
Dealing with the aftermath of System Recovery Virus



First, I want to thank everyone that will respond to my post.

I recently had the "System Recovery Virus". I was able to run Microsoft Security Essentials to remove the virus. I then ran Malwarebytes to remove any other problems. I ran Malwarebytes a few times in Safe Mode and it removed over 440 issues.

I thought I removed the virus, but my desktop background is still black and my programs were not on my desktop or start menu. I then went into "Documents and Settings" to show all hidden files. Some of the files on my desktop showed up and some didn't; the icons that showed up were "hazy", like they were still hidden. But no programs are in my start menu.

Below are the Malwarebytes' Anti-Malware log file and DDS/GMER log files. I have attached the text files of the DDS program I downloaded and ran after running DeFogger.

DDS/GMER log files:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421

Run by Lori at 15:19:43 on 2011-09-13

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1790.798 [GMT -5:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k rpcss

C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\rundll32.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\System32\rundll32.exe

C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe

C:\Program Files\HP\HP Software Update\hpwuschd2.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Windows\system32\agrsmsvc.exe

C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe

C:\Program Files\Acer\Empowering Technology\Service\ETService.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\system32\NLSSRV32.EXE

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\bin32\nSvcAppFlt.exe

C:\Windows\system32\WUDFHost.exe

C:\Program Files\bin32\nSvcIp.exe

C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Windows\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\REGSVR32.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.fox8live.com/

uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=1&o=vp32&d=0810&m=aspire_x1200

mStart Page = hxxp://en.us.acer.yahoo.com

mDefault_Page_URL = hxxp://en.us.acer.yahoo.com

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\program files\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll

BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll

TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File

TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\program files\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll

mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [Acer Product Registration] "c:\program files\acer\acer registration\ACE1.exe" /startup

mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on

mRun: [<NO NAME>]

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [Nitro PDF Printer Monitor] "c:\program files\nitro pdf\professional\NitroPDFPrinterMonitor.exe"

mRun: [Act.Outlook.Service] "c:\program files\act\act for windows\Act.Outlook.Service.exe"

mRun: [Act! Preloader] "c:\program files\act\act for windows\ActSage.exe" -preload

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

LSP: %SYSTEMROOT%\system32\nvLsp.dll

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab

DPF: {449E4080-7C69-4767-A1AE-6AAE25B0B906} - hxxp://www.wacom.com/U/plugins/Windows/WacomIE.cab

DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{7EF51BE2-91D2-45E3-8CCD-5C2572C23A8C} : DhcpNameServer = 192.168.1.254

Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

.

============= SERVICES / DRIVERS ===============

.

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165648]

R1 MpKslf33ecb14;MpKslf33ecb14;c:\programdata\microsoft\microsoft antimalware\definition updates\{eb1c7794-2626-4f39-aaf4-e71869a86f78}\MpKslf33ecb14.sys [2011-9-13 28752]

R2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2008-4-30 24576]

R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-9-12 366640]

R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2010-12-10 29293408]

R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [2010-10-1 67904]

R2 QuickBooksDB18;QuickBooksDB18;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb18 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB18 [?]

R3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [2010-8-3 347648]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-9-12 22712]

R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 43392]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 65024]

R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-4-29 43552]

S2 ACT! Scheduler;ACT! Scheduler;c:\program files\act\act for windows\Act.Scheduler.exe [2008-7-31 81920]

S3 bepldr;BCL easyPDF SDK 5 Loader;c:\program files\common files\bcl technologies\easypdf 5\bepldr.exe [2007-8-22 151552]

.

=============== Created Last 30 ================

.

2011-09-13 20:00:13 28752 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{eb1c7794-2626-4f39-aaf4-e71869a86f78}\MpKslf33ecb14.sys

2011-09-13 18:22:25 7152464 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{eb1c7794-2626-4f39-aaf4-e71869a86f78}\mpengine.dll

2011-09-12 20:02:45 -------- d-----w- c:\users\lori\appdata\roaming\Malwarebytes

2011-09-12 20:02:38 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-09-12 20:02:37 -------- d-----w- c:\programdata\Malwarebytes

2011-09-12 20:02:33 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-12 20:02:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-09-12 18:12:05 439632 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{bfbaf09e-fe58-4503-9517-2ac34c924b37}\gapaengine.dll

2011-09-06 15:09:44 837680 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2011-08-24 10:01:18 2048 ----a-w- c:\windows\system32\tzres.dll

2011-08-17 16:00:55 -------- d--h--w- c:\users\lori\appdata\local\IsolatedStorage

.

==================== Find3M ====================

.

2011-09-13 20:00:39 952 --sha-w- c:\programdata\KGyGaAvL.sys

2011-07-29 17:53:27 88 --sh--r- c:\programdata\AB61413F30.sys

2011-07-22 02:54:43 1797632 ----a-w- c:\windows\system32\jscript9.dll

2011-07-22 02:48:26 1126912 ----a-w- c:\windows\system32\wininet.dll

2011-07-22 02:44:36 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2011-07-06 15:31:47 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

2011-07-01 19:09:59 35840 ----a-w- c:\windows\system32\imgutil.dll

2011-07-01 19:07:54 4096 ----a-w- c:\windows\system32\drivers\en-us\dxgkrnl.sys.mui

2011-07-01 19:07:51 519680 ----a-w- c:\windows\system32\d3d11.dll

2011-07-01 19:07:51 369664 ----a-w- c:\windows\system32\WMPhoto.dll

2011-07-01 19:07:51 252928 ----a-w- c:\windows\system32\dxdiag.exe

2011-07-01 19:07:51 195584 ----a-w- c:\windows\system32\dxdiagn.dll

2011-07-01 19:07:50 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll

2011-07-01 19:07:50 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll

2011-07-01 19:07:50 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll

2011-06-20 08:54:36 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-06-20 08:54:36 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-06-17 20:13:55 913296 ----a-w- c:\windows\system32\drivers\tcpip.sys

2011-06-17 16:03:18 375808 ----a-w- c:\windows\system32\winsrv.dll

2011-06-17 13:31:44 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys

.

============= FINISH: 15:25:56.57 ===============

MALWAREBYTES' ANTI-MALWARE LOG FILE:

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7702

Windows 6.0.6002 Service Pack 2 (Safe Mode)

Internet Explorer 9.0.8112.16421

9/13/2011 11:42:09 AM

mbam-log-2011-09-13 (11-42-09).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)

Objects scanned: 311416

Time elapsed: 31 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Attach.zip


Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.


4 weeks later...

Staff

Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
