# Windows Recovery Virus



## JHM

A lady friend of mine has gotten her computer infected with this virus, and it is the most vicious virus that I have thus far encountered.

I started by trying to run F-Secure on her machine, despite being warned about once a minute that her HDDs were failing, her RAM was being used to capacity, etc. The result was that after a while a rapid series of false warning messages showed up on her screen, and the virus shut the computer down.

I then removed the HDD from her computer, took it home with me, and installed it in the secondary master hotswap tray on my own machine. I ran Malware Bytes Anti-malware, and it found 14 viruses on her machine. I deleted them, and then ran F-Secure, which found 3 more, including one which was buried in a cab file in a Sun Java package. I deleted these, then reran both Malware Bytes, and F-Secure, which declared her machine clean.

I then returned her HDD to her and reinstalled it for her, and she said it worked well for a day; then she went back to "The Poker Room", (a card playing site), played for a while, then went to bed. The next day the Windows Recovery Virus was back.

I again took her HDD home with me, and installed it in my hot swap tray, and ran both Malware Bytes and F-Secure on it. This time Malware Bytes found 4 Viruses, and F-Secure found 2 other ones. I deleted all 6, then went to her house and picked up her computer, so I could reinstall her HDD and then check her F-Secure settings.

Imagine my surprise when I booted her machine, and immediately found that "Windows Recovery" was still there!!

In addition to giving a host of false alerts pertaining to various system components, this virus also:

1) Blocks usage of most programs.
2) Converts large numbers of both software files and user files into *invisible system files*.
3) Has the capacity to reinstall itself after deletion.

Any assistance appreciated.


----------



## johnb35

I'm at work right now but will at least give you something to run until I get home in a little over an hour. You may have to boot to safe mode to run this. Also it may help to run the rkill program; the link for it is in the sticky in the security section titled "please read before posting".

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* here :

http://www.bleepingcomputer.com/download/anti-virus/combofix

Then double click *combofix.exe* & follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply.
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

Combofix should never take more than 20 minutes including the reboot if malware is detected.


In your next reply please post:

The ComboFix log
A fresh HiJackThis log
An update on how your computer is running


----------



## TryingToProve

That is exactly what happened to MY computer and John from this helped me and fixed it. I went to the poker site on Facebook. I have not been back since.


----------



## JHM

Less simple than that. This virus has wiped all the programs off her start menu, wiped all the shortcut icons off her desktop, and attempts to install Antimalware Bytes have thus far failed, though admittedly they were made without "rkill" or "combofix". Problem is I can't get the internet to come up from her boot drive. I have to install her drive as a secondary on my machine, then download files to it, then try to install them with the drive on her machine. No fun. Worse, I have to go to bed now to get up for work at 6:00 AM tomorrow. Also tried to download all three different versions of "rkill" onto my machine unsuccessfully. I get some sort of popup blocker saying for my safety they have blocked it; click on yellow at top for options, do that, and get 3 choices, choose download file, and get a blank page. Bedtime for Bonzo, try again tomorrow.


----------



## johnb35

Do you have a USB flash drive handy? You can download combofix from your computer and transfer it to the flash drive. Take the flash drive to the infected computer and transfer combofix from the flash drive to the desktop and run it from there. Booting to safe mode on the infected machine should help as well.


----------



## JHM

K, final for the night. While I was typing my last message on my machine, AntiMalware Bytes came to life on hers (without Combofix). It is now loaded and running, and has detected 4 more viruses so far, in addition to one more found by F-Secure (already deleted that one), and three others I found by searching in the "All Users" "Application Data", which I was unable to delete because of "NOT AUTHORIZED", until I stuck my ERD Commander disk (a stripped down version of XP that runs from a CD) in the CD drive and used it to delete them. Right now "Windows Recovery" is not running, but I am sure there is still a fair bit of CRAP to be cleaned up, and the issue of how to restore files that have been converted to "Invisible System Files". I MUST go to bed; gonna leave Antimalware Bytes running checking her whole machine (14 partitions) overnight.

Edit : 

1) No flash drive; don't own one.
2) Overnight Malware Bytes found 28 more viruses. Will post log when I get home from work tonight (with photo of found viruses window).


----------



## TheBishop

*Windows Recovery*

Windows Recovery is a program to force you to buy their fix. If you buy the fix your computer will be fine, as they say.

With these records, why doesn't the law go after the creators of the so-called virus?
They have a web site, Windows-Recovery/Secure, so you can pay for your protection.

It's like the Mafia selling you protection from the bad guys.


----------



## JHM

I suppose it is because the police themselves are a bunch of crooks, at least they are here in Ontario. Ever since the Provincial Government gave the municipalities "Fine Revenue", the municipalities have been playing games with the law, designing laws intended to be broken, so they can collect revenue. E.g. here in Toronto they have the traffic lights synchronized ABOVE the speed limit. What does that accomplish?
1) Traffic jams, because if you do the speed limit you get every light red.
2) Pollution, for the same reason.
3) Accidents, because in many cases the lights are timed in such a manner that if you were the first vehicle at the previous light, and when it turned green promptly accelerated up to the limit, trying to make the next one green, you will find it turns red right in your face, and you have to brake hard to stop.
4) But since if you "Speed" the right amount, you get every light green, it encourages "Speeding", therefore enabling the "Oink Oink Sieg Heil, driver's licence, ownership, and insurance please" set to fulfil their quotas.


----------



## JHM

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6509

Windows 5.1.2600 Service Pack 1
Internet Explorer 6.0.2800.1106

05/05/2011 5:37:11 AM
mbam-log-2011-05-05 (05-37-11).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|L:\|M:\|N:\|O:\|)
Objects scanned: 207628
Time elapsed: 1 hour(s), 47 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 2
Registry Data Items Infected: 4
Folders Infected: 8
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\FunWebProductsInstaller.Start.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\FunWebProductsInstaller.Start (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RTHDBPL (Trojan.Agent) -> Value: RTHDBPL -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ldMFchcXrFP (Rogue.Agent.SA) -> Value: ldMFchcXrFP -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\user\start menu\Programs\windows recovery (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\documents and settings\user\application data\systemproc (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\funwebproducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\funwebproducts\Installr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\funwebproducts\Installr\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d} (Worm.Prolaco.M) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\chrome (Worm.Prolaco.M) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\chrome\content (Worm.Prolaco.M) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\user\start menu\Programs\windows recovery\uninstall windows recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\documents and settings\user\start menu\Programs\windows recovery\windows recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\documents and settings\user\application data\systemproc\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\funwebproducts\Installr\1.bin\F3PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\funwebproducts\Installr\1.bin\NPFUNWEB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\chrome.manifest (Worm.Prolaco.M) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\install.rdf (Worm.Prolaco.M) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\chrome\content\timer.xul (Worm.Prolaco.M) -> Quarantined and deleted successfully.

Here are photos of some of the virus found screens since this problem arose. Note: there have been about 10 or 12 others not included in the photos. Note also that after finding 28 viruses by running overnight while I was sleeping, Malware Bytes found another one running while I was at work today.


----------



## JHM

So, since it had found 1 more, I decided to run it yet again to see if it might find others. Well, Malware Bytes didn't find any, BUT while it was checking files, F-Secure suddenly came to life (it examines files in use) and announced it had found another virus.


----------



## johnb35

Can you burn files to a CD and then transfer them to the infected computer? If so then download combofix and burn the file to a CD, copy the file to the desktop on the infected computer, then run it. Do the same thing for hijackthis. If you can't burn files to a CD then put the infected drive in your system and place these files on that hard drive, put the drive back in the original system and run them.

What browser is used on the infected computer? Is it Internet Explorer? Most likely the malware has enabled a proxy, not allowing internet access. To check this, open Internet Options in Control Panel and click on the Connections tab, then click on the LAN settings button toward the bottom, then make sure that the boxes under proxy servers are unchecked. If they are checked then uncheck them and it should restore the internet.
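As an added example (not code from this thread, from johnb35, or from any of the tools named here), the following PowerShell script audits in one pass the indicators these posts describe: the PUM.Hijack.* policy values and the Policies\Explorer\Run autostart location from the Malwarebytes log posted above, the WinINet proxy setting that the LAN settings dialog edits, and user files that have been flipped to hidden+system. The `$UserDocs` parameter and the `-Fix` switch are my own assumptions; without `-Fix` it only reports.

```powershell
# Added example, not from this thread: read-only audit (add -Fix to repair) of the
# indicators reported in the Malwarebytes log and in johnb35's proxy advice.
# Assumptions: run from an elevated PowerShell in the affected user's session;
# $UserDocs (hypothetical parameter) is the folder whose files were hidden.
param(
    [string]$UserDocs = (Join-Path $env:USERPROFILE 'Documents'),   # assumption: folder to inspect
    [switch]$Fix                                                    # without -Fix, report only
)

# (path, value name, expected value) taken from the "Registry Data Items" section of the MBAM log
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableTaskMgr';      Good = 0 },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableTaskMgr';      Good = 0 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallPaper'; Good = 0 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';      Name = 'StartMenuLogoff';     Good = 0 }
)
foreach ($c in $policyChecks) {
    # Missing value is fine (Windows default); a non-default value is what the rogue set
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($item -ne $null -and $item.($c.Name) -ne $c.Good) {
        Write-Output ('HIJACKED  {0}\{1} = {2} (expected {3})' -f $c.Path, $c.Name, $item.($c.Name), $c.Good)
        if ($Fix) { Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Good -Type DWord }
    } else {
        Write-Output ('ok        {0}\{1}' -f $c.Path, $c.Name)
    }
}

# Policies\Explorer\Run is an autostart location msconfig does not show; the RTHDBPL entry lived here.
# Anything listed deserves a look; nothing is deleted automatically because a legitimate
# admin policy could also use this key.
foreach ($hive in 'HKLM', 'HKCU') {
    $runKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
    if (Test-Path $runKey) {
        $key = Get-Item $runKey
        foreach ($name in $key.GetValueNames()) {
            Write-Output ('AUTOSTART {0}\{1} = {2}' -f $runKey, $name, $key.GetValue($name))
        }
    }
}

# WinINet proxy: Internet Options > Connections > LAN settings reads and writes these values
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty $inetKey
if ($inet.ProxyEnable -eq 1 -or $inet.AutoConfigURL) {
    Write-Output ('PROXY     ProxyEnable={0} ProxyServer={1} AutoConfigURL={2}' -f $inet.ProxyEnable, $inet.ProxyServer, $inet.AutoConfigURL)
    if ($Fix) {
        Set-ItemProperty $inetKey -Name ProxyEnable -Value 0 -Type DWord
        Remove-ItemProperty $inetKey -Name ProxyServer   -ErrorAction SilentlyContinue
        Remove-ItemProperty $inetKey -Name AutoConfigURL -ErrorAction SilentlyContinue
    }
} else {
    Write-Output 'ok        no WinINet proxy or auto-config script set'
}

# Files under $UserDocs carrying both Hidden and System; desktop.ini and Thumbs.db
# legitimately carry those attributes, so they are skipped.
$mask = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
$hidden = @(Get-ChildItem -Path $UserDocs -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { (-not $_.PSIsContainer) -and
                   ((([int]$_.Attributes) -band $mask) -eq $mask) -and
                   ($_.Name -notmatch '^(desktop\.ini|Thumbs\.db)$') })
Write-Output ('{0} hidden+system file(s) under {1}' -f $hidden.Count, $UserDocs)
if ($Fix) {
    foreach ($f in $hidden) {
        # Clear only the two attributes the rogue added; everything else (archive, read-only) stays
        $f.Attributes = [IO.FileAttributes](([int]$f.Attributes) -band (-bnot $mask))
        Write-Output ('unhid     {0}' -f $f.FullName)
    }
}
```

Run it once without `-Fix` and compare the output against the Malwarebytes and ComboFix logs before repairing anything: a configured proxy is only suspicious on a home machine that never had one, and an entry under Policies\Explorer\Run is reported rather than removed because the script cannot tell a rogue's autostart from one an administrator placed there.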


----------



## JHM

Thanks John, right now I am running F-Secure on it again to check it one more time. Malware Bytes has already declared it clean. As soon as that is finished, I will do as you suggested. Re browser, I think it is Mozilla Firefox. One problem there has been the destruction of her Start Menu and desktop shortcuts. Yes, I can download the suggested items and burn them to a CD, then take it from there.


----------



## JHM

Alright, F-Secure declared it clean, and I burned the disk as suggested, then ran Combofix. Combofix immediately found a number of problems, and while it was running, F-Secure came to life announcing it had found one too. Tried unsuccessfully to let Combofix download and install the "Windows Recovery Console", but it said the machine was not connected to the internet (it is). I let Combofix finish running, then tried the internet again, and now I am here on her machine. Will post the Combofix log, and I suppose I should run Combofix again to try and get the "Windows Recovery Console" installed. Comments on that?

*Combofix Log*

ComboFix 11-05-06.03 - user 07/05/2011   2:58.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.1.1252.2.1033.18.2047.1612 [GMT -4:00]
Running from: d:\utilities\ComboFix\ComboFix.exe
 * Created a new restore point
 * Resident AV is active
.
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\user\WINDOWS
c:\program files\INSTALL.LOG
C:\Thumbs.db
c:\windows\start.exe
c:\windows\system32\Thumbs.db
c:\windows\Web\default.htt
.


.
c:\windows\system32\qmgr.dll . . . is infected!!
.
.
(((((((((((((((((((((((((   Files Created from 2011-04-07 to 2011-05-07  )))))))))))))))))))))))))))))))
.
.
2011-05-05 02:44 . 2011-05-05 02:44	--------	d-----w-	c:\documents and settings\user\Application Data\Malwarebytes
2011-05-05 02:43 . 2011-05-05 02:43	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2011-05-05 02:43 . 2010-12-20 22:09	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-05 02:43 . 2010-12-20 22:08	19288	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-04-19 16:36 . 2011-04-19 17:37	--------	d-----w-	c:\documents and settings\All Users\Application Data\iWin Games
2011-04-19 16:11 . 2011-04-19 16:36	--------	d--h--w-	c:\documents and settings\user\Application Data\iWin
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-04-01 02:17 . 2007-12-14 07:44	40960	------w-	c:\program files\Uninstall_CDS.exe
.
.
------- Sigcheck -------
.
.
.
[-] 2004-07-09 08:27 . 0E51BD586D186F61A9E4453DB8AEC774 . 1703936 . . [5.3.0000001.0904 built by: private/Lab06_dev(DXBLD00)] . . c:\windows\SYSTEM32\d3d9.dll
.
c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\xmlprov.dll ... is missing !!
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2002-08-29 06:41	8336384	----a-w-	c:\windows\SYSTEM32\shell32.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-25 344064]
"Disc Detector"="c:\program files\Creative\ShareDLL\CtNotify.exe" [2001-08-01 191488]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2005-10-26 122929]
"F-Secure TNB"="c:\program files\F-Secure\TNB\TNBUtil.exe" [2004-05-27 684032]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-08-29 13312]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-11-25 32768]
.
c:\documents and settings\user\Start Menu\Programs\Startup\
emesene.lnk - c:\program files\emesene\emesene.exe [2010-7-20 67584]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\CLI.exe [2004-11-25 32768]
F-Secure Automatic Update.lnk - c:\program files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe [2010-9-3 32807]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^Reboot.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Disabled Startup Items\Reboot.exe
backup=c:\windows\pss\Reboot.exeStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2004-11-25 04:27	32768	----a-w-	c:\program files\ATI Technologies\ATI.ACE\CLI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2002-08-29 06:41	1511453	----a-w-	c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rfagent]
2005-04-23 05:34	329216	---ha-w-	d:\utilities\Registry First Aid\RFA\rfagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
2001-08-23 16:00	3072	----a-w-	c:\windows\SYSTEM32\systray.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"NOMAD Detector"="c:\program files\CREATIVE\SBLIVE\PLAYCENTER2\CTNMRUN.EXE"
"PowerBar"=
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Tweak UI"=RUNDLL32.EXE c:\windows\SYSTEM32\TWEAKUI.CPL,TweakMeUp
"AHQInit"=c:\program files\Creative\SBLive\Program\AHQInit.exe
"AudioHQ"=c:\program files\Creative\SBLive\AudioHQ\AHQTB.EXE
"CTAVTray"=c:\program files\CREATIVE\SBLIVE\PROGRAM\CTAvTray.EXE
"Creative Launcher"=c:\program files\Creative\SBLive\Launcher\CTLauncher.exe
"rfagent"=d:\utilities\REGISTRY FIRST AID\RFA\rfagent.exe
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
"ATIPTA"=c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"Disc Detector"=c:\program files\Creative\ShareDLL\CtNotify.exe
"devldr16.exe"=c:\windows\SYSTEM32\DEVLDR16.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"NPROTECT"=d:\utilities\Norton\N Utilities 2000\Norton Utilities\NPROTECT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"SchedulingAgent"=mstask.exe
"KB891711"=c:\windows\SYSTEM\KB891711\KB891711.EXE
"ATIPOLL"=ati2evxx.exe
"DkService"=d:\utilities\Disk Keeper\DkService.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\F-Secure\\BackWeb\\7681197\\Program\\F-Secure Automatic Update.exe"= c:\\Program Files\\F-Secure\\BackWeb\\7681197\\program\\F-Secure Automatic Update.exe
.
R0 FSFW;F-Secure Firewall Driver;c:\windows\SYSTEM32\DRIVERS\fsdfw.sys [03/09/2010 10:54 PM 70896]
R2 BackWeb Plug-in - 7681197;F-Secure Automatic Update;c:\progra~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE [03/09/2010 10:54 PM 32807]
R2 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\FSfilter.sys [03/09/2010 10:54 PM 48816]
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\win2k\fsgk.sys [03/09/2010 10:54 PM 48256]
R2 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\FSrec.sys [03/09/2010 10:54 PM 16720]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ALG
*NewlyCreated* - IPNAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2002-08-29 06:41	67584	----a-w-	c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2002-08-29 06:41	67584	----a-w-	c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2002-08-29 06:41	67584	----a-w-	c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2002-08-29 06:41	67584	----a-w-	c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
2001-03-23 20:17	7168	----a-w-	c:\windows\SYSTEM32\updcrl.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mLocal Page = c:\windows\SYSTEM\blank.htm
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
LSP: c:\program files\F-Secure\FSPS\program\FSLSP.DLL
DPF: DirectAnimation Java Classes
DPF: Internet Explorer Classes for Java
DPF: Microsoft XML Parser for Java
DPF: Win32 Classes
.
.
------- File Associations -------
.
inifile=c:\windows\NOTEPAD.EXE %1
txtfile=c:\windows\NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Norton Utilities - d:\utilities\Norton\N Utilities 2000\Norton Utilities\Uninst.isu
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-07 03:10
Windows 5.1.2600 Service Pack 1 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Disc Detector = c:\program files\Creative\ShareDLL\CtNotify.exe?X???????????????? C?????Disc [email protected][email protected]?? [email protected][email protected][email protected][email protected]? ???????U\[email protected]???????????????????B?????|?????????????????????????????B 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(396)
c:\windows\System32\ODBC32.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(452)
c:\program files\F-Secure\FSPS\program\FSLSP.DLL
c:\windows\System32\dssenh.dll
.
- - - - - - - > 'explorer.exe'(3684)
c:\docume~1\user\LOCALS~1\Temp\IadHide5.dll
c:\windows\System32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\program files\F-Secure\Anti-Virus\fsgk32st.exe
c:\program files\F-Secure\Anti-Virus\FSGK32.EXE
c:\program files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
c:\program files\F-Secure\Common\FSMA32.EXE
c:\program files\F-Secure\Common\FSMB32.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\F-Secure\Anti-Virus\fssm32.exe
c:\program files\F-Secure\Common\FCH32.EXE
c:\program files\F-Secure\Common\FAMEH32.EXE
c:\program files\F-Secure\Anti-Virus\fsqh.exe
c:\program files\F-Secure\Anti-Virus\fsrw.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\F-Secure\Common\FNRB32.EXE
c:\program files\F-Secure\FWES\Program\fsdfwd.exe
c:\program files\F-Secure\Common\FIH32.EXE
c:\windows\System32\wbem\wmiapsrv.exe
c:\windows\System32\devldr32.exe
c:\program files\CREATIVE\SHAREDLL\MEDIADET.EXE
c:\program files\F-Secure\Anti-Virus\fsav32.exe
c:\progra~1\F-Secure\ANTI-S~1\fsaw.exe
c:\program files\F-Secure\FSGUI\fsguidll.exe
.
**************************************************************************
.
Completion time: 2011-05-07  03:16:31 - machine was rebooted
ComboFix-quarantined-files.txt  2011-05-07 07:16
.
Pre-Run: 9,903,866,368 bytes free
Post-Run: 10,469,318,144 bytes free
.
- - End Of File - - EB1EFDD1A290DEBC909BAA98FDEE7A70


----------



## JHM

I copied the two missing files from my computer onto a floppy and put them where they belong in "System32" on hers.

c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\xmlprov.dll ... is missing !!

Should I run "Combofix" again to try to get the "Windows Recovery Console" downloaded and installed on hers, now that its internet is working again, before I run "Hijack This" ?


----------



## johnb35

Are you running the same version of windows?  If yes, then go ahead. I'll go over your log in a bit.


----------



## JHM

K, I ran "Combofix" again, and this time got the "Windows Recovery Console" downloaded and installed. Also noticed her email program is now working again. Here is the latest "Combofix" log. I much appreciate your help John; THANKS so much!!

ComboFix 11-05-06.05 - user 07/05/2011  11:49:09.2.1 - x86
Microsoft Windows XP Professional  5.1.2600.1.1252.2.1033.18.2047.1425 [GMT -4:00]
Running from: d:\utilities\ComboFix\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\user\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\user\Local Settings\temp\IadHide5.dll
.
Infected copy of c:\windows\system32\qmgr.dll was found and disinfected 
Restored copy from - c:\windows\ERDNT\cache\qmgr.dll 
.
.
(((((((((((((((((((((((((   Files Created from 2011-04-07 to 2011-05-07  )))))))))))))))))))))))))))))))
.
.
2011-05-07 14:26 . 2008-04-14 09:42	13824	----a-w-	c:\windows\system32\wscntfy.exe
2011-05-07 14:26 . 2008-04-14 09:42	129024	----a-w-	c:\windows\system32\xmlprov.dll
2011-05-07 07:29 . 2011-05-07 07:29	--------	d-s---w-	c:\windows\Cookies
2011-05-05 02:44 . 2011-05-05 02:44	--------	d-----w-	c:\documents and settings\user\Application Data\Malwarebytes
2011-05-05 02:43 . 2011-05-05 02:43	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2011-05-05 02:43 . 2010-12-20 22:09	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-05 02:43 . 2010-12-20 22:08	19288	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-04-19 16:36 . 2011-04-19 17:37	--------	d-----w-	c:\documents and settings\All Users\Application Data\iWin Games
2011-04-19 16:11 . 2011-04-19 16:36	--------	d-----w-	c:\documents and settings\user\Application Data\iWin
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-04-01 02:17 . 2007-12-14 07:44	40960	------w-	c:\program files\Uninstall_CDS.exe
.
.
------- Sigcheck -------
.
[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\SYSTEM32\wscntfy.exe
.
[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\SYSTEM32\xmlprov.dll
.
[-] 2004-07-09 08:27 . 0E51BD586D186F61A9E4453DB8AEC774 . 1703936 . . [5.3.0000001.0904 built by: private/Lab06_dev(DXBLD00)] . . c:\windows\SYSTEM32\d3d9.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2002-08-29 06:41	8336384	----a-w-	c:\windows\SYSTEM32\shell32.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-25 344064]
"Disc Detector"="c:\program files\Creative\ShareDLL\CtNotify.exe" [2001-08-01 191488]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2005-10-26 122929]
"F-Secure TNB"="c:\program files\F-Secure\TNB\TNBUtil.exe" [2004-05-27 684032]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-08-29 13312]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-11-25 32768]
.
c:\documents and settings\user\Start Menu\Programs\Startup\
emesene.lnk - c:\program files\emesene\emesene.exe [2010-7-20 67584]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\CLI.exe [2004-11-25 32768]
F-Secure Automatic Update.lnk - c:\program files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe [2010-9-3 32807]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^Reboot.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Disabled Startup Items\Reboot.exe
backup=c:\windows\pss\Reboot.exeStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2004-11-25 04:27	32768	----a-w-	c:\program files\ATI Technologies\ATI.ACE\CLI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2002-08-29 06:41	1511453	----a-w-	c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rfagent]
2005-04-23 05:34	329216	----a-w-	d:\utilities\Registry First Aid\RFA\rfagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
2001-08-23 16:00	3072	----a-w-	c:\windows\SYSTEM32\systray.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"NOMAD Detector"="c:\program files\CREATIVE\SBLIVE\PLAYCENTER2\CTNMRUN.EXE"
"PowerBar"=
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Tweak UI"=RUNDLL32.EXE c:\windows\SYSTEM32\TWEAKUI.CPL,TweakMeUp
"AHQInit"=c:\program files\Creative\SBLive\Program\AHQInit.exe
"AudioHQ"=c:\program files\Creative\SBLive\AudioHQ\AHQTB.EXE
"CTAVTray"=c:\program files\CREATIVE\SBLIVE\PROGRAM\CTAvTray.EXE
"Creative Launcher"=c:\program files\Creative\SBLive\Launcher\CTLauncher.exe
"rfagent"=d:\utilities\REGISTRY FIRST AID\RFA\rfagent.exe
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
"ATIPTA"=c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"Disc Detector"=c:\program files\Creative\ShareDLL\CtNotify.exe
"devldr16.exe"=c:\windows\SYSTEM32\DEVLDR16.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"NPROTECT"=d:\utilities\Norton\N Utilities 2000\Norton Utilities\NPROTECT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"SchedulingAgent"=mstask.exe
"KB891711"=c:\windows\SYSTEM\KB891711\KB891711.EXE
"ATIPOLL"=ati2evxx.exe
"DkService"=d:\utilities\Disk Keeper\DkService.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\F-Secure\\BackWeb\\7681197\\Program\\F-Secure Automatic Update.exe"= c:\\Program Files\\F-Secure\\BackWeb\\7681197\\program\\F-Secure Automatic Update.exe
.
R0 FSFW;F-Secure Firewall Driver;c:\windows\SYSTEM32\DRIVERS\fsdfw.sys [03/09/2010 10:54 PM 70896]
R2 BackWeb Plug-in - 7681197;F-Secure Automatic Update;c:\progra~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE [03/09/2010 10:54 PM 32807]
R2 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\FSfilter.sys [03/09/2010 10:54 PM 48816]
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\win2k\fsgk.sys [03/09/2010 10:54 PM 48256]
R2 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\FSrec.sys [03/09/2010 10:54 PM 16720]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2002-08-29 06:41	67584	----a-w-	c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2002-08-29 06:41	67584	----a-w-	c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2002-08-29 06:41	67584	----a-w-	c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2002-08-29 06:41	67584	----a-w-	c:\progra~1\OUTLOO~1\setup50.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
2001-03-23 20:17	7168	----a-w-	c:\windows\SYSTEM32\updcrl.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mLocal Page = c:\windows\SYSTEM\blank.htm
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
LSP: c:\program files\F-Secure\FSPS\program\FSLSP.DLL
DPF: DirectAnimation Java Classes
DPF: Internet Explorer Classes for Java
DPF: Microsoft XML Parser for Java
DPF: Win32 Classes
.
.
------- File Associations -------
.
inifile=c:\windows\NOTEPAD.EXE %1
txtfile=c:\windows\NOTEPAD.EXE %1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-07 11:55
Windows 5.1.2600 Service Pack 1 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Disc Detector = c:\program files\Creative\ShareDLL\CtNotify.exe [followed by unprintable binary data]
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(396)
c:\windows\System32\ODBC32.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(452)
c:\program files\F-Secure\FSPS\program\FSLSP.DLL
c:\windows\System32\dssenh.dll
.
- - - - - - - > 'explorer.exe'(3324)
c:\windows\System32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\program files\F-Secure\Anti-Virus\fsgk32st.exe
c:\program files\F-Secure\Anti-Virus\FSGK32.EXE
c:\program files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
c:\program files\F-Secure\Common\FSMA32.EXE
c:\program files\F-Secure\Common\FSMB32.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\F-Secure\Anti-Virus\fssm32.exe
c:\program files\F-Secure\Common\FCH32.EXE
c:\program files\F-Secure\Common\FAMEH32.EXE
c:\program files\F-Secure\Anti-Virus\fsqh.exe
c:\program files\F-Secure\Anti-Virus\fsrw.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\F-Secure\Common\FNRB32.EXE
c:\windows\System32\wbem\wmiapsrv.exe
c:\program files\F-Secure\Common\FIH32.EXE
c:\program files\F-Secure\FWES\Program\fsdfwd.exe
c:\windows\System32\devldr32.exe
c:\program files\CREATIVE\SHAREDLL\MEDIADET.EXE
c:\program files\F-Secure\Anti-Virus\fsav32.exe
c:\progra~1\F-Secure\ANTI-S~1\fsaw.exe
c:\program files\F-Secure\FSGUI\fsguidll.exe
.
**************************************************************************
.
Completion time: 2011-05-07  11:59:54 - machine was rebooted
ComboFix-quarantined-files.txt  2011-05-07 15:59
ComboFix2.txt  2011-05-07 07:16
.
Pre-Run: 10,447,737,344 bytes free
Post-Run: 10,443,884,544 bytes free
.
winxpsp1_en_pro_bf.exe
[boot loader]
timeout = 30
default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS = "Microsoft Windows XP Professional" /fastdetect
.
- - End Of File - - B61D87823CBBA23CA6E9D86E60A4FF9C


----------



## johnb35

Ok, looks much better.  Post a fresh hijackthis log and I'll look at it when I get home tonight as I have to leave for work shortly.


----------



## JHM

Here is the Hijack This Log :

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:43:25 PM, on 07/05/2011
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsrw.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\emesene\emesene.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
D:\Utilities\HiJack This\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: emesene.lnk = C:\Program Files\emesene\emesene.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Win32 Classes - 
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gsn.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {4AB16005-E995-4A60-89DE-8B8A3E6EB5B0} (TrivialPursuit Control) - http://www.worldwinner.com/games/v56/trivialpursuit/trivialpursuit.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} (WorldWinner ActiveX Launcher Control) - http://www.worldwinner.com/games/launcher/ie/v2.22.01.0/iewwload.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - Unknown owner - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lmab_device - Unknown owner - C:\WINDOWS\System32\LMabcoms.exe

--
End of file - 6573 bytes


----------



## JHM

Note : Although the machine is much better now, and the files that were converted to "Invisible System Files" are all back to normal now, I still cannot delete unwanted shortcuts, or move shortcuts to a different location without them going bad; and nor can I make shortcuts in the manner I usually use.


----------



## johnb35

What happens when you try to delete shortcuts? What messages do you get?


----------



## JHM

To answer that, a bit of explanation is in order. I built her computer for her, and set it up the same way I set up mine. I use a single line of icons down the left side of the screen, which are mostly shortcuts to folders containing shortcuts.

These are sorted by type of software, rather than by originating company. For example the "CD Creator Icon", when double clicked, opens a folder with all shortcuts pertaining to the setup of the CD drives; and burning software, irrespective of what company produced it.

There are, as you know, a number of ways in which one can normally create and move shortcuts. BUT if I create a shortcut to "MS Task Manager", for example

Then attempt to drag the shortcut into the desktop "Utilities\System" folder, the shortcut goes BAD and will no longer work. The same is true if I try to "cut" the shortcut out of C:\Windows\System32 and "paste" it into C:\Windows\98 Desktop\Utilities\System

Attempts to delete the dead shortcut

Get me the following messages :

And the only way I have found to get around it, is to bypass the operating system, by using another operating system to delete them. There are three ways to do this.
1) have a dual boot, and use the other OS to clean up the mess.
2) put her drive in a hotswap tray, and use my OS to remove them
3) use my ERD Commander disk, (with its stripped down version of XP that runs from a CD), to delete them

This is exactly the same message I got when I tried to delete the 3 viruses I found in the "All users\application data" folder on her drive. I had to use ERD Commander to get rid of them too. Also might add that when I moved the "Malware Bytes" desktop shortcut into the utilities\system folder, it went bad too. I had to use ERD Commander to get rid of it, and create a new one.


----------



## johnb35

Definitely a weird issue there.  What happens when you just go into the folder where you want a shortcut and right click and click on new shortcut?  Is the system formatted fat32 or ntfs?

However, depending on the infection you get, even after it's cleaned up the damage it's created may be irreversible and only a fresh install of windows will fix it.


----------



## JHM

1) The system is NTFS. 2) The method of shortcut creation you mentioned works, - though I have never used it before. Didn't know it existed. Another method that works is right click on the file you want to create a shortcut to, then drag it to the folder you want the shortcut in; and click on "Create shortcuts here" in the popup window that opens.

3) Be it noted that with both of these methods, you are "Creating" a shortcut in its desired final location. Attempts to "Move" existing shortcuts now invariably fail, with the shortcut moving, but going bad in the process, and becoming inaccessible to the user. Probably a registry issue there.


----------



## johnb35

You may want to try running SFC /scannow at the command prompt.  It may or may not fix the issue.


----------



## JHM

Thanks again John; where do I find that one ?


----------



## johnb35

Start, run, type "sfc /scannow"  without quotes and make sure there is a space between the c and the /.  Also make sure you have the xp cd in the drive when you do this.


----------



## JHM

Will do as soon as I finish working with "Registry First Aid", which is finding a slew of registry errors. Thanks again.


----------



## johnb35

Just a warning, you may make things worse by using a registry cleaning program.  They usually do more damage than good.


----------



## JHM

Oh I don't let them do anything "Automatically". I deselect ALL items found, then go through them one at a time fixing the ones where I KNOW what the proper answer is.

Re "sfc /scannow", it keeps asking for an XP disk with "Service Pack 1". - Don't have. Have only an old one with no service packs, and a newer one with "Service Pack 3". How do I get around that one ?


----------



## johnb35

I guess that won't be an option then.  Where is the original cd that you installed the OS with?


----------



## JHM

Unless I am mistaken I used the Service Pack 3 disk. I built this thing for her three or four years ago. Originally it was a Win98-SE machine, but then I upgraded it to XP-Pro. Not sure. She has her own Licence.


----------



## johnb35

Then I don't know why it would be asking for the service pack 1 cd.  May have to take the dive and backup data and reinstall windows.


----------



## JHM

Thinking about that, I think I must have used the old disk with no service packs on it; then gone online to update her installation, downloading Service Pack 1, (or 1a, - which was my favourite at that time), because although Service Pack 2 was available at that time, I had had a lot of problems with it and didn't trust it.

Question : Can I go online and redownload Service Pack 1a ? If not, I can probably get ahold of the appropriate disk from a local computer shop. She DOES have a legal licence, so that's not an issue.


----------



## johnb35

You could try slipstreaming sp1a into a new install cd from the no service pack install cd.  Only you know what you used to install it with.


----------



## JHM

Fraid you lost me with that one. How do I go about "Slipstreaming SP1a into a new install CD" using my no service pack disk ?


----------



## JHM

Hmm, No response to my last; oh well here is more about what I have found on Gloria's machine. I ran "MSConfig" to see if I would find anything untoward that way.

Sure enough, something rather strange there. Right at the bottom we find "REBOOT.EXE" listed as a "Disabled Startup Item". Now usually items in the "Startup" folder are shortcuts to programs you want to run on Windows Startup. BUT this is no shortcut but rather a 327 Kilobyte exe file.

Now why on earth would anyone want Windows to automatically "REBOOT" every time it starts ? Could this be part of the "Windows Recovery Virus" ? I searched my machine for a file named "REBOOT.EXE" and there weren't any. I then searched her machine for references to "REBOOT.EXE" and found :

Next, checking my machine for a folder in Windows labelled "pss" revealed there was none.
Searching her registry for references to "REBOOT.EXE" revealed exactly 4 registry entries pertaining to the two files found, apart from those pertaining to the search I made.

Attempts to see the "Properties" of "REBOOT.EXE" failed 9 out of 10 times. The machine would go into a freeze, with the hourglass showing, and stay that way for several minutes, then the window from which one may select "Properties" would flicker visible for about 1/10 th of a second then disappear. Sometimes a corner of the window would become visible for a while but nothing else. Persistence eventually paid off however and I was able to see :

Further examination revealed :

And the only other information I could get was "Language" - "Chinese Taiwan".

Has anyone else here who is running Windows XP-PRO ever seen this file before ? Bear in mind that the "Windows Recovery Virus" Reboots your machine if you start running an antivirus program on it.
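A defender-side triage script for the kind of startup listings posted in this thread (an added example, not code from the thread, from HijackThis or from ComboFix): it parses HijackThis-style O4 lines, flags startup-folder items that are program files rather than .lnk shortcuts, as with the REBOOT.EXE observation above, and flags Run entries that launch from outside the Program Files and Windows folders, as the files found under "All Users\Application Data" did. The sample lines are constructed from the log format on this page, and the trusted-folder list is an assumption to tune per machine; a flag means "look at this", not "this is malicious".

```python
"""Triage HijackThis-style O4 startup lines (added example; not code from the
thread, HijackThis or ComboFix)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the O4 lines of a HijackThis v2 log. The
# "Sample" Run entry and the bare Reboot.exe startup item are made up here.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKCU\..\Run: [Sample] C:\Documents and Settings\All Users\Application Data\sample\sample.exe
O4 - Startup: emesene.lnk = C:\Program Files\emesene\emesene.exe
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O4 - Global Startup: Reboot.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
"""

# Where a normally installed autostart is expected to live (assumption; tune
# per environment). Anything else is worth a second look, not automatically bad.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\")

RUN_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<scope>Startup|Global Startup): (?P<item>.+?)(?: = (?P<target>.+))?$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")
EXE_RE = re.compile(r"(?i)^(.+?\.(?:exe|com|scr|bat|cmd))(?:\s|$)")


@dataclass
class Finding:
    line: str
    reasons: List[str]


def exe_path(cmd: str) -> Optional[str]:
    """Extract the executable from a Run-key command line (quoted or bare)."""
    cmd = USER_SUFFIX_RE.sub("", cmd).strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else None
    m = EXE_RE.match(cmd)
    return m.group(1) if m else (cmd.split(" ")[0] or None)


def triage(log_text: str) -> List[Finding]:
    """Return the O4 lines that deserve a manual look, with the reason(s)."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        reasons: List[str] = []
        path: Optional[str] = None
        m = STARTUP_RE.match(line)
        if m:
            # Startup-folder entries are normally .lnk shortcuts; a program
            # file sitting there directly (like Reboot.exe above) is unusual.
            if not m.group("item").lower().endswith(".lnk"):
                reasons.append("startup-folder item is a program file, not a .lnk shortcut")
            path = m.group("target")
        else:
            m = RUN_RE.match(line)
            if not m:
                continue  # not an O4 autostart line (O23 services etc. are ignored)
            path = exe_path(m.group("cmd"))
        if path and not path.lower().startswith(TRUSTED_PREFIXES):
            reasons.append(f"launches from outside the expected program folders: {path}")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```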


----------



## johnb35

Reboot.exe is nothing to do with infections, it's actually part of windows, msdos and 3.1.  If you look at the date, it says 2004.  Not knowing what you have installed on these machines it's probably part of the software installed.


----------



## JHM

Thanks John, I guess the thing to do is move it from "Disabled Startup Items" to the "pss" folder. It sure doesn't belong in "All users\Start Menu\Startup".


----------

