Slow computer; mouse weird [Solved]


This topic is locked.

#61
Dakeyras (Anti-Malware Mammoth, Expert, 9,684 posts)
Hi. :)

sorry to say nothing happens

I would like to say I am surprised at that, but sadly I am not; the dubious joys of Vista!

OK, did you actually manage to Take Ownership of the following files:

C:\Windows\System32\recdisc.exe

C:\Users\Chris\Desktop\recdisc.exe

#62
BristolCity (Topic Starter, Member, 59 posts)
No, I clicked on both and there was no option to take ownership; I even downloaded the take ownership thing again.

Dude, if you want to leave it you can, if my computer is okay?

Edited by BristolCity, 25 January 2013 - 03:44 PM.


#63
Dakeyras (Anti-Malware Mammoth, Expert, 9,684 posts)
Hi. :)

no click on both and no option to take ownership, I even d/l the take ownership thing again

OK.

dude, if you want to leave it you can

I'm afraid we are going to have to; I have encountered similar problems in the past with Vista when attempting to create a Startup Repair Disc. Most unfortunate all told, and more so since some features are blocked by the custom Operating System you have.

I strongly advise you to consider purchasing a stand-alone Vista 32 Bit Installation DVD, because if anything really serious happens to your machine, as in it becoming unbootable for example, you at present have no way to run either the Startup Repair (or other options) and/or reinstall the Operating System etc.

if my comp is okay?

It does appear to be, for the most part, though we do need to address the hosts file again, which we will do shortly...

Is the Firefox browser still unable to launch or not?

Next:

Please Download HostsXpert and unzip it to your computer, somewhere where you can find it.

The root of the system drive would be an ideal location, e.g. C:\

Note: Do not use this yet, we will be shortly.

Custom OTL Script:

  • Right-click OTL.exe and select Run as Administrator to start the program.
  • Copy the lines from the Quote-box(do not copy the word quote) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:Commands
[CreateRestorePoint]

:Files
C:\WINDOWS\system32\drivers\etc\hosts
netsh advfirewall reset /c
netsh advfirewall set allprofiles state off /c

:Reg
[-HKEY_CLASSES_ROOT\*\shell\runas]
[-HKEY_CLASSES_ROOT\Directory\shell\runas]
[-HKEY_CLASSES_ROOT\dllfile\shell]
[-HKEY_CLASSES_ROOT\Drive\shell\runas]
[-HKEY_CLASSES_ROOT\exefile\shell\runas]
[HKEY_CLASSES_ROOT\exefile\shell\runas]
"HasLUAShield"=""
[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

:Commands
[EmptyTemp]

  • Return to OTL, right-click in the Custom Scans/Fixes window (under the cyan bar) and choose Paste.
  • Then click the red Run Fix button.
  • Let the program run unhindered.
  • If OTL asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
Note: The logfile can also be found at C: >> _OTL >> MovedFiles >> DD/DD/DD TT/TT.txt (the name denotes the date/time the log was created).

Next:

  • Right-click on HostsXpert.exe and select Run as Administrator to launch the programme.
  • When prompted with:
HOSTS file does not exist, press OK to create HOSTS file, Cancel to quit.
  • Select OK.
  • Check to see if the top button on the left hand side says Make Writable?
    • If it does, click on it, then proceed to the next instruction.
    • If not, just proceed to the next instruction.
  • Click on Restore MS Hosts File to restore your Hosts file to its default condition
  • When prompted to confirm, click OK.
  • Click on the Download button (lower left hand side)
    • Click on MVPs Hosts... button.
    • Click on Replace button.
    • Press OK in the box that pops up. (HostsXpert will now download and update your Hosts file. If prompted about DNS, just ignore it and click on OK etc.)
  • When finished.
    • Click on File Handling button.
    • Click on Make Read Only? to secure it against infection.
  • Exit the programme.


#64
BristolCity (Topic Starter, Member, 59 posts)
OTL stopped responding halfway through running and now I get the error 'this file does not have a program associated with it for performing this action' when I click on it?

Malwarebytes just blocked a malicious attack too for some reason.

Edited by BristolCity, 25 January 2013 - 05:23 PM.


#65
Dakeyras (Anti-Malware Mammoth, Expert, 9,684 posts)
Hi. :)

Malwarebytes just blocked a malicious attack too for some reason

OK, how many browser windows did you have open when this occurred, if any? Do post the MBAM log for my review please, so I can check exactly what was blocked.

To locate the aforementioned log...

  • Launch Malwarebytes' Anti-Malware
  • Click on the Logs radio tab.
  • The log will be named:-
C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs\protection-log-yyyy-dd-dd

Next:

OTL stop responding halfway thru running and now I get the error 'this file does not have a program associated with it for performing this action' when I click on it?

Your machine certainly does not like playing nice, eh! Anyway, we should be able to rectify that as follows (do not follow the prior instructions again at this time); also check if OTL actually created a log from the last custom script run or not, please.

Download/run Rkill:

(If one fails to work, delete it and download/try another):

One, Two, Three, Four or Five

Note: If your security software warns about Rkill, please ignore and allow the download to continue.

  • Double click on Rkill.
  • A command window will open then disappear upon completion, this is normal.
  • Post the log created on the desktop, rkill.txt, in your next reply.


#66
BristolCity (Topic Starter, Member, 59 posts)
There was just one window open.
I can't see the MBAM log you want; the latest one is:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 911122605

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

26/12/2011 22:27:25
mbam-log-2011-12-26 (22-27-25).txt

Scan type: Quick scan
Objects scanned: 152519
Time elapsed: 10 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


-----------------------

Rkill 2.4.6 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingc...opic308364.html

Program started at: 01/27/2013 08:59:32 PM in x86 mode.
Windows Version: Windows Vista ™ Home Premium Service Pack 2

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
* HKLM\Software\Classes\exefile\shell\runas\command "@" was changed. It was reset to "%1" %*!

* HKLM\Software\Classes\exefile\shell\runas\command\\IsolatedCommand was changed. It was reset to "%1" %*!


Performing miscellaneous checks:

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

* Windows Firewall Disabled

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000

Checking Windows Service Integrity:

* Windows Defender (WinDefend) is not Running.
Startup Type set to: Manual

* msiserver => %systemroot%\system32\msiexec.exe /V [Incorrect ImagePath]

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* No issues found.

Program finished at: 01/27/2013 08:59:45 PM
Execution time: 0 hours(s), 0 minute(s), and 12 seconds(s)
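The Rkill log above checks a handful of registry locations by hand: the exefile runas command that had been changed (the cause of the "no program associated with it" error), the Windows Defender and firewall policy values, and the msiserver ImagePath. As an added example, not part of this thread and not Rkill's own code, the PowerShell script below performs the same read-only audit so the values can be rechecked after a fix. The registry paths are the ones in the log; the wanted values are the Microsoft defaults for the shell commands and policy values and the usual hardening (show hidden files and extensions) for the Explorer flags Panda lists later in the thread. It assumes PowerShell 3 or later on a 32-bit Vista/Windows 7-era registry layout like the one in the log, and must be run from an elevated prompt. Nothing is written.

```powershell
# Added example, not from the thread and not Rkill's code: read-only audit of
# the registry settings the Rkill log reports on. Assumes PowerShell 3+ and a
# 32-bit Vista/Win7-era layout. Run elevated; nothing is modified.

function Get-RegValueRaw {
    param([string]$Path, [string]$Name)
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }                 # key absent
    # '' selects the key's (Default) value. DoNotExpandEnvironmentNames keeps
    # REG_EXPAND_SZ data such as %systemroot% literal, so it compares cleanly.
    $key.GetValue($Name, $null,
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
}

$Cmd = '"%1" %*'      # Microsoft default: run the file itself with its arguments
$Adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$Fw  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$Checks = @(
    # Shell commands: a hijack here runs attacker code for every .exe/.com/.bat,
    # and a damaged one gives "this file does not have a program associated with it".
    @{ Path = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command';  Name = '';                Want = $Cmd }
    @{ Path = 'HKLM:\SOFTWARE\Classes\exefile\shell\runas\command'; Name = '';                Want = $Cmd }
    @{ Path = 'HKLM:\SOFTWARE\Classes\exefile\shell\runas\command'; Name = 'IsolatedCommand'; Want = $Cmd }
    @{ Path = 'HKLM:\SOFTWARE\Classes\comfile\shell\open\command';  Name = '';                Want = $Cmd }
    @{ Path = 'HKLM:\SOFTWARE\Classes\batfile\shell\open\command';  Name = '';                Want = $Cmd }
    # Security features switched off by policy value (both appear in the Rkill log).
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'; Name = 'DisableAntiSpyware'; Want = $null }  # absent or 0
    @{ Path = $Fw; Name = 'EnableFirewall'; Want = 1 }
    # Explorer flags FakeHDD-style rogues flip to hide what they did (Panda output).
    @{ Path = $Adv; Name = 'Hidden';          Want = 1 }
    @{ Path = $Adv; Name = 'ShowSuperHidden'; Want = 1 }
    @{ Path = $Adv; Name = 'HideFileExt';     Want = 0 }
)

function Test-RegCheck {
    param([hashtable]$Check)
    $actual = Get-RegValueRaw -Path $Check.Path -Name $Check.Name
    if ($null -eq $Check.Want) {
        $ok = ($null -eq $actual) -or ($actual -eq 0)   # missing value is the default
    } else {
        $ok = ("$actual" -eq "$($Check.Want)")
    }
    $status = if ($ok) { 'ok' } else { 'MISMATCH' }
    $label  = if ($Check.Name) { $Check.Name } else { '(Default)' }
    [pscustomobject]@{ Status = $status; Name = $label; Actual = $actual; Want = $Check.Want; Path = $Check.Path }
}

$Results = foreach ($c in $Checks) { Test-RegCheck -Check $c }
$Results | Sort-Object Status | Format-Table Status, Name, Actual, Want, Path -AutoSize

# Rkill also flagged the msiserver ImagePath; the correct value differs between
# Windows versions, so it is shown for review rather than compared.
'msiserver ImagePath: ' + (Get-RegValueRaw -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\msiserver' -Name 'ImagePath')
```

Reading the (Default) value through GetValue with DoNotExpandEnvironmentNames matters: Get-ItemProperty expands %systemroot% before you see it, so a literal comparison against the stored data would report a false mismatch.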

#67
Dakeyras (Anti-Malware Mammoth, Expert, 9,684 posts)
Hi. :)

there was just one window open
I can't see the MBAM log you want

Fair play, it may just have been a false positive detection, but we can check this out in due course to err on the side of caution.

also check if OTL actually created a log from the last custom script run or not please.

I take it no log is available then? If so, not a problem.

Next:

Have you checked if Mozilla Firefox will launch/work?

Next:

Download the attached Erunt.bat (see below) to the desktop...

Then right-click on Erunt.bat and select Run as Administrator to run the batch file. It will self-delete when completed.

--------------

Download msiserver.reg to the desktop...

Then right-click on msiserver.reg >> Merge >> follow the prompts >> reboot your machine.

Next:

  • Right-click on HostsXpert.exe and select Run as Administrator to launch the programme.
  • Check to see if the top button on the left hand side says Make Writable?
    • If it does, click on it, then proceed to the next instruction.
    • If not, just proceed to the next instruction.
  • Click on Restore MS Hosts File to restore your Hosts file to its default condition
  • When prompted to confirm, click OK.
  • Click on the Download button (lower left hand side)
    • Click on MVPs Hosts... button.
    • Click on Replace button.
    • Press OK in the box that pops up. (HostsXpert will now download and update your Hosts file. If prompted about DNS, just ignore it and click on OK etc.)
  • When finished.
    • Click on File Handling button.
    • Click on Make Read Only? to secure it against infection.
  • Exit the programme.
Next:

Let me know when you have completed the above. Provide the answers to my queries and we will then go from there, thank you.
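The HostsXpert steps above (here and in post #63) restore the default hosts file and then make it read-only. As an added example, not part of the thread and not HostsXpert's code, the PowerShell script below shows what those steps guard against: it parses the hosts file, flags lines that redirect a name away from loopback or that block update/security-vendor hosts, and with -Restore writes the default back and sets the read-only attribute. It assumes the standard drivers\etc\hosts location, the Vista-era default content (127.0.0.1 and ::1 mapped to localhost), PowerShell 3 or later, and an elevated prompt; the sample hosts lines inside it are constructed for illustration, not taken from the user's machine.

```powershell
# Added example, not from the thread and not HostsXpert's code: audit the hosts
# file for hijack entries and optionally restore the default and set read-only.
# Assumes the standard hosts location, Vista-era default content, PowerShell 3+.
param([switch]$Restore)

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Loopback  = @('127.0.0.1', '::1', '0.0.0.0')
# Names legitimate blocklists (MVPS etc.) never block; a loopback entry for one
# of these is malware cutting the machine off from updates and AV vendors.
$Protected = 'windowsupdate|update\.microsoft|malwarebytes|avast|symantec|mcafee|kaspersky|bleepingcomputer'

function Get-HostsEntries {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $text = ($line -split '#', 2)[0].Trim()       # drop comments
        if (-not $text) { continue }
        $parts = $text -split '\s+'
        if ($parts.Count -lt 2) { continue }
        [pscustomobject]@{ Address = $parts[0]; Names = $parts[1..($parts.Count - 1)] }
    }
}

function Find-SuspiciousEntries {
    param([string[]]$Lines)
    foreach ($e in Get-HostsEntries $Lines) {
        $reason = $null
        if ($Loopback -notcontains $e.Address) {
            $reason = 'redirect to non-loopback address'      # classic hijack
        } elseif ($e.Names | Where-Object { $_ -match $Protected }) {
            $reason = 'blocks update/security-vendor host'
        }
        if ($reason) {
            [pscustomobject]@{ Reason = $reason; Address = $e.Address; Names = ($e.Names -join ' ') }
        }
    }
}

# Constructed sample (not from the user's machine) showing what gets flagged:
# the two last lines are reported, the MVPS-style block of an ad host is not.
$Sample = @(
    '127.0.0.1       localhost',
    '::1             localhost',
    '0.0.0.0         ads.example.net   # MVPS-style block, fine',
    '0.0.0.0         www.malwarebytes.org',
    '203.0.113.7     www.paypal.com www.bankofexample.com'
)
'--- constructed sample ---'
Find-SuspiciousEntries $Sample | Format-Table -AutoSize

'--- ' + $HostsPath + ' ---'
$Found = @(Find-SuspiciousEntries (Get-Content -LiteralPath $HostsPath))
if ($Found) { $Found | Format-Table -AutoSize } else { 'No suspicious entries.' }

if ($Restore) {
    $file = Get-Item -LiteralPath $HostsPath
    $file.IsReadOnly = $false                           # HostsXpert "Make Writable?"
    Copy-Item -LiteralPath $HostsPath -Destination "$HostsPath.bak" -Force
    Set-Content -LiteralPath $HostsPath -Encoding Ascii -Value @(
        '# Restored Microsoft default hosts file (Vista-era content assumed)',
        '127.0.0.1       localhost',
        '::1             localhost'
    )
    $file.IsReadOnly = $true                            # HostsXpert "Make Read Only?"
    "Restored default hosts file (backup at $HostsPath.bak) and set read-only."
}
```

The read-only attribute is only a speed bump: anything running as administrator can clear it, which is why the thread re-checks the hosts file after each cleaning pass rather than relying on the flag.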

#68
BristolCity (Topic Starter, Member, 59 posts)
No log was available.

Mozilla works okay.

I completed the hosts as you requested; the HostsXpert.exe was in a zip though, and I unzipped it to the desktop and did as you asked.

#69
Dakeyras (Anti-Malware Mammoth, Expert, 9,684 posts)
Hi. :)

No log was available

Fair play.

Mozilla works okay

I completed the hosts as you requested; the HostsXpert.exe was in a zip though, and I unzipped it to the desktop and did as you asked

Good, let's just run a few more checks as follows...

Malwarebytes Anti-Malware:

Note: Remember to right click MBAM and select Run As Administrator.

  • Launch the application, Check for Updates >> Perform a Quick Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Panda Online Scan:

Use Internet Explorer for the below please...

Vista users: You will need to right-click on IE in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

Now please go here to run Panda's ActiveScan

  • Once you are on the Panda site, click the Scan your PC now button
  • A new window will open. Select the option Quick scan, then click on the Scan Now button (allow all the UAC (User Account Control) prompts)
  • Allow the ActiveX control to be installed. It will start downloading the files it requires for the scan. Note: This may take a couple of minutes
  • Run the ActiveX control, if requested. The screen will then show the scanning progress - the scan will take a while to finish. Please be patient.
  • When the scan has finished, click on Export To
  • Save the file as Activescan.txt to your Desktop
  • Close the Activescan window then go to your Desktop
  • Double-click on Activescan.txt and it will open in Notepad
  • In Notepad, click Edit > Select all, then Edit > Copy
  • Reply to this thread and press Ctrl+V to paste the log in your reply


#70
BristolCity (Topic Starter, Member, 59 posts)
We have detected that your PC is using a version of Microsoft Internet Explorer or Firefox, or another browser, that is not compatible with ActiveScan 2.0.

which is odd, as I have the latest Firefox, so I had to download it. It did find 9 suspicious files in the registry; do I clean them?

Malwarebytes Anti-Malware (PRO) 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.28.09

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Chris :: DELL-530 [administrator]

Protection: Enabled

28/01/2013 18:50:17
mbam-log-2013-01-28 (18-50-17).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 200431
Time elapsed: 4 minute(s), 18 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\INTEROP.PRPLAYERCOR#\3AACB3AD0998BEA4CF56323794EB2C8F\INTEROP.PRPLAYERCORELIB.NI.DLL to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\PHOTOMANAGER\BBD3DF31BDF82F00F0959B329F01AAF4\PHOTOMANAGER.NI.DLL to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\ALLSHARECONTROLLER\5B125EA25878945BE73A0B105206DF41\ALLSHARECONTROLLER.NI.DLL to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\KIES.COMMON.MAINUI\04CBEE3072EC83A44739232219ED52D5\KIES.COMMON.MAINUI.NI.DLL to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\DEVICEVIDEO\727C54F055DB0237275FE73A8BDC7E17\DEVICEVIDEO.NI.DLL to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\EBOOKMANAGER\A733A21DF78E533A0BE98297F664753E\EBOOKMANAGER.NI.DLL to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\KIES.COMMON.STOREMA#\70BB30BBC100D4FF16C7F87DBC2B31AA\KIES.COMMON.STOREMANAGER.NI.DLL to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\KIES.MVVM\BC2FFEEA3580F165F2314C754E24744C\KIES.MVVM.NI.DLL to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\INTEROP.DEVFILESERV#\A675AFEC192581F0F32D6581C68E5E8F\INTEROP.DEVFILESERVICELIB.NI.DLL to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\KIES\E7E35EE7F52981CE1AB48C00EE262D37\KIES.NI.EXE to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\KIES.COMMON.MULTIME#\B8FD6D21796B61A55C24AABE580C36D5\KIES.COMMON.MULTIMEDIA.NI.DLL to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\KIES.COMMON.DEVICES#\E793084599A7BD89923C348E22057983\KIES.COMMON.DEVICESERVICELIB.INTERFACE.NI.DLL to be deleted.

Broken Link. FILE: File not found:C:\USERS\CHRIS\DESKTOP\COMBOFIX.EXE to be deleted.

Broken Link. REGKEY: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\combofix.exe. Key to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\VIDEOMANAGER\122AD0CEDF2147A2D9799AE69885F993\VIDEOMANAGER.NI.DLL to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\KIES.COMMON.DEVICES#\6BCF31801A136F6102D51C83FFE72448\KIES.COMMON.DEVICESERVICELIB.FIRMWAREUPDATE.COMMON.NI.DLL to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\PODCASTSERVICE\CC5CCF7E2DE6141500219C08610BCF28\PODCASTSERVICE.NI.DLL to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\PHONEBOOK\B593ABAB1718C26186E305B33383C7F9\PHONEBOOK.NI.DLL to be deleted.

Broken Link. FILE: File not found:FFDSHOW.AX to be deleted.

Unknown. FILE: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ffdshow\Audio decoder configuration.lnk to be deleted.

Unknown. FILE: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ffdshow\Video decoder configuration.lnk to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\DEVICEMUSIC\9AE37560B829ACDF9DCA42531006E9AA\DEVICEMUSIC.NI.DLL to be deleted.

Broken Link. FILE: File not found:"C:\PROGRAM FILES\REAL\REALPLAYER\UPDATE\REALSCHED.EXE" to be deleted.

Broken Link. REGKEY: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run[TkBellExe]. Value: TkBellExe To be deleted.

Broken Link. FILE: File not found:C:\PROGRAM FILES\NORTON 360\ENGINE\6.0.0.145\SYMERR.EXE to be deleted.

Broken Link. REGKEY: HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{08FF730A-494F-4cba-AA0B-E4F1D44715F9}. Key to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\INTEROP.DEVICESEARC#\85FF769496D6B3A3FB81025D06CD8F7C\INTEROP.DEVICESEARCHLIB.NI.DLL to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\DEVICEPHOTO\AF8DBDFAD9FDFF93DF66D5ED493E331D\DEVICEPHOTO.NI.DLL to be deleted.

Unknown. FILE: C:\PROGRAM FILES\EVERNOTE\SKITCH\UNINSTALL.EXE to be deleted.

Unknown. FILE: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skitch\Uninstall Skitch.lnk to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\KIES.COMMON.DEVICES#\012CFBFE13E795A6FA2365918B878386\KIES.COMMON.DEVICESERVICELIB.DEVICEDATASERVICE.NI.DLL to be deleted.

Unknown. FILE: C:\USERS\CHRIS\DOWNLOADS\WVCHECK.EXE to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\KIES.COMMON.ALLSHARE\F5C5F12D694DE2A89C2D40BCD4578CA0\KIES.COMMON.ALLSHARE.NI.DLL to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\KIES.COMMON.DBMANAG#\683A2ADB742AD60E4BEBA025BF957CF2\KIES.COMMON.DBMANAGER.NI.DLL to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\KIES.COMMON.DEVICES#\BF10BEB0FF3048E6048DBEA8E92C0C11\KIES.COMMON.DEVICESERVICELIB.FIRMWAREUPDATE.DOWNLOADER.NI.DLL to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\KIES.COMMON.DEVICES#\F853D4336528646EA1177D8033C6EF30\KIES.COMMON.DEVICESERVICELIB.DEVICEMANAGEMENT.NI.DLL to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\CPKTMUSICPLUGIN\63C041A904F052EE3140744695EB0628\CPKTMUSICPLUGIN.NI.DLL to be deleted.

Broken Link. FILE: File not found:C:\PROGRAM FILES\OPERA\OPERA.EXE to be deleted.

Broken Link. REGKEY: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithProgids[Opera.HTML]. Value: Opera.HTML To be deleted.

Broken Link. REGKEY: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithProgids[Opera.HTML]. Value: Opera.HTML To be deleted.

Broken Link. FILE: File not found:"C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE" to be deleted.

Unknown. FILE: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk to be deleted.

Broken Link. FILE: File not found:DFSVC.EXE to be deleted.

Broken Link. REGKEY: HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AED-AECE-4E27-9BCB-5358B13F9FF9}. Key to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\DEVICEPODCAST\5515B99EF1F56FD99DD92B2411898D1B\DEVICEPODCAST.NI.DLL to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\BATPLUGIN\9BABC9BC724237A609F4DE0AD3323C9F\BATPLUGIN.NI.DLL to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\DEVICEHOST\0080908A889CB90FC874959C87FE0374\DEVICEHOST.NI.DLL to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\KIES.COMMON.DEVICES#\294C94F981D637F17AB1735A88C71F84\KIES.COMMON.DEVICESERVICELIB.FIRMWAREUPDATE.FIRMWAREUPDATEAGENTHELPER.NI.DLL to be deleted.

Unknown. FILE: C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\DEFS\13012800\ALGO.DLL to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\KIES.COMMON.DEVICES#\FFAFE10B3805924B1088BC69A5DE2F0B\KIES.COMMON.DEVICESERVICE.NI.DLL to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\KIES.COMMON.UTIL\EB93B73C1D4B45FEC994A8D751846FE5\KIES.COMMON.UTIL.NI.DLL to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\PODCASTER\4A6FF3A0091024818451AF7DE4764388\PODCASTER.NI.DLL to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\KIES.COMMON.MEDIADB\7AED44092B17A6A553F177B60CB9577E\KIES.COMMON.MEDIADB.NI.DLL to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\KIES.UI\752AB77541C7F9ACBDAB1BD3F79FC6BA\KIES.UI.NI.DLL to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\KIES.INTERFACE\94115754846BA74909B9C7247EA049C8\KIES.INTERFACE.NI.DLL to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\KIES.THEME\8A4F27E3F254DED6F14720398A17AA16\KIES.THEME.NI.DLL to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\KIES.LOCALE\8B05816D8B09B1B2B7E1DDB16A4AF9E6\KIES.LOCALE.NI.DLL to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\MUSICMANAGER\E6587BC657F47680E956AD43831C6C8D\MUSICMANAGER.NI.DLL to be deleted.

Unknown. FILE: C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V4.0.30319_32\KIES.COMMON.DEVICES#\FCA01DDD89F601AA8F3457E0F6DC0878\KIES.COMMON.DEVICESERVICELIB.FILESERVICE.NI.DLL to be deleted.

Suspicious Policy. POLICY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED[SHOWSUPERHIDDEN] to be changed to: 1

Suspicious Policy. POLICY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED[SUPERHIDDEN] to be changed to: 0

Suspicious Policy. POLICY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED[HIDEFILEEXT] to be changed to: 0

Edited by BristolCity, 28 January 2013 - 01:27 PM.


#71
Dakeyras (Anti-Malware Mammoth, Expert, 9,684 posts)
Hi. :)

which is odd, as I have the latest Firefox, so I had to download it

Indeed it is.

did find 9 suspicious files in the registry, do I clean them?

No, do not.

Next:

Download Unhide to your desktop...

Now right-click on unhide.exe and select Run as Administrator >> follow the prompts.

When the scan is completed reboot your machine and post the contents of unhide.txt in your next reply.

#72
BristolCity (Topic Starter, Member, 59 posts)
Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingc...opic405109.html

Program started at: 01/28/2013 09:47:45 PM
Windows Version: Windows Vista

Please be patient while your files are made visible again.

Processing the C:\ drive
Finished processing the C:\ drive. 133234 files processed.

Processing the D:\ drive
Finished processing the D:\ drive. 10572 files processed.

The C:\Users\Chris\AppData\Local\Temp\smtmp\ folder does not exist!!
Unhide cannot restore your missing shortcuts!!
Please see this topic in order to learn how to restore default
Start Menu shortcuts: http://www.bleepingc...opic405109.html

Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
No registry changes detected.

Program finished at: 01/28/2013 09:50:03 PM
Execution time: 0 hours(s), 2 minute(s), and 18 seconds(s)

#73
Dakeyras (Anti-Malware Mammoth, Expert, 9,684 posts)
Hi. :)

Before we go any further I would like you to check a few things for myself as follows...

Navigate to Programs and Features in the Control Panel and check if:

Panda ActiveScan 2.0

Is actually installed or not.

Next:

  • Click on Start (Vista Orb) >> Run... >> then copy/paste the following command into the box and press OK:

rstrui.exe

  • Then click on OK
  • After a brief period the System Restore window will appear.
  • Select the option Choose a different restore point >> Next>
  • Now select the option Show restore points older than 5 days
  • Take a screenshot of the window and post it in your next reply please (it should look similar to the below)
  • Close the System Restore window.

Attached Thumbnails

  • VistaSRW.jpg


#74
BristolCity (Topic Starter, Member, 59 posts)
Panda scan is in my programs.

#75
BristolCity (Topic Starter, Member, 59 posts)
Panda scan is in my programs.

There are a few restore points on the 24th and 25th with OTL.

Attached Thumbnails

  • Untitled.jpg
