# Hidden everything virus!



## Jerz (Jun 22, 2011)

Hi there,

I appear to have a virus or trojan on my PC... I ran Malwarebytes and super antivirus software removal tool, and it removed a couple of trojans and tracking cookies. However, this appears not to have fixed the problem, and all my files and start menu appear to be hidden. I can still see them, but they are in 'hidden' mode.

Is there anyone who is able to assist me? I have attached the logs....


----------



## kevinf80 (Mar 21, 2006)

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

*Link 1*
*Link 2*


- Ensure that Combofix is saved directly to the Desktop *<--- Very important*
- Before saving Combofix to the Desktop re-name it to Gotcha.exe as below:

[screenshot: the download being renamed to Gotcha.exe]

- Disable all security programs as they will have a negative effect on Combofix, instructions available *Here* if required. Be aware the list may not have all programs listed, if you need more help please ask.
- Close any open browsers and any other programs you might have running.
- Double click the [Combofix icon] to run the tool (Vista or Windows 7 users right click and select "Run as Administrator").
- Instructions for running Combofix available *Here* if required.
- If you are using Windows XP it might display a pop up saying "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
- When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review.

*Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall or freeze.*

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read *Here* why disabling autoruns is recommended.

*EXTRA NOTES*

- If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
- If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal.
- If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

Post the log in next reply please...

Kevin


----------



## Jerz (Jun 22, 2011)

Thank you for the quick reply.

I am having some difficulty as I disabled AVG and it said it could not complete until I uninstalled it. I have uninstalled it and rebooted, and it is still coming up with this prompt...


----------



## kevinf80 (Mar 21, 2006)

Sorry about that, run the AVG removal utility from here http://www.avg.com/us-en/utilities


----------



## Jerz (Jun 22, 2011)

Thanks 

Here is the log:

ComboFix 11-06-22.01 - Rachael 22/06/2011 20:29:43.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.2008.1187 [GMT 1:00]
Running from: c:\users\Rachael\Desktop\Gotcha.exe
AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\nvXxCRQPEWvbtT.exe
c:\users\Dave\AppData\Local\{36660128-9EFE-444A-9BB6-70E6D557CC61}
c:\users\Dave\AppData\Local\{36660128-9EFE-444A-9BB6-70E6D557CC61}\chrome.manifest
c:\users\Dave\AppData\Local\{36660128-9EFE-444A-9BB6-70E6D557CC61}\chrome\content\_cfg.js
c:\users\Dave\AppData\Local\{36660128-9EFE-444A-9BB6-70E6D557CC61}\chrome\content\overlay.xul
c:\users\Dave\AppData\Local\{36660128-9EFE-444A-9BB6-70E6D557CC61}\install.rdf
c:\users\Dave\AppData\Roaming\Adobe\plugs
c:\users\Dave\AppData\Roaming\Adobe\shed
c:\users\Rachael\AppData\Roaming\Local
c:\users\Rachael\AppData\Roaming\Local\Temp\DDM\Settings\0.ddi
c:\users\Rachael\AppData\Roaming\Local\Temp\DDM\Settings\1.ddi
c:\users\Rachael\AppData\Roaming\Local\Temp\DDM\Settings\2.ddi
c:\users\Rachael\AppData\Roaming\Local\Temp\DDM\Settings\settings.ddi
c:\users\Rachael\AppData\Roaming\Local\Temp\DDM\Settings\Temporary Downloaded Files\video.avi(2).ddp
c:\users\Rachael\AppData\Roaming\Local\Temp\DDM\Settings\Temporary Downloaded Files\video.avi(3)(2).ddp
c:\users\Rachael\AppData\Roaming\Local\Temp\DDM\Settings\Temporary Downloaded Files\video.avi(3).ddp
c:\users\Rachael\AppData\Roaming\Local\Temp\DDM\Settings\Temporary Downloaded Files\video.avi.ddp
c:\users\Rachael\AppData\Roaming\Local\Temp\DDM\Settings\video.avi(2).ddr
c:\users\Rachael\AppData\Roaming\Local\Temp\DDM\Settings\video.avi(3)(2).ddr
c:\users\Rachael\AppData\Roaming\Local\Temp\DDM\Settings\video.avi(3).ddr
c:\users\Rachael\AppData\Roaming\Local\Temp\DDM\Settings\video.avi.ddr
c:\windows\SysWow64\muzapp.exe
c:\windows\SysWow64\system32
c:\windows\SysWow64\system32\cis-2.4.dll
c:\windows\SysWow64\system32\issacapi_bs-2.3.dll
c:\windows\SysWow64\system32\issacapi_pe-2.3.dll
c:\windows\SysWow64\system32\issacapi_se-2.3.dll
c:\windows\SysWow64\system32\MACXMLProto.dll
c:\windows\SysWow64\system32\MaDRM.dll
c:\windows\SysWow64\system32\MaJGUILib.dll
c:\windows\SysWow64\system32\MaJUtilLib.dll
c:\windows\SysWow64\system32\MAMACExtract.dll
c:\windows\SysWow64\system32\MASetupCaller.dll
c:\windows\SysWow64\system32\MASetupCleaner.exe
c:\windows\SysWow64\system32\MaXMLProto.dll
c:\windows\SysWow64\system32\MK_Lyric.dll
c:\windows\SysWow64\system32\MSCLib.dll
c:\windows\SysWow64\system32\MSFLib.dll
c:\windows\SysWow64\system32\MSLUR71.dll
c:\windows\SysWow64\system32\msvcp60.dll
c:\windows\SysWow64\system32\MTTELECHIP.dll
c:\windows\SysWow64\system32\MTXSYNCICON.dll
c:\windows\SysWow64\system32\muzaf1.dll
c:\windows\SysWow64\system32\muzapp.dll
c:\windows\SysWow64\system32\muzapp.exe
c:\windows\SysWow64\system32\muzdecode.ax
c:\windows\SysWow64\system32\muzeffect.ax
c:\windows\SysWow64\system32\muzmp4sp.ax
c:\windows\SysWow64\system32\muzmpgsp.ax
c:\windows\SysWow64\system32\muzoggsp.ax
c:\windows\SysWow64\system32\muzwmts.dll
c:\windows\SysWow64\system32\psapi.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-05-22 to 2011-06-22 )))))))))))))))))))))))))))))))
.
.
2011-06-22 19:38 . 2011-06-22 19:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-22 19:38 . 2011-06-22 19:38 -------- d-----w- c:\users\Dave\AppData\Local\temp
2011-06-22 18:52 . 2011-06-22 18:52 -------- d-----w- c:\users\Rachael\AppData\Roaming\AVG10
2011-06-22 18:48 . 2011-06-22 19:19 -------- d-----w- c:\programdata\AVG10
2011-06-22 18:40 . 2011-06-22 19:18 -------- d-----w- c:\programdata\MFAData
2011-06-22 18:32 . 2011-06-22 18:33 -------- d-----w- C:\Gotcha
2011-06-22 17:20 . 2011-06-22 17:20 388096 ----a-r- c:\users\Rachael\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-22 17:20 . 2011-06-22 17:20 -------- d-----w- c:\program files (x86)\Trend Micro
2011-06-22 07:06 . 2011-06-22 07:09 -------- d-----w- c:\programdata\WinZip
2011-06-21 14:19 . 2011-06-21 14:19 0 ---ha-w- c:\users\Dave\AppData\Local\Fhaxuw.bin
2011-06-17 14:56 . 2011-06-17 15:00 -------- d-----w- C:\a98991b36bcb37ee5eb1
2011-06-17 14:52 . 2011-04-23 01:19 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-06-17 14:52 . 2011-04-22 23:25 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2011-06-16 19:47 . 2011-04-27 02:57 102400 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-06-16 19:47 . 2011-04-25 05:32 1896832 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-16 19:47 . 2011-04-25 02:44 499712 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-16 19:47 . 2011-05-04 02:51 287744 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-16 19:47 . 2011-05-04 02:51 157696 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-16 19:47 . 2011-05-04 02:51 126464 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-16 19:47 . 2011-04-29 03:13 461312 ----a-w- c:\windows\system32\drivers\srv.sys
2011-06-16 19:47 . 2011-04-29 03:12 399872 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-16 19:47 . 2011-04-29 03:12 161792 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-16 19:47 . 2011-01-17 06:17 197120 ----a-w- c:\windows\system32\d3d10_1.dll
2011-06-16 19:47 . 2011-01-17 05:38 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll
2011-06-16 19:46 . 2011-05-28 03:07 3133952 ----a-w- c:\windows\system32\win32k.sys
2011-06-16 19:46 . 2010-12-18 06:13 861184 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-16 19:46 . 2010-12-18 05:31 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll
2011-06-16 19:46 . 2011-05-03 05:21 976896 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-16 19:46 . 2011-05-03 04:50 740864 ----a-w- c:\windows\SysWow64\inetcomm.dll
2011-06-16 11:21 . 2011-06-16 11:21 -------- d--h--w- c:\users\Rachael\AppData\Local\{488D1F94-528B-4123-B2A2-61B6FA91728C}
2011-06-08 09:27 . 2011-06-08 09:34 -------- d-----w- c:\programdata\tmp
2011-06-08 09:27 . 2011-06-08 09:27 -------- d-----w- c:\programdata\hps
2011-06-08 09:23 . 2011-06-09 07:26 -------- d-----w- c:\program files (x86)\Jessops Photo
2011-06-08 07:54 . 2011-06-08 07:54 -------- d-----w- c:\program files\iPod
2011-06-08 07:54 . 2011-06-08 07:55 -------- d-----w- c:\program files\iTunes
2011-06-08 07:54 . 2011-06-08 07:55 -------- d-----w- c:\program files (x86)\iTunes
2011-05-26 07:10 . 2011-06-09 09:10 404640 ---ha-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-05-25 09:10 . 2011-04-22 20:18 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 08:11 . 2010-09-09 16:51 39984 ---ha-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-05-29 08:11 . 2010-09-09 16:51 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-19 07:10 . 2011-05-19 07:10 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2011-05-19 07:10 . 2011-05-19 07:10 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2011-05-19 07:10 . 2011-05-19 07:10 1126912 ----a-w- c:\windows\SysWow64\wininet.dll
2011-05-19 07:10 . 2011-05-19 07:10 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2011-05-19 07:10 . 2011-05-19 07:10 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2011-05-19 07:10 . 2011-05-19 07:10 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2011-05-19 07:10 . 2011-05-19 07:10 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2011-05-19 07:10 . 2011-05-19 07:10 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2011-05-19 07:10 . 2011-05-19 07:10 367104 ----a-w- c:\windows\SysWow64\html.iec
2011-05-19 07:10 . 2011-05-19 07:10 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2011-05-19 07:10 . 2011-05-19 07:10 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2011-05-19 07:10 . 2011-05-19 07:10 1427456 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2011-05-19 07:10 . 2011-05-19 07:10 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2011-05-19 07:10 . 2011-05-19 07:10 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2011-05-19 07:10 . 2011-05-19 07:10 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2011-05-19 07:10 . 2011-05-19 07:10 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2011-05-19 07:10 . 2011-05-19 07:10 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2011-05-19 07:10 . 2011-05-19 07:10 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2011-05-19 07:10 . 2011-05-19 07:10 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2011-05-19 07:10 . 2011-05-19 07:10 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-05-19 07:10 . 2011-05-19 07:10 222208 ----a-w- c:\windows\system32\msls31.dll
2011-05-19 07:10 . 2011-05-19 07:10 1389056 ----a-w- c:\windows\system32\wininet.dll
2011-05-19 07:10 . 2011-05-19 07:10 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2011-05-19 07:10 . 2011-05-19 07:10 12288 ----a-w- c:\windows\system32\mshta.exe
2011-05-19 07:10 . 2011-05-19 07:10 114176 ----a-w- c:\windows\system32\admparse.dll
2011-05-19 07:10 . 2011-05-19 07:10 49664 ----a-w- c:\windows\system32\imgutil.dll
2011-05-19 07:10 . 2011-05-19 07:10 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-05-19 07:10 . 2011-05-19 07:10 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-05-19 07:10 . 2011-05-19 07:10 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-05-19 07:10 . 2011-05-19 07:10 111616 ----a-w- c:\windows\system32\iesysprep.dll
2011-05-19 07:10 . 2011-05-19 07:10 76800 ----a-w- c:\windows\system32\tdc.ocx
2011-05-19 07:10 . 2011-05-19 07:10 448512 ----a-w- c:\windows\system32\html.iec
2011-05-19 07:10 . 2011-05-19 07:10 85504 ----a-w- c:\windows\system32\iesetup.dll
2011-05-19 07:10 . 2011-05-19 07:10 1492992 ----a-w- c:\windows\system32\inetcpl.cpl
2011-05-19 07:10 . 2011-05-19 07:10 30720 ----a-w- c:\windows\system32\licmgr10.dll
2011-05-19 07:10 . 2011-05-19 07:10 160256 ----a-w- c:\windows\system32\wextract.exe
2011-05-19 07:10 . 2011-05-19 07:10 165888 ----a-w- c:\windows\system32\iexpress.exe
2011-05-19 07:09 . 2011-05-19 07:09 603648 ----a-w- c:\windows\system32\vbscript.dll
2011-04-09 06:58 . 2011-05-19 07:03 142336 ----a-w- c:\windows\system32\poqexec.exe
2011-04-09 06:45 . 2011-05-11 06:30 5509504 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-04-09 06:13 . 2011-05-11 06:30 3957632 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2011-04-09 06:13 . 2011-05-11 06:30 3901824 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2011-04-09 05:56 . 2011-05-19 07:03 123904 ----a-w- c:\windows\SysWow64\poqexec.exe
2011-04-06 15:26 . 2011-04-06 15:26 96544 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 15:26 . 2011-04-06 15:26 69408 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 15:26 . 2011-04-06 15:26 237856 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 15:26 . 2011-04-06 15:26 119584 ----a-w- c:\windows\system32\dns-sd.exe
2011-04-06 15:20 . 2011-04-06 15:20 91424 ---ha-w- c:\windows\SysWow64\dnssd.dll
2011-04-06 15:20 . 2011-04-06 15:20 75040 ---ha-w- c:\windows\SysWow64\jdns_sd.dll
2011-04-06 15:20 . 2011-04-06 15:20 197920 ---ha-w- c:\windows\SysWow64\dnssdX.dll
2011-04-06 15:20 . 2011-04-06 15:20 107808 ---ha-w- c:\windows\SysWow64\dns-sd.exe
2011-03-25 03:23 . 2011-05-11 06:30 343040 ----a-w- c:\windows\system32\drivers\usbhub.sys
2011-03-25 03:23 . 2011-05-11 06:30 98816 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-03-25 03:23 . 2011-05-11 06:30 324608 ----a-w- c:\windows\system32\drivers\usbport.sys
2011-03-25 03:22 . 2011-05-11 06:30 52224 ----a-w- c:\windows\system32\drivers\usbehci.sys
2011-03-25 03:22 . 2011-05-11 06:30 25600 ----a-w- c:\windows\system32\drivers\usbohci.sys
2011-03-25 03:22 . 2011-05-11 06:30 30720 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2011-03-25 03:22 . 2011-05-11 06:30 7936 ----a-w- c:\windows\system32\drivers\usbd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-17 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-17 136176]
R3 KiesAllShare;SAMSUNG KiesAllShare Service;c:\program files (x86)\Samsung\Kies\WiselinkPro\WiselinkPro.exe [x]
R3 sscebus;SAMSUNG USB Composite Device V2 driver (WDM);c:\windows\system32\DRIVERS\sscebus.sys [x]
R3 sscemdfl;SAMSUNG Mobile Modem V2 Filter;c:\windows\system32\DRIVERS\sscemdfl.sys [x]
R3 sscemdm;SAMSUNG Mobile Modem V2 Drivers;c:\windows\system32\DRIVERS\sscemdm.sys [x]
R3 ssceserd;SAMSUNG Mobile Modem Diagnostic Serial Port V2 (WDM);c:\windows\system32\DRIVERS\ssceserd.sys [x]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TFsExDisk;TFsExDisk;c:\windows\System32\Drivers\TFsExDisk.sys [2010-05-25 16392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files (x86)\Kodak\AiO\Center\ekdiscovery.exe [2010-09-13 308656]
S1 CbFs;CbFs;c:\windows\system32\drivers\cbfs.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2010-06-29 128752]
S2 dgdersvc;Device Error Recovery Service;c:\windows\system32\dgdersvc.exe [2010-05-25 119632]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-05-29 366640]
S2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe [2009-07-14 27136]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]
S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [2010-05-25 20568]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-17 18:42]
.
2011-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-17 18:42]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupOverlay]
@="{B44A5D93-1351-41A1-BD91-5E92435D8ECD}"
[HKEY_CLASSES_ROOT\CLSID\{B44A5D93-1351-41A1-BD91-5E92435D8ECD}]
2010-04-22 09:06 489808 ----a-w- c:\program files (x86)\Livedrive\LivedriveExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\LivedriveDownloadOverlay]
@="{CBCDB610-6B68-4EE9-B7A2-1282FD0C9292}"
[HKEY_CLASSES_ROOT\CLSID\{CBCDB610-6B68-4EE9-B7A2-1282FD0C9292}]
2010-04-22 09:06 489808 ----a-w- c:\program files (x86)\Livedrive\LivedriveExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\LivedriveSharedOverlay]
@="{84CEF1E4-1356-4063-845F-05047F4DD52C}"
[HKEY_CLASSES_ROOT\CLSID\{84CEF1E4-1356-4063-845F-05047F4DD52C}]
2010-04-22 09:06 489808 ----a-w- c:\program files (x86)\Livedrive\LivedriveExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\LivedriveUploadOverlay]
@="{39A1715A-E4CD-4F1E-B5C4-36B5DB80124E}"
[HKEY_CLASSES_ROOT\CLSID\{39A1715A-E4CD-4F1E-B5C4-36B5DB80124E}]
2010-04-22 09:06 489808 ----a-w- c:\program files (x86)\Livedrive\LivedriveExtensions.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-25 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-25 415256]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\system32\blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Rachael\AppData\Roaming\Mozilla\Firefox\Profiles\7y63aagf.default\
FF - prefs.js: browser.startup.homepage - facebook.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3628948623-2870423122-2920776430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-3628948623-2870423122-2920776430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
.
**************************************************************************
.
Completion time: 2011-06-22 20:59:09 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-22 19:59
.
Pre-Run: 39,692,267,520 bytes free
Post-Run: 40,898,473,984 bytes free
.
- - End Of File - - B39DFFCDC9C982D51790A73A53179E16
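The "Files Created" section of the log above is where a reviewer looks for oddities such as `c:\users\Dave\AppData\Local\Fhaxuw.bin` (zero bytes, hidden attribute, later removed via the OTM script) and the hidden GUID-named folder under Rachael's AppData. As an added example, not code from the thread or from ComboFix, this Python script parses those lines into records and flags the attribute patterns worth a second look; the line layout and the meaning of the attribute letters are inferred from this log and are an assumption, not ComboFix documentation.

```python
"""Triage ComboFix 'Files Created' entries for the attribute patterns a log
reviewer looks for (hidden bit, zero-byte files, GUID-named AppData folders).

Added example for this thread, not ComboFix code.  ASSUMPTION: the line layout
    <created> . <modified> <size or --------> <attrs> <path>
and the attribute letters (d = directory, h = hidden, a = archive,
r/w = read-only/writable) are inferred from the log posted above, not taken
from any ComboFix documentation.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed sample: a few lines copied from the ComboFix log in this thread,
# including the section banner and the '.' spacer lines ComboFix emits.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-05-22 to 2011-06-22 )))))))))))))))))))))))))))))))
.
2011-06-22 18:32 . 2011-06-22 18:33 -------- d-----w- C:\Gotcha
2011-06-21 14:19 . 2011-06-21 14:19 0 ---ha-w- c:\users\Dave\AppData\Local\Fhaxuw.bin
2011-06-17 14:52 . 2011-04-23 01:19 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-06-16 11:21 . 2011-06-16 11:21 -------- d--h--w- c:\users\Rachael\AppData\Local\{488D1F94-528B-4123-B2A2-61B6FA91728C}
2011-05-26 07:10 . 2011-06-09 09:10 404640 ---ha-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
""".strip()

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>\S.*)$"
)
GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]      # None for directory entries ('--------')
    attrs: str
    path: str
    reasons: list = field(default_factory=list)

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def is_hidden(self) -> bool:
        return "h" in self.attrs


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a file/directory line, None for banners and spacers."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(
        created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
        modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
        size=size,
        attrs=m["attrs"],
        path=m["path"],
    )


def parse_log(text: str) -> list:
    """Parse every recognisable entry line; everything else is skipped."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def triage(entries) -> list:
    """Attach review reasons to each entry and return only the flagged ones."""
    flagged = []
    for e in entries:
        reasons = []
        if e.is_hidden:
            reasons.append("hidden attribute")
        if e.size == 0:
            reasons.append("zero-byte file")
        if e.is_dir and GUID_RE.search(e.path) and "\\appdata\\" in e.path.lower():
            reasons.append("GUID-named directory in AppData")
        e.reasons = reasons
        if reasons:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(parse_log(SAMPLE_LOG)):
        kind = "dir " if e.is_dir else "file"
        print(f"{e.created:%Y-%m-%d %H:%M} {kind} {e.path}  <- {', '.join(e.reasons)}")
```

Run against the full log, the script surfaces the same three entries a human reviewer would query; anything in the Windows directory with the hidden bit (here the Flash control panel applet) still needs a manual look rather than automatic removal.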


----------



## kevinf80 (Mar 21, 2006)

How is your system responding, any change? Have the missing files returned?


----------



## Jerz (Jun 22, 2011)

Everything seems to be ok! 

How does the log look? Has it all been contained/removed?

Thanks


----------



## kevinf80 (Mar 21, 2006)

Log looks OK, run the following please....

*Step 1*

- Please download *OTM by OldTimer*.
- *Alternative Mirror 1*
- *Alternative Mirror 2*
- Save it to your desktop.
- Double click *OTM.exe* to start the tool. Vista or Windows 7 users right click and select Run as Administrator.

*Copy* the text between the dotted lines below to the clipboard by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose *Copy*):

-------------------------------------------------------------------
```text
:Files
c:\users\Dave\AppData\Local\Fhaxuw.bin
ipconfig /flushdns /c
:Commands
[EmptyFlash]
[EmptyTemp]
[ReBoot]
```
---------------------------------------------------------------------

- Return to OTMoveIt3, right click in the *"Paste Instructions for Items to be Moved"* window (under the yellow bar) and choose *Paste*.
- Click the red [button image] button.
- *Copy* everything in the Results window (under the green bar) to the clipboard by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy), and paste it in your next reply.
- Close *OTM*.
- *Note:* If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.*

If the machine reboots, the Results log can be found here:

*c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log*

*Step 2*

Reinstall your security program and do a full scan, let me see the log if anything is found.

*Step 3*

Download Security Check by screen317 from *HERE* or *HERE*.
Save it to your Desktop.
Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me see the logs from OTM, your security program (if it finds anything) and Security Check.

Kevin


----------



## Jerz (Jun 22, 2011)

Sorry, I have been at work, just got home. Will finish these steps now!


----------



## Jerz (Jun 22, 2011)

Here are all the logs... Malwarebytes is struggling to remove the trojan it's listed...


----------



## kevinf80 (Mar 21, 2006)

Maybe I should have been more concise with my instructions: when I asked you to reinstall and run a full scan with your security program I meant AVG.
Malwarebytes and SuperAntiSpyware are not antivirus programs. In the logs you've just posted Malwarebytes has not found anything new; it has identified an entry in "Qoobox", which is where Combofix quarantines infections etc. OK, not to worry.

We need to do an AV scan, Malwarebytes and SAS are not Anti-Virus (AV) programs.....

Run the following :-

*Run ESET Online Scan*

- Hold down Control and click on the following link to open ESET OnlineScan in a new window: *ESET OnlineScan*
- Click the [button image] button.
- For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
  - Click on [link image] to download the ESET Smart Installer. *Save* it to your desktop.
  - Double click on the [icon image] icon on your desktop.
- Check [checkbox image].
- Click the [button image] button.
- Accept any security warnings from your browser.
- Check [checkbox image].
- *Leave the tick out of remove found threats*
- Push the *Start* button.
- ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
- When the scan completes, push [button image].
- Push [button image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
- Push the [button image] button.
- Push [button image].
- You can refer to *this animation* by *neomage* if needed.
- Frequently asked questions available *Here*. *Please read them before running the scan.*

Also be aware this scan can take between one and several hours to complete depending on the size of your system.

ESET log can be found here *"C:\Program Files\ESET\EsetOnlineScanner\log.txt".*

Let me see the log from ESET, also give update on current issues/concerns. Make sure to re-install AVG......

Kevin


----------



## Jerz (Jun 22, 2011)

Sorry for the delay....

Current issues:


- In the start menu the folders are there, but they are all empty.
- On the other user, when trying to run a programme (Internet Explorer or Firefox) it asks you what programme you would like to use to open the file.
- Don't know if it's connected but I just tried to format an external hard drive and it could not find the file to run Computer Manager.


----------



## kevinf80 (Mar 21, 2006)

Continue as follows :-

For the Start Menu issue go *Here* and follow the instructions for your version of Windows 7.

Next,

From the account that asks what program to open an application run the following:


Please download *exeHelper* to your desktop.
Double-click on exeHelper.com to run the fix. Vista or Windows 7 users right click and select "Run as Administrator"
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
*Note:* If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Next,

From the main account run the following:

Please download *OTM by OldTimer*.
*Alternative Mirror 1*
*Alternative Mirror 2* 
Save it to your desktop. 
Double click *OTM.exe* to start the tool. Vista or Windows 7 users right click and select Run as Administrator

*Copy* the text between the dotted lines below to the clipboard by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose *Copy*):

-------------------------------------------------------------------
:Files
ipconfig /flushdns /c
C:\Old Drive\Rachael\AppData\Local\Temp\Update_3104.exe
C:\Old Drive\Rachael\AppData\Local\Temp\Update_4bde.exe
:Commands
[EmptyTemp]
[Reboot]
---------------------------------------------------------------------

 Return to OTMoveIt3, right click in the *"Paste Instructions for Items to be Moved"* window (under the yellow bar) and choose *Paste*.
Click the red [image] button.
*Copy* everything in the Results window (under the green bar) to the clipboard by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close *OTM*
*Note:* If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.*

If the machine reboots, the Results log can be found here:

*c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log*

Where mmddyyyy_hhmmss is the date of the tool run.

Let me see the log from OTM also tell me how system is now responding and what issues remain....

Kevin
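
The "what program do you want to use to open this file" symptom from the post above, as an added example that is not from the thread and is not how exeHelper works (the page does not show that tool's internals): a PowerShell check of the .exe file association. Windows launches executables through HKLM\SOFTWARE\Classes\exefile\shell\open\command, whose default value is "%1" %*; the prompt appears when a key under the user's own HKCU\Software\Classes or Explorer\FileExts\.exe overrides that, which Windows does not create for .exe by itself. The function names and the backup folder are this example's choices. Run it inside the affected account, as the post says; only the HKLM repair needs an elevated prompt.

```powershell
# Added example, not from the thread: check and repair the .exe file association
# that makes Windows ask which program should open an executable.
# Run inside the affected account (PowerShell 2.0 syntax works on Windows 7).

$MachineExeCommand  = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command'
$MachineExeExt      = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe'
$ExpectedExeCommand = '"%1" %*'     # Windows default: run the file, pass its arguments
$UserOverrideKeys   = @(            # none of these exist on a clean profile
    'HKCU:\Software\Classes\.exe',
    'HKCU:\Software\Classes\exefile',
    'HKCU:\Software\Classes\secfile',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe'
)

function Get-DefaultValue {
    param([string] $Key)
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    return (Get-ItemProperty -LiteralPath $Key).'(default)'
}

function Test-ExeAssociation {
    # One object per check, so the result can be read at a glance.
    $report = @()
    $machine = Get-DefaultValue $MachineExeCommand
    $report += New-Object PSObject -Property @{
        Check = 'HKLM exefile open command'; Value = $machine
        OK    = ($machine -eq $ExpectedExeCommand)
    }
    $ext = Get-DefaultValue $MachineExeExt
    $report += New-Object PSObject -Property @{
        Check = 'HKLM .exe maps to exefile'; Value = $ext
        OK    = ($ext -eq 'exefile')
    }
    foreach ($key in $UserOverrideKeys) {
        # A per-user key here overrides the machine default for this account only,
        # which matches the symptom appearing in one account and not the other.
        $present = Test-Path -LiteralPath $key
        $value = $null
        if ($present) { $value = Get-DefaultValue $key }
        $report += New-Object PSObject -Property @{
            Check = "no per-user override: $key"; Value = $value
            OK    = (-not $present)
        }
    }
    return $report
}

function Repair-ExeAssociation {
    # Export each key with reg.exe before deleting it so the change is reversible.
    $backupDir = Join-Path $env:TEMP ('exefix-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
    New-Item -ItemType Directory -Path $backupDir | Out-Null
    foreach ($key in $UserOverrideKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $regKey = $key -replace '^HKCU:\\', 'HKCU\'
        $file   = Join-Path $backupDir (($regKey -replace '[\\:]', '_') + '.reg')
        & reg.exe export $regKey $file /y | Out-Null
        Remove-Item -LiteralPath $key -Recurse -Force
    }
    if ((Get-DefaultValue $MachineExeCommand) -ne $ExpectedExeCommand) {
        # Machine-wide default; this part needs an elevated prompt.
        Set-ItemProperty -LiteralPath $MachineExeCommand -Name '(default)' -Value $ExpectedExeCommand
    }
    return $backupDir
}

# Usage: inspect first, repair only if a check reports OK = False.
Test-ExeAssociation | Format-Table Check, OK, Value -AutoSize -Wrap
# Repair-ExeAssociation
```

The audit is deliberately separate from the repair: on a machine that is still being cleaned, seeing which key carries the override (and what it points at) is evidence worth keeping before it is removed, and the exported .reg files in the backup folder preserve it.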


----------



## Jerz (Jun 22, 2011)

Current Problems:

On starting Laptop states there was a problem starting C:\Users\Dave\AppData\Local\FPHxpi.dll The specified module could not be found.

Some Start menu folders continue to be empty, Mozilla Firefox/iTunes/Skype/Samsung/Microsoft Office to name a few... though Default Windows Programmes appear to be restored...


----------



## kevinf80 (Mar 21, 2006)

Hiya Jerz,

The log from OTM is not complete, can you re-post it...

The folders you mention as empty, are you referring to Start > All Programs? From there all of the folders in that list are empty, is that correct? If you are, the fix is easy but will take some time to do it manually. The easiest way is to reinstall the program. If you want to do the manual fix read on.

The start up list folders actually contain shortcuts to the executable file contained in *C:\Program Files*. So for instance take *iTunes*. This is the address for iTunes:

*C:\Program Files\iTunes* inside that folder are all of the files pertinent to iTunes. If you navigate to that folder and locate and double click on *iTunes.exe* the program will open and run. That is a long way round so a short cut is placed in the following folder *C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes*

Do you follow? So to fix the Start up entry for iTunes navigate to *C:\Program Files\iTunes*. Inside that folder locate *iTunes.exe*, right click on that file, select > *create shortcut* and move the shortcut to this folder > *C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes*

Do you understand/follow the above? You would also have to alter some settings in the folder options to see file extensions when looking for the executable files...

Start > Control Panel > Tools > Folder options > View > untick "Hide extensions for known file types" > apply > OK.

Post a new HJT log please.

In reply let me see full log from OTM, a fresh HJT log, also do you understand/follow what I instruct regarding Start up menu?

Kevin
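
The shortcut repair described in the post above, as an added example that is not part of the thread and not a tool the helper uses: a PowerShell script that lists Start Menu program folders that have lost their shortcuts, recreates a shortcut to a named executable, and flips the Folder Options setting that hides extensions. The paths follow the post (Windows 7, all-users Start Menu under C:\ProgramData); the function names and the iTunes usage line are the example's own choices. It assumes an elevated PowerShell session, since writing under C:\ProgramData needs administrator rights.

```powershell
# Added example, not from the thread: repair missing Start Menu shortcuts.
# Run from an elevated PowerShell prompt (PowerShell 2.0 syntax works on Windows 7).

$AllUsersPrograms = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'
$PerUserPrograms  = Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs'

function Get-EmptyStartMenuFolders {
    # Program folders that hold no .lnk at all, in the all-users Start Menu and the
    # current user's own one. These are the "empty" entries under Start > All Programs.
    foreach ($root in $AllUsersPrograms, $PerUserPrograms) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Force |
            Where-Object { $_.PSIsContainer } |
            Where-Object {
                -not (Get-ChildItem -LiteralPath $_.FullName -Recurse -Force -Filter *.lnk -ErrorAction SilentlyContinue)
            } |
            Select-Object -ExpandProperty FullName
    }
}

function New-StartMenuShortcut {
    param(
        [Parameter(Mandatory=$true)] [string] $FolderName,   # e.g. 'iTunes'
        [Parameter(Mandatory=$true)] [string] $TargetExe,    # e.g. 'C:\Program Files\iTunes\iTunes.exe'
        [switch] $CurrentUserOnly                             # write under %APPDATA% instead of %ProgramData%
    )
    if (-not (Test-Path -LiteralPath $TargetExe -PathType Leaf)) {
        throw "Target executable not found: $TargetExe"
    }
    # Before pointing a Start Menu entry at a binary on a recently infected machine,
    # look at its Authenticode signature; a vendor's main .exe is normally signed.
    $sig = Get-AuthenticodeSignature -FilePath $TargetExe
    if ($sig.Status -ne 'Valid') {
        Write-Warning ("{0}: signature status {1}; confirm this is the vendor's file" -f $TargetExe, $sig.Status)
    }
    $root   = if ($CurrentUserOnly) { $PerUserPrograms } else { $AllUsersPrograms }
    $folder = Join-Path $root $FolderName
    if (-not (Test-Path -LiteralPath $folder)) {
        New-Item -ItemType Directory -Path $folder | Out-Null
    }
    $lnkPath = Join-Path $folder ([IO.Path]::GetFileNameWithoutExtension($TargetExe) + '.lnk')
    # WScript.Shell writes the same .lnk that Explorer's "Create shortcut" does.
    $shell = New-Object -ComObject WScript.Shell
    $sc = $shell.CreateShortcut($lnkPath)
    $sc.TargetPath       = $TargetExe
    $sc.WorkingDirectory = Split-Path -Parent $TargetExe
    $sc.Save()
    return $lnkPath
}

function Show-FileExtensions {
    # Same effect as unticking "Hide extensions for known file types" for the
    # current user; Explorer applies it after a log off or restart.
    Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
                     -Name HideFileExt -Value 0 -Type DWord
}

# Usage (the iTunes path is the one given in the post):
Show-FileExtensions
Get-EmptyStartMenuFolders
New-StartMenuShortcut -FolderName 'iTunes' -TargetExe 'C:\Program Files\iTunes\iTunes.exe'
```

Shortcuts that belong to one account live under %APPDATA% rather than C:\ProgramData, so the script checks both even though the post only mentions the all-users folder. The signature check is a precaution, not proof: an unsigned executable is not necessarily malicious and a validly signed one can still be the wrong binary, so compare the path and version with the vendor's installer if in doubt.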


----------



## Jerz (Jun 22, 2011)

Ok, yes I understand, I shall re-create the shortcuts..

here are the other logs...

Still states 


> Windows cannot find 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System\Administrative Tools\Computer Management.lnk'. Make sure you typed the name correctly, and then try again.


That's the only thing I'm noticing currently...


----------



## kevinf80 (Mar 21, 2006)

Hiya Jerz,

Go *Here* and follow the instructions to fix your current issue..

Next,

You will have several programs installed, these may be outdated and vulnerable to exploits also. To be certain, please run the free online scan by *Secunia*, available *Here* Before clicking the *Start* scan button, please check the box for the option *Enable thorough system inspection*. Just below the "Scan Options:" section, you'll see the status of what's currently processing....

...when the scan completes, the message "Detection completed successfully" will appear in the *Programs/Result* section. For each problem detected, Secunia will offer a "Solution" option. Please follow those instructions to download updated versions of the programs as recommended by Secunia.

Let me know if you have any remaining issues, if all OK we`ll clean up/uninstall the tools we`ve used....

Kevin


----------



## Jerz (Jun 22, 2011)

Thanks for the replies 

However still experiencing on starting the laptop: C:\Users\Dave\AppData\Local\FPHxpi.dll The specified module could not be found.


----------



## kevinf80 (Mar 21, 2006)

Re-run DDS and post fresh set of logs please.


----------



## Jerz (Jun 22, 2011)

Just DDS? ...


----------



## kevinf80 (Mar 21, 2006)

Can`t see anything obvious in that log to indicate what is calling *C:\Users\Dave\AppData\Local\FPHxpi.dll* at startup.

Run the following please :-

Download *OTL* from any of the following links and save to your Desktop:

*Link 1*
*Link 2*
*Link 3*


 Double click on the icon to run it. Vista and Windows 7 users right click and select Run as Administrator. Make sure all other windows are closed and to let it run uninterrupted.
 In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".
 Under the Custom Scan box paste this in

```
netsvcs
drivers32
Dir C:\Documents and Settings\All Users\Start Menu\Programs\*.* /s /c
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
```

 Click the *Run Scan* button. Do not change any settings unless otherwise told to do so. The scan won't take long.
 When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
 Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your reply
Copy and paste OTL.Txt and Extras.Txt in your reply.

Kevin


----------



## LauraMJ (Mar 18, 2004)

Just wanted to let you know that Jerz is having problems posting and we're trying to figure out why.

http://forums.techguy.org/site-comments-suggestions/1004622-unable-reply.html#post7985663


----------



## kevinf80 (Mar 21, 2006)

Thanks for the information LauraMJ, I`ll await the outcome....

Kevin


----------



## Jerz (Jun 22, 2011)

ok bizarrely it is letting me edit, bit by bit... though still having some problems replying


----------



## kevinf80 (Mar 21, 2006)

Please download *SystemLook* from one of the links below and save it to your Desktop.
*Link 1*
*Link 2*

Double-click *SystemLook.exe* to run it.
Copy the content of the following codebox into the main textfield:


```
:dir
C:\ProgramData\8888ql417im38g28b807p2536m0c72fk0i /s
:file
C:\ProgramData\8888ql417im38g28b807p2536m0c72fk0i /s
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop entitled *SystemLook.txt*

Kevin


----------



## Jerz (Jun 22, 2011)

SystemLook 04.09.10 by jpshortstuff
Log created at 19:36 on 29/06/2011 by Rachael
Administrator - Elevation successful

========== dir ==========

C:\ProgramData\8888ql417im38g28b807p2536m0c72fk0i - Unable to find folder.

========== file ==========

C:\ProgramData\8888ql417im38g28b807p2536m0c72fk0i /s - Unable to find/read file.

-= EOF =-


----------



## kevinf80 (Mar 21, 2006)

Re-run *OTL* by double left click, Vista and Windows 7 users right click and select Run as Administrator.

Under the *Custom Scan* box at the bottom, paste in the following


```
:OTL
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
:Services
:Reg
:Files
ipconfig /flushdns /c
C:\ProgramData\8888ql417im38g28b807p2536m0c72fk0i
:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
```

Then click the *Run Fix* button at the top
Let the program run unhindered, reboot the PC when it is done
Post the log that is produced.

Let me see the log in your reply, also give update on issues/concerns

Kevin


----------



## LauraMJ (Mar 18, 2004)

Jerz, try logging out, emptying your browser's cache and deleting the cookies, then logging back in and see if that helps.


----------



## Jerz (Jun 22, 2011)

still experiencing on starting the laptop: C:\Users\Dave\AppData\Local\FPHxpi.dll The specified module could not be found.

Also booting up/logging in appears to be getting slower and slower... :s


----------



## Jerz (Jun 22, 2011)

LauraMJ said:


> Jerz, try logging out, emptying your browser's cache and deleting the cookies, then logging back in and see if that helps.


Thanks for the reply, unfortunately has not helped. It seems I am unable to post logs directly to posts. It allows me to post a sentence, then go back and edit it, but If I try to post the log in the edit it responds the same way. I can attach them though, so not entirely impossible to get by...


----------



## kevinf80 (Mar 21, 2006)

It looks like you did not carry out the instructions from reply#27 correctly, did you use the *Run Fix* button? It appears that you may have used the *Run Scan* button....


----------



## Jerz (Jun 22, 2011)

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-help\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{314111c7-a502-11d2-bbca-00c04f8ec294}\ not found.
File {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found not found.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Rachael\Desktop\cmd.bat deleted successfully.
C:\Users\Rachael\Desktop\cmd.txt deleted successfully.
C:\ProgramData\8888ql417im38g28b807p2536m0c72fk0i moved successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Dave
->Temp folder emptied: 1018 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 92224912 bytes
->Flash cache emptied: 1037 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Rachael
->Temp folder emptied: 221385809 bytes
->Temporary Internet Files folder emptied: 17418620 bytes
->Java cache emptied: 118545 bytes
->FireFox cache emptied: 234934058 bytes
->Flash cache emptied: 2296 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 20808208 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 1706647133 bytes

Total Files Cleaned = 2,187.00 mb

[EMPTYFLASH]

User: All Users

User: Dave
->Flash cache emptied: 0 bytes

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Public

User: Rachael
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.24.1 log created on 07022011_183115

Files\Folders moved on Reboot...
C:\Users\Dave\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Rachael\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...

Still getting the .dll file missing on start up


----------



## kevinf80 (Mar 21, 2006)

Hiya Jerz,

This is frustrating for sure, I don`t see what is calling for that .dll file.... OK lets try a different tack, as follows please :-

*Step 1*

*Please read carefully and follow these steps.*

Download *TDSSKiller* and save it to your Desktop.
Extract its contents to your desktop.
Once extracted, open the TDSSKiller folder and doubleclick on *TDSSKiller.exe* to run the application, then on *Start Scan.*

If an infected file is detected, the default action will be *Cure*, click on *Continue.*

If a suspicious file is detected, the default action will be *Skip*, click on *Continue.*

It may ask you to reboot the computer to complete the process. Click on *Reboot Now*.

If no reboot is required, click on *Report*. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "*TDSSKiller.[Version]_[Date]_[Time]_log.txt*". Please copy and paste the contents of that file here.

*Step 2*


Re-run OTL, Double click on the icon to run it, Vista or Windows 7 users right click and select Run as Administrator. Make sure all other windows are closed and to let it run uninterrupted.
 In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".
 Under the Custom Scan box paste this in

```
netsvcs
drivers32 
msconfig
safebootminimal
safebootnetwork
```

 Click the *Run Scan* button. Do not change any settings unless otherwise told to do so. The scan won't take long.
 When the scan completes let me see the log that is produced.

Kevin


----------



## Jerz (Jun 22, 2011)

here are the requested logs


----------



## kevinf80 (Mar 21, 2006)

Double click *OTM.exe* to re-start the tool. Vista or Windows 7 users right click and select Run as Administrator

*Copy* the text between the dotted lines below to the clipboard by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose *Copy*):

-------------------------------------------------------------------
:Files
C:\Users\Rachael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Clearblue.lnk
:Commands
[reboot]
---------------------------------------------------------------------

 Return to OTMoveIt3, right click in the *"Paste Instructions for Items to be Moved"* window (under the yellow bar) and choose *Paste*.
Click the red [image] button.
*Copy* everything in the Results window (under the green bar) to the clipboard by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close *OTM*
*Note:* If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.*

If the machine reboots, the Results log can be found here:

*c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log*

Where mmddyyyy_hhmmss is the date of the tool run.

Please download *SystemLook* from one of the links below and save it to your Desktop.
*Link 1*
*Link 2*

Double-click *SystemLook.exe* to run it.
Copy the content of the following codebox into the main textfield:


```
:filefind
ClickPotatoLiteSA.*
:folderfind
ClickPotatoLiteSA
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop entitled *SystemLook.txt*

Let me see the two logs...


----------



## Jerz (Jun 22, 2011)

========== FILES ==========
File/Folder C:\Users\Rachael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Clearblue.lnk not found.
========== COMMANDS ==========

OTM by OldTimer - Version 3.1.18.0 log created on 07042011_164315



SystemLook 04.09.10 by jpshortstuff
Log created at 16:45 on 04/07/2011 by Rachael
Administrator - Elevation successful

No Context: :filefind

No Context: ClickPotatoLiteSA.*

========== folderfind ==========

Searching for "ClickPotatoLiteSA"
No folders found.

-= EOF =-


----------



## kevinf80 (Mar 21, 2006)

I`m going to ask for a second opinion on your issue with


> C:\Users\Dave\AppData\Local\FPHxpi.dll The specified module could not be found.


I`ll get back to you ASAP


----------



## kevinf80 (Mar 21, 2006)

Please download *SystemLook* from one of the links below and save it to your Desktop.
*Link 1*
*Link 2*

If you still have SystemLook on your desktop just re-run and use new command


Double-click *SystemLook.exe* to run it.
Copy the content of the following codebox into the main textfield:


```
:regfind
FPHxpi.dll
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop entitled *SystemLook.txt*


----------



## Jerz (Jun 22, 2011)

SystemLook 04.09.10 by jpshortstuff
Log created at 19:16 on 05/07/2011 by Rachael
Administrator - Elevation successful

========== regfind ==========

Searching for "FPHxpi.dll"
[HKEY_USERS\S-1-5-21-3628948623-2870423122-2920776430-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"Xyazapelepix"="rundll32.exe "C:\Users\Dave\AppData\Local\FPHxpi.dll",Startup"

-= EOF =-


----------



## kevinf80 (Mar 21, 2006)

Please download *OTM by OldTimer*.
*Alternative Mirror 1*
*Alternative Mirror 2* 
Save it to your desktop. 
Double click *OTM.exe* to start the tool. Vista or Windows 7 users right click and select Run as Administrator

*Copy* the text between the dotted lines below to the clipboard by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose *Copy*):

-------------------------------------------------------------------
:Reg
[HKEY_USERS\S-1-5-21-3628948623-2870423122-2920776430-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"Xyazapelepix"=-
:Files
C:\Users\Dave\AppData\Local\FPHxpi.dll
:Commands
[EmptyTemp]
---------------------------------------------------------------------

 Return to OTMoveIt3, right click in the *"Paste Instructions for Items to be Moved"* window (under the yellow bar) and choose *Paste*.
Click the red [image] button.
*Copy* everything in the Results window (under the green bar) to the clipboard by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close *OTM*
*Note:* If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.*

If the machine reboots, the Results log can be found here:

*c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log*

Where mmddyyyy_hhmmss is the date of the tool run.

Let me see the log in your reply, has the alert stopped?

Kevin
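
The Run-key finding from the SystemLook log and the OTM fix that removes it, as an added example that is not from the thread and is not part of SystemLook or OTM: a PowerShell audit of the Run and RunOnce keys of HKEY_LOCAL_MACHINE and of every user hive loaded under HKEY_USERS, which is where scans run from Rachael's account had been missing Dave's entry. For each value it works out the file the command would actually load (the DLL argument for rundll32, the executable otherwise), then flags values whose file is missing, which is exactly what produces "The specified module could not be found" at logon, and values that make rundll32 load a DLL out of a user profile. The function names, the Suspicious heuristic and the backup location are the example's own choices; the SID and value name in the usage line are the ones from the log above.

```powershell
# Added example, not from the thread: audit autostart Run/RunOnce values across
# all loaded user hives and flag orphaned or profile-resident rundll32 entries.
# Run from an elevated PowerShell prompt (PowerShell 2.0 syntax works on Windows 7).

$RunSubkeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # 32-bit view on x64
)

function Get-CommandTarget {
    param([string] $Command)
    # Return the file an autostart command actually loads.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    # rundll32.exe "C:\path\x.dll",Entry  -> the DLL is what matters, not rundll32
    if ($cmd -match '^(?:"?[^"]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+)') { return $Matches[1] }
    # "C:\Program Files\app.exe" /args     -> quoted path
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    # C:\Program Files\app.exe /args       -> unquoted path with spaces: grow the
    # prefix one token at a time until it names an existing file
    $tokens = $cmd -split '\s+'
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf -ErrorAction SilentlyContinue) { return $candidate }
    }
    return $tokens[0]
}

function Get-AutorunAudit {
    # HKEY_CURRENT_USER is an alias for the logged-on user's HKEY_USERS\<SID>, so
    # walking HKEY_USERS covers the current account and every other loaded hive.
    $hives = @('HKEY_LOCAL_MACHINE') + @(Get-ChildItem -Path Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object { 'HKEY_USERS\' + $_.PSChildName })
    $results = @()
    foreach ($hive in $hives) {
        foreach ($sub in $RunSubkeys) {
            $key = "$hive\$sub"
            if (-not (Test-Path -LiteralPath "Registry::$key")) { continue }
            $item = Get-ItemProperty -LiteralPath "Registry::$key"
            foreach ($prop in $item.PSObject.Properties) {
                if ($prop.Name -like 'PS*') { continue }              # provider metadata
                $cmd = [string] $prop.Value
                if ($cmd.Trim() -eq '') { continue }
                $target = Get-CommandTarget $cmd
                if ([IO.Path]::IsPathRooted($target)) {
                    $exists = Test-Path -LiteralPath $target -PathType Leaf -ErrorAction SilentlyContinue
                } else {
                    # bare name: Windows resolves it through PATH at logon, so do the same
                    $exists = [bool] (Get-Command $target -ErrorAction SilentlyContinue)
                }
                # Heuristic, tune to taste: a missing target, or rundll32 loading a
                # DLL out of a user profile, deserves a look.
                $suspicious = (-not $exists) -or
                              ($cmd -match 'rundll32' -and $target -match '\\Users\\[^\\]+\\AppData\\')
                $results += New-Object PSObject -Property @{
                    Key = $key; Name = $prop.Name; Command = $cmd
                    Target = $target; Exists = $exists; Suspicious = $suspicious
                }
            }
        }
    }
    return $results
}

function Remove-AutorunValue {
    param([string] $Key, [string] $Name)
    # Export the key first so the deletion can be reversed with "reg import".
    $backup = Join-Path $env:TEMP ('autorun-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export $Key $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export of $Key failed" }
    Remove-ItemProperty -LiteralPath "Registry::$Key" -Name $Name
    return $backup
}

# Usage: list the flagged values, then remove the one the SystemLook log found.
Get-AutorunAudit | Where-Object { $_.Suspicious } |
    Format-Table Key, Name, Command, Exists -AutoSize -Wrap
# Remove-AutorunValue -Key 'HKEY_USERS\S-1-5-21-3628948623-2870423122-2920776430-1001\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'Xyazapelepix'
```

Only hives that are currently loaded appear under HKEY_USERS; a profile that is not logged on can be mounted with `reg load HKU\Audit C:\Users\<name>\NTUSER.DAT`, audited, and released again with `reg unload HKU\Audit`. In this thread the DLL was already gone (OTM reports it "not found") while the Run value still fired at every logon, so a missing target is the signal to act on, not the presence of the file.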


----------



## Jerz (Jun 22, 2011)

All processes killed
========== REGISTRY ==========
Registry value HKEY_USERS\S-1-5-21-3628948623-2870423122-2920776430-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Xyazapelepix deleted successfully.
========== FILES ==========
File/Folder C:\Users\Dave\AppData\Local\FPHxpi.dll not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Dave
->Temp folder emptied: 3050 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 70633745 bytes
->Flash cache emptied: 1137 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Rachael
->Temp folder emptied: 3050 bytes
->Temporary Internet Files folder emptied: 252354 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 303276417 bytes
->Flash cache emptied: 1792 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 160 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 62643360 bytes

Total Files Cleaned = 417.00 mb

OTM by OldTimer - Version 3.1.18.0 log created on 07052011_204650

Files moved on Reboot...
C:\Users\Dave\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Rachael\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...

everything looks ok *touch wood!*


----------



## kevinf80 (Mar 21, 2006)

OK we can clean up now, as follows please :-

*Step 1*

Remove Combofix now that we're done with it

Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")

 Please follow the prompts to uninstall Combofix.
 You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
The above procedure will delete the following:

 ComboFix and its associated files and folders.
 VundoFix backups, if present
 The C:\_OTMoveIt folder, if present
 Reset the clock settings.
 Hide file extensions, if required.
 Hide System/Hidden files, if required.
 Reset System Restore.
*It is very important that you get a successful uninstall because of the extra functions done at the same time, let me know if this does not happen.*

*Step 2*


Download *OTC* by OldTimer and save it to your *desktop.* *Alternative mirror*
Double click the [image] icon to start the program. 
If you are using Vista or Windows 7, please right-click and choose run as administrator
Then Click the big [image] button.
You will get a prompt saying "_Beginning Cleanup Process_". Please select *Yes*.
Restart your computer when prompted.
This will remove tools we have used and itself. Any tools/logs remaining on the Desktop can be safely deleted.

*Step 3*

1. Click Start, type *programs and features* in the Search programs and files box, and then press ENTER.
2. Click to select *ESET Online Scanner* from the listing of installed products, and then click Uninstall/Change from the bar that displays the available tasks. Uninstall ESET, only re-boot if prompted.

*Step 4*

Your Adobe Acrobat Reader is out of date. Older versions are vulnerable to attack and exploitation.

Please go to the link below to update.

*Adobe Reader* Untick the Free McAfee® Security Scan Plus (optional) unless you want it. (not required)

*Step 5*

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. 
For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. 
The most current version of Sun Java is: Java Runtime Environment Version 6 Update 26.


 Go to *Sun Java*
 Select *Windows 7/XP/Vista/2000/2003/2008* If using 64 bit OS Select *Information about the 64-bit Java plug-in* and follow prompts
 Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
 Reboot your computer

Let me know if the above steps complete OK, also any remaining issues or concerns...

Kevin


----------



## Jerz (Jun 22, 2011)

Combofix /uninstall doesn't like AVG again, is it safe to continue with the other steps without doing this first?


----------



## kevinf80 (Mar 21, 2006)

Don't worry about Combofix /uninstall, OTC will remove it, but will need to do manual flush of System restore cache as follows at the very end of all steps:

Create a new restore point:

1. Right-click on Computer and go to Properties.
2. Next click on the System Protection link.
3. The System Properties dialog screen opens up and you will want to click on Create.
4. Type in a description for the restore point which will help you remember the point at which it was created. Click on create.
5. You should see the message "The restore point was created successfully"

To remove all but the most recent restore point do the following:

1. Open Disk Cleanup by clicking the Start button. In the search box, type Disk Cleanup, and then, in the list of results, click Disk Cleanup.
2. If prompted, select the drive that you want to clean up, and then click OK.
3. In the Disk Cleanup for (drive letter) dialog box, click Clean up system files. Administrator permission required If you're prompted for an administrator password or confirmation, type the password or provide confirmation.
4. If prompted, select the drive that you want to clean up, and then click OK.
5. Click the More Options tab, under System Restore and Shadow Copies, click Clean up.
6. In the Disk Cleanup dialog box, click Delete.
7. Click Delete Files, and then click OK. Re-Boot.

Tell me if any issues/concerns remain....


----------



## Jerz (Jun 22, 2011)

everything looks fantastic! booting up is a bit slow but I am about to run a disk de-frag.... 

thank you so much for your fantastic response and dedication!


----------



## kevinf80 (Mar 21, 2006)

Good to hear all is well again, Here are some tips to reduce the potential for malware infection in the future

*Make proper use of your antivirus and firewall*

Antivirus and Firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware, if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features, make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

You should keep your antivirus and firewall guard enabled at all times, *NEVER* turn them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure your system remains clean. Once a week should be adequate. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

Install and use *WinPatrol* This will inform you of any attempted unauthorized changes to your system.

WinPatrol features explained *Here*

You will have several programs installed, these may be outdated and vulnerable to exploits also. To be certain, please run the free online scan by *Secunia*, available *Here* Before clicking the *Start* scan button, please check the box for the option *Enable thorough system inspection*. Just below the "Scan Options:" section, you'll see the status of what's currently processing....

...when the scan completes, the message "Detection completed successfully" will appear in the *Programs/Result* section. For each problem detected, Secunia will offer a "Solution" option. Please follow those instructions to download updated versions of the programs as recommended by Secunia.

*Use a safer web browser*

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives:

*Firefox*,

*Opera*, and

*Chrome*.

All of these are excellent faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial *HERE* which will help you to make IE *MUCH* safer.

These *browser add-ons* will help to make your browser safer:

*Web of Trust* warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones:

Available for *Firefox* and *Internet Explorer*.

*Green* to go, 
*Yellow* for caution, and 
*Red* to stop.

Available for *Firefox* only. *NoScript* helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing.

These are just a couple of the most popular add-ons, if you're interested in more, take a look at *THIS* article.

Here are a couple of links by two security experts that will give some excellent tips and advice.

*So how did I get infected in the first place by Tony Klein*

*How to prevent Malware by Miekiemoes*

Finally this link *HERE* will give a comprehensive up to date list of free Security programs. To include - Antivirus, Antispyware, Firewall, Antimalware, Online scanners and rescue CD`s.

Don`t forget, the best form of defense is common sense. If you don`t recognize it, don`t open it. If something looks too good to be true, then it ain't.

I recommend the following to defrag HD :-

Download and run the free version of *Puran Disc Defragmenter*
For the first run I would recommend a boot defrag and disk check :-

1. Select your Boot drive, normally C:
2. Select Boot time defrag.
3. Restart > Defrag > Restart > Disk Check.

Then just follow the prompts. This will take an extended time to run so always do at a time when you do not wish to use the system for several hours.

If no more issues hit the Mark Solved tab at the top of the thread...

Kevin


----------



## Jerz (Jun 22, 2011)

Thanks very much for all the help!


----------

