011-05-11 21:45:38 284160 ----a-w- c:\windows\system32\drivers\usbport.sys

2011-05-11 21:45:38 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys

2011-05-11 21:45:37 5888 ----a-w- c:\windows\system32\drivers\usbd.sys

2011-05-11 21:45:37 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys

2011-05-11 21:45:37 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys

2011-05-11 21:45:35 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-05-11 21:45:35 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-05-11 12:31:50 -------- d-----w- c:\users\x\appdata\local\{0B81D0AF-F5CA-4244-A218-87E45697854F}

2011-05-10 19:20:59 -------- d-----w- c:\users\x\appdata\local\{19627A16-CABB-4C69-AFFE-394C9CB5EC43}

2011-05-10 00:38:10 -------- d-----w- c:\progra~2\iWin Games

2011-05-09 21:41:03 -------- d-----w- c:\users\x\appdata\local\{54C3221E-7E2B-496B-A4EF-C90753D289F4}

2011-05-09 07:27:03 -------- d-----w- c:\users\x\appdata\local\{F3B7AD9A-506E-4589-B706-0935A256795C}

2011-05-08 19:26:26 -------- d-----w- c:\users\x\appdata\local\{FBBC33C5-B04C-4D86-991B-0DADC513947E}

2011-05-07 11:59:22 -------- d-----w- c:\users\x\appdata\local\{95F34D1B-8C80-460C-B013-79BEE62C4521}

2011-05-06 11:00:14 -------- d-----w- c:\users\x\appdata\local\{918CE5FF-9E62-4C1A-82F1-A2153B01820C}

2011-05-05 20:45:53 -------- d-----w- c:\users\x\appdata\local\{D2DC62C8-60AB-4C40-A98D-6D6ED78D1AA4}

2011-05-05 07:03:17 -------- d-----w- c:\users\x\appdata\local\{65394DEE-2381-4632-90E3-F9C469D1EAFF}

2011-05-04 21:15:52 -------- d-----w- c:\windows\system32\wbem\en-US

2011-05-04 12:53:43 -------- d-----w- c:\users\x\appdata\local\{F4759342-1F62-4BA9-97F2-26CD9917B345}

2011-05-03 09:58:20 -------- d-----w- c:\users\x\appdata\local\{541A6D54-78F8-4AB1-8CC6-43EB5F93C5F5}

2011-05-02 18:59:44 -------- d-----w- c:\users\x\appdata\local\{B83175AB-9F6A-4F7E-BAC2-2B768D43BB24}

2011-04-22 11:12:01 -------- d-----w- c:\users\x\appdata\local\{29841A87-4E67-4A0A-A089-11832DCA0A29}

2011-04-21 20:40:04 -------- d-----w- c:\users\x\appdata\local\{D62D8B3F-A553-43A7-8420-94551A4EF0C3}

2011-04-21 08:16:07 -------- d-----w- c:\users\x\appdata\local\{83C0F77D-4B8F-41D1-AB6B-616DD5C410F4}

2011-04-20 11:58:55 -------- d-----w- c:\users\x\appdata\local\{391C35EC-DA11-498F-ABCC-A49EE3307096}

2011-04-19 11:44:44 -------- d-----w- c:\users\x\appdata\local\{874ABDA8-2A97-4F99-BFD6-4E5398127662}

2011-04-18 21:27:04 -------- d-----w- c:\users\x\appdata\local\{6A7E475E-EF13-44DA-B321-574661EC1842}

2011-04-18 07:33:18 -------- d-----w- c:\users\x\appdata\local\{646A3F59-883B-419E-9436-168D443943C2}

2011-04-17 12:01:23 -------- d-----w- c:\users\x\appdata\local\{6AD3A6EC-47C1-410A-8FE4-B299B8133285}

2011-04-16 22:15:49 -------- d-----w- c:\users\x\appdata\local\{EDEC8E05-E89B-4E7C-BF40-14D1BD11AB2A}

.

==================== Find3M ====================

.

2011-04-27 13:37:06 1533904 ----a-w- c:\windows\PCTBDRes.dll

2011-04-13 22:40:10 4284416 ----a-w- c:\windows\system32\GPhotos.scr

2011-03-12 11:31:58 442880 ----a-w- c:\windows\system32\XpsPrint.dll

2011-03-11 05:40:24 1164288 ----a-w- c:\windows\system32\mfc42u.dll

2011-03-11 05:40:24 1137664 ----a-w- c:\windows\system32\mfc42.dll

2011-03-11 05:39:35 1686016 ----a-w- c:\windows\system32\esent.dll

2011-03-11 05:37:34 74240 ----a-w- c:\windows\system32\fsutil.exe

2011-03-08 05:38:13 740864 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-03 05:29:23 132608 ----a-w- c:\windows\system32\dnsrslvr.dll

2011-03-03 05:27:30 28672 ----a-w- c:\windows\system32\dnscacheugc.exe

2011-03-03 03:31:32 2331136 ----a-w- c:\windows\system32\win32k.sys

2011-02-26 05:33:07 2614784 ----a-w- c:\windows\explorer.exe

2011-02-24 05:32:52 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll

2011-02-19 05:33:11 802304 ----a-w- c:\windows\system32\FntCache.dll

2011-02-19 05:32:48 1074176 ----a-w- c:\windows\system32\DWrite.dll

2011-02-19 05:32:35 739840 ----a-w- c:\windows\system32\d2d1.dll

2011-02-19 05:32:08 34304 ----a-w- c:\windows\system32\atmlib.dll

2011-02-19 03:37:02 294912 ----a-w- c:\windows\system32\atmfd.dll

2011-02-18 05:33:29 31232 ----a-w- c:\windows\system32\prevhost.exe

.

============= FINISH: 13:32:47,80 ===============

Attach.rar

ark.rar

mbam-log-2011-05-14 (20-59-09).txt

mbam-log-2011-05-15 (00-05-38).txt


  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


Hi!

Thank you very much for your reply!!!

I just updated MBAM; to my surprise the quick scan found 2 items, which I removed.

I will now continue with ComboFix.

Here's the MBAM log:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Databaseversie: 6612

Windows 6.1.7600

Internet Explorer 9.0.8112.16421

19-5-2011 0:22:30

mbam-log-2011-05-19 (00-22-30).txt

Scantype: Snelle scan

Objecten gescand: 159052

Verstreken tijd: 30 minuut/minuten, 36 seconde(n)

Geheugenprocessen ge


Hello again,

Sorry for the late reaction.

I updated and ran MBAM again today, full scan, no infections found.

Then I ran ComboFix, but I couldn't get McAfee to shut down completely. I turned the options for scanning, firewall etc. off.

In the ComboFix log you can see McAfee was still running a process.

ComboFix deleted 3 files and 2 folders having to do with Adobe. I read before that the first virus was downloaded as a Flash Player (trojan_BNK.win32.keylogger.gen), so maybe these have to do with each other?

ComboFix rebooted the PC, then started to prepare the log file.

During the preparation McAfee twice gave a popup warning me to check the status of the program. I cancelled these popups.

One popup that I didn't understand came up: it said pev.cfxxe doesn't work anymore. I chose 'end program'.

I saved the log file from ComboFix.

Now almost all the icons in the taskbar at the bottom of the screen are gone (such as Internet Explorer),

the original locked folders remain locked, and the missing items in the menu are still missing.

I hope the log files from MBAM and ComboFix give you the information on how I can still fix these things.

Thanks for your help!

greetings,

Fru

combofixlog.txt

mbam-log-2011-05-20 (13-05-42).txt


Hi,

Some good news too: I can easily put the taskbar items back manually, and after a reboot they remain OK.

... another question: a friend of mine suggested trying to go back to a system restore point from a few weeks back.

Do you think that could help me? Or do you think that could cause more problems?

greetings,

Fru


  • Staff

Hi,

My apologies for the delay.

You could try a System Restore. I wouldn't though; it's likely that the malware already corrupted those Restore Points.

Please go to VirusTotal, and upload the following file for analysis:

c:\windows\system32\poqexec.exe

Post the results in your reply.

Please download Unhide.exe by Grinler and save it to your Desktop.

Run it, then restart your computer.

If that doesn't restore everything, then I'm afraid your Temp files have already been removed and the items cannot be recovered.

Let me know, in detail, what issues remain.


Hi,

Thanks for your reaction.

I will do the analysis as you said soon, but I already want to let you know that I ran unhide.exe after I used Malwarebytes the first time. It restored my desktop items then, but kept certain folders locked.

Before running ComboFix I read that ComboFix clears all the temp files anyway, so for that reason I expect those to be gone. But I still hope to find a way, even manually, that doesn't matter to me, to unlock the locked folders.

I will post again as soon as I have followed up on your reaction.

greetings,

Fru


Hi,

I didn't do the system restore yet, because you explained the restore points are probably not good anymore either.

So, the VirusTotal analysis didn't find anything as far as I understand; I will attach it here.

Unhide didn't unlock my folders, somewhat as expected, as I had already run it after the first time running Malwarebytes.

Another tip I got was to try the program tdsskiller.exe.

Do you think that could help?

The problems that remain are:

Certain folders are locked: they appear with a lock symbol in Windows Explorer. When I try to enter them by double-clicking them, I get a popup which says 'location is not available', 'folder name is not accessible', 'access denied'.

The folders with this problem are: Documents and Settings, and within the folder 'Program Data' the subfolders: Application Data, Bureaublad, Desktop, Desktop, Documenten, Documents, Favorieten, Favorites, Menu Start, Sjablonen, Start Menu, Templates.

Within the user-specific folder there are also locked subfolders; they give the same popup when I try to enter them, but in Windows Explorer they don't appear with a lock symbol, they appear a bit fainter yellow (I think as if they are hidden).

It's possible more subfolders that I don't use very often are locked as well.

In the start menu most links that execute a program are missing. The program names are still there, but underneath is a line with the text (empty), where the link that executes the program used to be before the virus got to the PC.

I don't know how much the following has to do with this virus:

When I looked in Task Scheduler, I got the popup 'taskfc3461e8: the task image has been damaged or has been tampered with'.

Since the PC had the virus, usernames etc. in forms are automatically completed. I went to Internet Options to uncheck this, and it looks like it's possible to uncheck it and press OK, but later on the usernames etc. were still automatically completed in forms, and when I went back to Internet Options, the boxes for automatically completing forms and usernames and passwords were checked again.

The main thing I would like to fix is to make all folders accessible again, and to make sure my system is safe to use again, without the risk that the virus has made changes that would still steal personal information.

Thanks again for your time and help. I hope you still have more ideas on how I can fix this.

greetings,

Fru


Hi,

The link to Unlocker gets me to a web page with an error message. I don't see Unlocker there.

I will try again later, in case it's the website that has the problem.

Maybe you could tell me another way to download it?

I can manually put programs in the start menu. I haven't tested it well yet, but they don't seem to stay there. That doesn't matter to me that much; it's the missing links within the 'all programs' part of the start menu that make starting programs more difficult.

I don't know how to put the program links back within 'all programs': it's there that most programs are missing, and I can only start them by searching for the .exe file in Windows Explorer and double-clicking that.

If you know a way I can manually put the links back into the 'all programs' menu (within the start menu), that would be great.

Thanks again for all your help!

greetings,

Fru


Hi,

I finally installed Unlocker and ran it on the blocked folders.

But it said it did not find any blocking processes, and the folders remained locked.

Unhide did not unlock them either.

I did do the system restore, and it repaired my menu: the .exe links that were missing from the 'all programs' part of the start menu are all back.

McAfee does not function anymore since the system restore. I installed the free version of Malwarebytes instead, while I am searching for the original McAfee download to try to install it fresh again.

Do you have more advice on trying to unlock the folders?

Do you think it's still not safe to use the computer with any personal information? Could a virus still be active on my PC?

Thanks again!!!

Fru


  • Staff

Hi Fru,

I see that you're a Dutch speaker...

Leave those folders alone. It is completely normal that they are not accessible in Windows 7. They are essentially symlinks, because such folders no longer exist in this Windows version but are included to stay compatible with older software.

See also here: http://www.computerhulp-limburg.be/documents-and-settings-w7.php

The same applies to the other folders you mention.

The reason you see them at all is that you made the hidden system files visible in Explorer. They are hidden and blocked for a reason... so leave them alone before you corrupt your Windows ;-) That's why it is always better to tick "Hide protected operating system files" again.

To show that this is a symlink, you can for instance do the following...

In the address bar at the top of Explorer, type: C:\documents and settings\x

Even though C:\documents and settings\x is shown at the top, this will actually open the folder C:\users\x.

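As an added example (not from the thread or its participants), this PowerShell script enumerates the compatibility junctions the staff post describes and shows that the "access denied" on them comes from the junction's own attributes and ACL rather than from malware. The use of `dir /AL` and `icacls` output, and the `Everyone:(DENY)` entry it looks for, are my assumptions about a stock Windows 7 installation.

```powershell
# Added example (not from the thread): list the hidden compatibility junctions that
# Windows Vista/7 create, e.g. "C:\Documents and Settings" -> C:\Users, and show why
# they appear "locked". Read-only; assumes Windows 7 with PowerShell 2.0 or later
# and that cmd.exe and icacls.exe are on the PATH (both ship with Windows).

function Get-CompatJunction {
    param([Parameter(Mandatory = $true)][string]$Path)

    # "dir /AL" lists only reparse points (junctions, symlinks) and prints the target
    # in square brackets. Giving /A an explicit attribute also shows hidden items.
    $lines = & cmd.exe /c dir /AL $Path 2>$null
    foreach ($line in $lines) {
        # e.g.  14-07-2009  07:08    <JUNCTION>     Documents and Settings [C:\Users]
        if ($line -notmatch '<(JUNCTION|SYMLINKD)>\s+(.+?) \[(.+)\]\s*$') { continue }
        # Copy the captures now; a later -match would overwrite $matches.
        $type   = $matches[1]
        $name   = $matches[2]
        $target = $matches[3]
        $full   = Join-Path $Path $name

        # Reading the attributes of the junction itself is allowed; only listing its
        # contents is denied, so Get-Item works where Explorer says "access denied".
        $attrs = 'n/a'
        $item = Get-Item -LiteralPath $full -Force -ErrorAction SilentlyContinue
        if ($item) { $attrs = [string]$item.Attributes }

        # icacls shows the junction's own ACL. The compatibility junctions carry an
        # explicit Everyone:(DENY)(S,RD) entry (deny "list folder / read data"); that
        # entry, not malware, is what produces the "access denied" popup.
        $aclText = & icacls.exe $full 2>$null
        $denyListing = [bool]($aclText | Where-Object { $_ -match 'Everyone:\(DENY\)' })

        New-Object PSObject -Property @{
            Type         = $type
            Path         = $full
            Target       = $target
            Attributes   = $attrs        # expect Hidden, System, Directory, ReparsePoint
            DenyListing  = $denyListing
            TargetExists = Test-Path -LiteralPath $target
        }
    }
}

# The three places the thread's locked folders live: the drive root, ProgramData,
# and the user's own profile (Application Data, Menu Start, Sjablonen, ...).
$roots = @("$env:SystemDrive\", $env:ProgramData, $env:USERPROFILE)
$roots | ForEach-Object { Get-CompatJunction -Path $_ } |
    Format-Table Type, Path, Target, Attributes, DenyListing, TargetExists -AutoSize
```

A junction whose Target no longer exists, or that lacks the Hidden/System attributes and the Everyone deny entry, is worth a closer look; the stock ones all show the same pattern.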

Hi Miekiemoes,

Thanks for your help. I have hidden the protected operating system files again, and these are indeed all the folders that were blocked.

I do have 1 more question: I have kept Malwarebytes updated and run it daily, and it no longer finds anything. Can I now assume that all viruses and their remnants have been removed from my PC, and can I use it with personal data again?

Regards,

Fru


  • Staff

Hi,

Yes, you can trust your PC again. By the way, the malware you were dealing with didn't collect any personal data from your PC, so you can rest easy on that. ;)

In the meantime, read my Prevention page with info and tips on how to avoid this in the future.

And read this page to optimise your computer again after removing malware.

Extra note: make sure your programs are up to date, because older versions can contain security leaks. To check which programs you need to update, run the Secunia Software Inspector scan.

Happy Surfing again!


Screen 317, and Miekiemoes,

Thank you very much for all your help!!!

Screen 317, I think you were pretty busy when I mailed you that no one had replied to my post, but I greatly appreciate you taking the time and effort to help me out.

I'm very relieved all is ok again.

Miekiemoes, thank you very much as well for informing me about these blocked folders. I looked at the links you put up, and there is a lot of very helpful additional information for me. Thank you very much as well.

Thanks so much to both of you!!

Fru


  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.