Author Topic: [Resolved] Malware, ie redirect, fake av scan, the works  (Read 3861 times)


Offline Capt_Ted

  • Bronze Member
  • Posts: 38
Re: [Resolved] Malware, ie redirect, fake av scan, the works
« Reply #45 on: July 08, 2012, 03:41:40 AM »
Good morning.  It seems to be acting fine.  It boots quickly and my speed test is good.  Thanks so much.  I still have the pop up box that internet explorer is not the current browser, missing links in things like start/all programs/accessory/system tools, or start/control panel/administrative tools, and I suspect but am not sure of missing icons on my desktop.  Thanks

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] Malware, ie redirect, fake av scan, the works
« Reply #46 on: July 08, 2012, 06:37:42 AM »
Run this tool...then check for your missing icons. Post back your results. Thanks!
Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-12

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven

Offline Capt_Ted

  • Bronze Member
  • Posts: 38
Re: [Resolved] Malware, ie redirect, fake av scan, the works
« Reply #47 on: July 08, 2012, 06:59:49 AM »
I do not see any changes.  Here is the log.  Thanks

Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
  http://www.bleepingcomputer.com/forums/topic405109.html

Program started at: 07/08/2012 08:49:49 AM
Windows Version: Windows XP

Please be patient while your files are made visible again.

Processing the C:\ drive
Finished processing the C:\ drive. 184777 files processed.

The C:\DOCUME~1\Ted\LOCALS~1\Temp\smtmp\ folder does not exist!!
Unhide cannot restore your missing shortcuts!!
Please see this topic in order to learn how to restore default
Start Menu shortcuts: http://www.bleepingcomputer.com/forums/topic405109.html

Searching for Windows Registry changes made by FakeHDD rogues.
 - Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
 - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
 - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
 - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
 - Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
No registry changes detected.

Restarting Explorer.exe in order to apply changes.

Program finished at: 07/08/2012 08:52:58 AM
Execution time: 0 hours(s), 3 minute(s), and 8 seconds(s)

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] Malware, ie redirect, fake av scan, the works
« Reply #48 on: July 08, 2012, 08:09:11 AM »
In your post #20, Here...you make reference to downloading some cleanup tools. You do say you weren't comfortable using them but, having used them, you may have removed the temp folder contents which is where your shortcuts were stored. Do you remember what tools you downloaded?

Offline Capt_Ted

  • Bronze Member
  • Posts: 38
Re: [Resolved] Malware, ie redirect, fake av scan, the works
« Reply #49 on: July 08, 2012, 08:41:36 AM »
The reference in post 20 was to two programs I downloaded to clean up my registry and that was a long time ago.  They were recommended to speed up frame rates in Flight Simulator.  They are Registry Mechanic and CC Cleaner.  They are on my other computer and I did not run them.  I think I should stay away from the registry.  The programs I used trying to fix this computer myself were all the versions of RKill, TdssKiller, RootkitBuster, iExplore, Sychost, and Hitman Pro.  I ran a search for smtmp and nothing was found.  Thanks.

Offline Capt_Ted

  • Bronze Member
  • Posts: 38
Re: [Resolved] Malware, ie redirect, fake av scan, the works
« Reply #50 on: July 08, 2012, 08:48:11 AM »
I remember using UnHide also.  That is what gave me my icons back when the desktop was empty.  Would there be a log of that event that I could find?  Thanks.

Offline Capt_Ted

  • Bronze Member
  • Posts: 38
Re: [Resolved] Malware, ie redirect, fake av scan, the works
« Reply #51 on: July 08, 2012, 09:02:00 AM »
I was searching the internet with my old computer.  Downloading to desktop.  Loading onto USB stick.  Plugging into infected computer in safe mode, running apps then deleting stick.  I should have kept notes!!  This 62 year old brain doesn't remember well anymore!!

