Solved: Please Help Serious Infection on Laptop



gateman (Thread Starter) | Member with 8 posts | Join Date: Aug 2012 | Experience: Intermediate
09-Aug-2012, 08:52 PM #1
Please Help Serious Infection on Laptop
Here is the description of the problem. I can't see my files in My Computer or Explorer. The Start menu has been wiped out and doesn't show any of my installed programs. They seem to still be there, but the virus is masking them; I can see them when I run Search. The System Idle Process is at 98-99. I can boot into safe mode. I can boot into regular Windows, but I get a BSOD. I cannot run HijackThis. I was able to run Malwarebytes and I am attaching a log file. I am re-running ComboFix to see if I can install HijackThis.

When I try to run HijackThis it says "The system administrator has set policies to prevent this installation." When I tried to go to Administrative Tools to open Local Security Policy, it was an empty window. I am able to open Local Security Policy via the Run dialog ("Secpol.msc /s"). When we got in we were not able to open Software Restriction Policies. So then we went into the registry and created a new DWORD value named DisableMSI with a value of 0, and then we were able to go back into Local Security Policy, open Software Restriction Policies, open Enforcement, and set the policy to apply to "all users except local administrators." We changed the name of HijackThis.msi to Analysethis.msi and we got a new error.

We ran a Malwarebytes scan and it found multiple start menu hijacker objects.

Windows XP Pro
Can't open System Properties right now

Edit: If I boot into regular Windows without safe mode, I get a BSOD stop error code 7E.

Edit: I ran a new Malwarebytes full system scan and attached a new log file.
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log. If you started this thread, please make sure you are logged in to be able to view attachments.

Last edited by gateman; 09-Aug-2012 at 10:23 PM.
gateman (Thread Starter) | Member with 8 posts | Join Date: Aug 2012 | Experience: Intermediate
09-Aug-2012, 10:24 PM #2
See second attachment.
Attachment Blocked
dvk01 (Derek) | Moderator & Malware Removal Specialist with 45,696 posts | authorized to help remove malware | Join Date: Dec 2002 | Location: Loughton, Essex, UK
10-Aug-2012, 05:02 AM #3
Step 1
Run this:
http://download.bleepingcomputer.com/grinler/unhide.exe

Step 2
Delete any existing version of ComboFix you have sitting on your desktop
Please read and follow all these instructions very carefully
Do not edit or remove any information or user names etc, otherwise we cannot fix the problem. If you insist on editing out anything then I will close the topic & refuse to offer any help.

Download ComboFix from Here to your Desktop.
As you download it, rename it to username123.exe


**Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer**
--------------------------------------------------------------------
1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus and anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results" or stop ComboFix running at all.
  • Click on THIS LINK to see instructions on how to temporarily disable many security programs while running ComboFix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re-enable the protection again after ComboFix has finished.
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running
Double-click on the renamed ComboFix.exe & follow the prompts.
If you are using Windows XP, it might display a pop-up saying "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" for further review


****Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze. ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: ComboFix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. Read HERE why we disable autoruns.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If ComboFix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

Please tell us if it has cured the problems or if there are any outstanding issues

*EXTRA NOTES*
  • If ComboFix detects any rootkit/bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
  • If the ComboFix reboot is due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
  • If after running ComboFix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

Post the log in next reply please...
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | How to protect yourself and other Security Advice
Find out all about the European Wild Hedgehog, what you can do to save it from extinction Hedgehog Rescue
gateman (Thread Starter) | Member with 8 posts | Join Date: Aug 2012 | Experience: Intermediate
12-Aug-2012, 07:08 PM #4
Hello again, and thanks for your detailed response! I have followed your instructions. Unhide worked, but I still get the BSOD 7E when booting to regular Windows (yes, it is XP Pro). However, I am unable to get ComboFix to work. It will download the recovery console from Windows and begin the scan, but it just keeps locking up. I left it overnight and through the whole day and nothing; I have restarted it several times, same thing. There are NO real-time antivirus proggies running. The part it locks up on is where it says it should take about 10 minutes but could be longer if it's heavily infected.
dvk01 (Derek) | Moderator & Malware Removal Specialist with 45,696 posts | authorized to help remove malware | Join Date: Dec 2002 | Location: Loughton, Essex, UK
13-Aug-2012, 10:42 AM #5
Try it in safe mode then & see if it will work & get a log.
gateman (Thread Starter) | Member with 8 posts | Join Date: Aug 2012 | Experience: Intermediate
13-Aug-2012, 11:26 PM #6
Thank you very much for your help. I have tried it in safe mode and I get the same results. Where do I go from here? Thanks again.
dvk01 (Derek) | Moderator & Malware Removal Specialist with 45,696 posts | authorized to help remove malware | Join Date: Dec 2002 | Location: Loughton, Essex, UK
14-Aug-2012, 02:17 AM #7
Run TDSSKiller from http://support.kaspersky.com/viruses...?qid=208280684

Let it cure anything it finds (except SPTD.SYS or anything detected as UnsignedFile.Multi.Generic, which should be ignored) & then reboot.

Post back with its log.

By default, the utility outputs the log into system disk (it is usually the disk with installed operating system, C:\) root folder.
Logs have names like: UtilityName.Version_Date_Time_log.txt.
E.g. C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt
gateman (Thread Starter) | Member with 8 posts | Join Date: Aug 2012 | Experience: Intermediate
17-Aug-2012, 11:46 PM #8
TDSS Killer
Hello,

Thank you for your help. I downloaded this file and I cannot get it to run. When I click on it an hourglass briefly appears and then disappears with nothing running. I moved it from the download folder to the desktop, still nothing. I renamed it and tried to run it and still nothing happened. I went back to the download folder where the original download was and it still wouldn't run. Something is blocking this program from running. I also tried to run it with the run command. It just doesn't want to run. Please advise on what to do about this.

Thank you,

James
dvk01 (Derek) | Moderator & Malware Removal Specialist with 45,696 posts | authorized to help remove malware | Join Date: Dec 2002 | Location: Loughton, Essex, UK
18-Aug-2012, 05:26 AM #9
See if this will run and give us some idea.

However, I think we might be on a loser here & we will end up formatting & reinstalling.
Download OTS.exe to your Desktop
  • Close any open browsers.
  • Double-click on OTS.exe to start the program.
  • If your Real protection or Antivirus intervenes with OTS, allow it to run.
  • In the Processes group click ALL
  • In the modules group click ALL
  • In the Services group click Safe List
  • In the Drivers group click Safe List
  • In the Registry group click ALL
  • In the Files Age drop-down box click 360
  • Make sure the company name, no name and skip Microsoft files boxes are checked
  • In the Files created and Files modified groups select ALL
  • In the Additional scans section please select Everything and make sure the safe list box is checked
  • Now on the toolbar at the top select "Scan all users" then click the Run Scan button
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that notepad file
Use the Reply button and attach the notepad file here. I will review it when it comes in.

It will be much too big, so you will need to zip the file before it can be uploaded.
gateman (Thread Starter) | Member with 8 posts | Join Date: Aug 2012 | Experience: Intermediate
18-Aug-2012, 12:39 PM #10
OTS Notepad File
Thank you very much for helping me with this problem. I ran the program and saved it as a rar and zip file. I am sending both to you.

Again, Thank you very much.

James S.
Attachment Blocked
dvk01 (Derek) | Moderator & Malware Removal Specialist with 45,696 posts | authorized to help remove malware | Join Date: Dec 2002 | Location: Loughton, Essex, UK
18-Aug-2012, 04:23 PM #11
Start OTS. Copy/Paste the information in the Code box below into the pane where it says "Paste fix here" and then click the Run Fix button.


Code:
[Kill All Processes]
[Unregister Dlls]
[Registry - All]
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\Owner\Application Data\Mozilla\FireFox\Profiles\29h6avho.default\prefs.js
YN -> browser.search.defaultenginename -> "iMesh Web Search"
YN -> browser.search.order.1 -> "iMesh Web Search"
YN -> extensions.enabledItems -> searchtoolbar@zugo.com:1.2
YN -> extensions.enabledItems -> superfish@superfish.com:1.2.0.8
YN -> keyword.URL -> "http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZUxdm0809Bus&ptnrS=ZUxdm0809Bus&si=CN_Olp7K5asCFRM6gwod1W5OMg&ptb=9LWcqbxKHzOOnrW9_W3NAA&ind=2011101308&n=77def87c&psa=&st=kwd&searchfor="
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
YY -> HKLM\software\mozilla\Firefox\Extensions\\superfish@superfish.com -> C:\Documents and Settings\All Users\Application DataMozilla\Extensions\superfish@superfish.com [C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATAMOZILLA\EXTENSIONS\SUPERFISH@SUPERFISH.COM]
YY -> HKLM\software\mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com -> C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN
YY -> HKLM\software\mozilla\Firefox\Extensions\\39ffxtbr@MapsGalaxy_39.com -> C:\PROGRAM FILES\MAPSGALAXY_39\BAR\1.BIN
< FireFox Extensions [User Folders] > -> 
YY -> ~EmptyValue -> C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\29h6avho.default\extensions\39ffxtbr@MapsGalaxy_39.com
YN -> ~EmptyValue -> C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\29h6avho.default\extensions\m3ffxtbr@mywebsearch.com
YY -> ~EmptyValue -> C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\29h6avho.default\extensions\searchtoolbar@zugo.com
< FireFox SearchPlugins [User Folders] > -> 
YY ->  mywebsearch.xml -> C:\Documents and Settings\Owner\Application Data\Mozilla\FireFox\Profiles\29h6avho.default\searchplugins\mywebsearch.xml
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {71c1d63a-c944-428a-a5bd-ba513190e5d2} [HKLM] -> [Search Assistant BHO]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "{364ea597-e728-4ce4-bb4a-ed846ef47970}" [HKLM] -> [MapsGalaxy]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-3902979331-1047035270-2560529683-1005\] > -> HKEY_USERS\S-1-5-21-3902979331-1047035270-2560529683-1005\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{364EA597-E728-4CE4-BB4A-ED846EF47970}" [HKLM] -> [MapsGalaxy]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "MapsGalaxy Search Scope Monitor" -> ["C:\PROGRA~1\MAPSGA~2\bar\1.bin\39srchmn.exe" /m=2 /w /h]
YN -> "MapsGalaxy_39 Browser Plugin Loader" -> [C:\PROGRA~1\MAPSGA~2\bar\1.bin\39brmon.exe]
< Run [HKEY_USERS\S-1-5-21-3902979331-1047035270-2560529683-1005\] > -> HKEY_USERS\S-1-5-21-3902979331-1047035270-2560529683-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Alexander Avdonin" -> C:\Documents and Settings\Owner\Local Settings\Application Data\Alexander Avdonin\ewzybgkq.dll [RUNDLL32.EXE "C:\Documents and Settings\Owner\Local Settings\Application Data\Alexander Avdonin\ewzybgkq.dll",DllGetClassObject]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab [Reg Error: Key error.]
YN -> {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab [Reg Error: Key error.]
YN -> {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab [Reg Error: Key error.]
YN -> {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab [Reg Error: Key error.]
YN -> {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab [Reg Error: Key error.]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.141\Photo.exe" -> [C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.141\Photo.exe:*:Enabled:Enabled]
YN -> "C:\WINDOWS\Temp\~os412.tmp\rlvknlg.exe" -> [C:\WINDOWS\Temp\~os412.tmp\rlvknlg.exe:*:Enabled:rlvknlg.exe]
[Registry - Additional Scans - Safe List]
< Ext (PreApproved) - [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\
YN -> {08858AF6-42AD-4914-95D2-AC3AB0DC8E28} [HKLM] -> Reg Error: Key error. [MyWebSearch Third Party Installer]
YN -> {3ED5E5EC-0965-4DD3-B7D8-DBC48A1172B9} [HKLM] -> [MapsGalaxy_39 HTML Menu]
YN -> {a35ff019-6dbe-4044-b080-6f3fa78a947f} [HKLM] -> [MapsGalaxy_39 HTML]
YN -> {e045df14-bf1d-405c-a37b-a75c1551ad17} [HKLM] -> [MapsGalaxy Third Party Installer]
< Ext (Settings) - [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\
YN -> {71C1D63A-C944-428A-A5BD-BA513190E5D2} [HKLM] -> [Search Assistant BHO]
< Ext (Stats) - [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\
YN -> {1E91A655-BB4B-4693-A05E-2EDEBC4C9D89} [HKLM] -> [Toolbar BHO]
YN -> {364EA597-E728-4CE4-BB4A-ED846EF47970} [HKLM] -> [MapsGalaxy]
YN -> {71C1D63A-C944-428A-A5BD-BA513190E5D2} [HKLM] -> [Search Assistant BHO]
[Files/Folders - Created Within 360 Days]
NY ->  2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY ->  2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  2 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp
NY ->  1 C:\Documents and Settings\Owner\*.tmp files -> C:\Documents and Settings\Owner\*.tmp
[Files/Folders - Modified Within 360 Days]
NY ->  aqGUKHkSK3EVGS -> C:\Documents and Settings\All Users\Application Data\aqGUKHkSK3EVGS
NY ->  File_Recovery.lnk -> C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\File_Recovery.lnk
NY ->  File_Recovery.lnk -> C:\Documents and Settings\Owner\Desktop\File_Recovery.lnk
NY ->  -aqGUKHkSK3EVGSr -> C:\Documents and Settings\All Users\Application Data\-aqGUKHkSK3EVGSr
NY ->  -aqGUKHkSK3EVGS -> C:\Documents and Settings\All Users\Application Data\-aqGUKHkSK3EVGS
[Alternate Data Streams]
NY -> @Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:40E5AD89
NY -> @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4A9220C3
NY -> @Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:221F35CC
[Empty Temp Folders]
[EmptyFlash]
[EmptyJava]
[Start Explorer]
[ZipFiles]
[Reboot]
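To review a fix script like the one above before running it, the following Python parser (an added example here, not OTS's own code and not part of the original post) splits the script into sections, groups and YN/YY/NY entries, then flags Run-key and firewall-exception entries whose target lives under a Temp or Local Settings\Application Data directory, which is exactly where the rundll32 entry and the rlvknlg.exe firewall exception in this fix point. It assumes the two-letter prefix reads as (delete registry item, delete file); the sample input is a subset of the lines from the fix above.

```python
"""Parse an OTS fix script ("< Group > -> location" / "YN -> key -> value" lines, as posted
above) and triage its persistence entries. Added example; the prefix reading is an assumption."""
import re
from collections import Counter

# Sample input: a subset of the fix lines posted above.
SAMPLE_FIX = r"""
[Registry - All]
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\Owner\Application Data\Mozilla\FireFox\Profiles\29h6avho.default\prefs.js
YN -> browser.search.defaultenginename -> "iMesh Web Search"
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {71c1d63a-c944-428a-a5bd-ba513190e5d2} [HKLM] -> [Search Assistant BHO]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "MapsGalaxy_39 Browser Plugin Loader" -> [C:\PROGRA~1\MAPSGA~2\bar\1.bin\39brmon.exe]
< Run [HKEY_USERS\S-1-5-21-3902979331-1047035270-2560529683-1005\] > -> HKEY_USERS\S-1-5-21-3902979331-1047035270-2560529683-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Alexander Avdonin" -> C:\Documents and Settings\Owner\Local Settings\Application Data\Alexander Avdonin\ewzybgkq.dll [RUNDLL32.EXE "C:\Documents and Settings\Owner\Local Settings\Application Data\Alexander Avdonin\ewzybgkq.dll",DllGetClassObject]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\WINDOWS\Temp\~os412.tmp\rlvknlg.exe" -> [C:\WINDOWS\Temp\~os412.tmp\rlvknlg.exe:*:Enabled:rlvknlg.exe]
[Alternate Data Streams]
NY -> @Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:40E5AD89
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")                              # [Registry - All]
GROUP_RE = re.compile(r"^<\s*(.+?)\s*>\s*->\s*(.*)$")               # < Group > -> location
ENTRY_RE = re.compile(r"^([YN])([YN])\s*->\s*(.+?)\s*->\s*(.*)$")   # YN -> key -> value
PATH_RE = re.compile(r'[A-Za-z]:\\[^\[\]":,*]+')                    # Windows paths inside a value
SUSPICIOUS_DIRS = ("\\temp\\", "\\local settings\\application data\\")  # unusual homes for autostarts


def parse_fix(text):
    """Return one dict per YN/YY/NY entry, tagged with its section and group."""
    entries, section, group, location = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            section, group, location = m.group(1), None, None
        elif m := GROUP_RE.match(line):
            group, location = m.group(1), m.group(2)
        elif m := ENTRY_RE.match(line):
            entries.append({
                "section": section, "group": group, "location": location,
                "delete_registry": m.group(1) == "Y",   # first letter: registry action (assumed)
                "delete_file": m.group(2) == "Y",       # second letter: file action (assumed)
                "key": m.group(3), "value": m.group(4),
            })
    return entries


def summarize(entries):
    """Count entries per section and the registry/file deletions the fix would perform."""
    return {
        "by_section": dict(Counter(e["section"] for e in entries)),
        "registry_deletions": sum(e["delete_registry"] for e in entries),
        "file_deletions": sum(e["delete_file"] for e in entries),
    }


def triage(entries):
    """Flag Run-key and firewall-exception entries whose target sits in a temp or profile-data dir."""
    findings = []
    for e in entries:
        grp = (e["group"] or "").lower()
        if not (grp.startswith("run ") or "authorized applications" in grp):
            continue
        for path in (p.strip() for p in PATH_RE.findall(e["key"] + " " + e["value"])):
            if any(d in path.lower() for d in SUSPICIOUS_DIRS) and (e["group"], path) not in findings:
                findings.append((e["group"], path))
    return findings


if __name__ == "__main__":
    parsed = parse_fix(SAMPLE_FIX)
    print(summarize(parsed))
    for group, path in triage(parsed):
        print(f"REVIEW: {group} -> {path}")
```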
gateman (Thread Starter) | Member with 8 posts | Join Date: Aug 2012 | Experience: Intermediate
18-Aug-2012, 07:11 PM #12
OTS Fix
Hello,

I ran this program after pasting the code in the box. It seemed to run okay, rebooted into normal Windows, and produced a file showing what it did. When I tried to relocate the file to the desktop to send to you I got the BSOD. I rebooted a couple of times into normal Windows and no matter what I do I still get the BSOD. I am willing to try whatever you think is necessary, but I am considering moving all of my files to an external hard drive and installing the operating system back onto the original hard drive with the discs that came with my laptop. Unfortunately, my external drive is a Seagate (which is fine), but the program Seagate uses to clone a drive first doesn't want to run on my computer, and second proposes to completely delete everything on the external drive first. I don't want to lose the data on the external or internal drives. I guess I will have to buy a new external drive. There is more than enough room on the external drive to cover my laptop drive. If it helps, the laptop is on a RAID system.

When I open Explorer to see my hard drives I get this error over and over again, whether I am in safe mode or regular Windows mode:

Cannot initialize My Safe folder.
Cannot open the My Safe kernel driver. The driver is either stopped or was not installed correctly. Please reenable the driver or reinstall Protector Suite.

I am attaching the notepad file that came up after running the fix.

I appreciate all of your help. Please advise.

James S.
Attachment Blocked
dvk01 (Derek) | Moderator & Malware Removal Specialist with 45,696 posts | authorized to help remove malware | Join Date: Dec 2002 | Location: Loughton, Essex, UK
19-Aug-2012, 05:29 AM #13
Just about everything there was not found when it tried to delete.
That suggests that something is diverting all calls to the registry or files to a blank area.
The only solution I can see is format & reinstall. Anything else is just too dangerous to even think about.
gateman (Thread Starter) | Member with 8 posts | Join Date: Aug 2012 | Experience: Intermediate
28-Aug-2012, 07:08 AM #14
Thank you
Thank you very much for your help. With unhide I was able to recover most of my files. I copied them onto an external hard drive and then reloaded the factory software. The computer is now working again. I just have to get my main programs back onto it. I appreciate all the time and help you gave me.

Thank you very much,

James
dvk01 (Derek) | Moderator & Malware Removal Specialist with 45,696 posts | authorized to help remove malware | Join Date: Dec 2002 | Location: Loughton, Essex, UK
28-Aug-2012, 10:45 AM #15
Thanks for letting us know.

You can mark this solved by using the button at the top or bottom of the topic.
Good luck