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] Malware, ie redirect, fake av scan, the works
« Reply #52 on: July 08, 2012, 04:50:33 PM »
Quote
I remember using UnHide also.  That is what gave me my icons back when the desktop was empty.  Would there be a log of that event that I could find?  Thanks.
Posted by: Capt_Ted    
OK, that's the tool we just ran and the log you just posted...this should be a non-issue now.
Quote
I still have the pop up box that internet explorer is not the current browser, missing links in things like start/all programs/accessory/system tools, or start/control panel/administrative tools, and I suspect but am not sure of missing icons on my desktop.  Thanks
That pop-up came as a result of running combofix. Whatever browser you WERE using has been removed as default once combofix is run since combofix restores the default browser for use, as Internet Explorer. If you want Internet Explorer to be your default browser then you can define that according to the way you answer that pop up window...and according to the "Unhide" log you posted, the temp folder which the rogue would have used to store your missing icons/shortcuts, is missing. Where it went isn't the issue as much as it is the fact that it just isn't there. If it's not present, nothing can be restored from it but the programs, being still present, can be used themselves to re-create icons or shortcuts to them. Let me know if you need help with that.

Offline Capt_Ted

  • Bronze Member
  • Posts: 38
Re: [Resolved] Malware, ie redirect, fake av scan, the works
« Reply #53 on: July 08, 2012, 05:26:34 PM »
Interesting.  To the best of my knowledge I have never downloaded or installed, used any other browser.  I do answer yes to, do I want IE to be my default browser,  and every time I open IE I get the pop-up again.  No problem though because I will probably replace it with FireFox @ your suggestions in other completed topics.  I can recreate the program shortcuts but I don't know how to repair start/all programs/accessories/system tools or start/control panel/administrative tools.  At this point I am so happy to have a usable computer again.  Thank you!





Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] Malware, ie redirect, fake av scan, the works
« Reply #54 on: July 08, 2012, 06:22:20 PM »
We'll get to that tomorrow, as it's getting late for me (for a Sunday, with family time and such) but I wanted to say quickly that you DO have eudora installed. Do you use it for your email client? I know nothing of it but I'd think if it's anything like Thunderbird, it too uses a browser and it is likely linked to a mozilla product. It too is likely to have the ability to assign default clients for both...email and browsing so, if you use it, see what those settings are. As to the rest, we'll get back to this tomorrow. Thanks!

Offline Capt_Ted

  • Bronze Member
  • Posts: 38
Re: [Resolved] Malware, ie redirect, fake av scan, the works
« Reply #55 on: July 08, 2012, 06:39:52 PM »
I hope you have a great family time Sunday evening.  Yes on the Eudora by Qualcomm.  I have used it for many years as my e-mail client.  I think it goes direct to my SMTP server ( Charter ).  I looked over its tools/options and didn't see any references to any other browsers.  This is a small issue to me and I hope you don't spend much of your time on it.  Thanks.

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] Malware, ie redirect, fake av scan, the works
« Reply #56 on: July 09, 2012, 07:06:20 AM »
Download This Script...double-click it to run it then check your missing icons. This should restore them all.

Next, download and install Mozilla's FireFox browser. Allow this to be your default browser. Reboot when finished and let me know your results. Thanks!

Offline Capt_Ted

  • Bronze Member
  • Posts: 38
Re: [Resolved] Malware, ie redirect, fake av scan, the works
« Reply #57 on: July 09, 2012, 07:49:11 AM »
Good morning.  The script worked.  All looks well with XP.  I'm on Firefox now and when I entered SpywareHammer it did not have my saved log on info, so I guess I will need to reset them manually.  No problem.  Thanks.

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] Malware, ie redirect, fake av scan, the works
« Reply #58 on: July 09, 2012, 07:50:43 AM »
Everything else working fine now? Any other issues we can help with?

Offline Capt_Ted

  • Bronze Member
  • Posts: 38
Re: [Resolved] Malware, ie redirect, fake av scan, the works
« Reply #59 on: July 09, 2012, 07:56:16 AM »
FireFox seems to be much faster than IE.  I like it.  Wow, everything seems to be running well.  Very small issue, when I boot up I get the boot up (F12) menu for about 3 seconds, is that a problem? Thanks