Here's how this problem unfolded:
1) I think started because of sticking my USB Flash drive into a public computer (I've learned my lesson now...)
2) I found that many of my folders, especially ones with pictures or music in them, had become .exe files. They still look liked folders, but a folder called Dave's Stuff before would now be Dave's Stuff.exe, etc. And when I enabled the "Show hidden files and folders" I could then see the real original folders. I (moronincally) clicked on one of the exe folders by mistake...
3) I scanned with Ad-Aware, Spybot S&D and Malware Bytes' Anti-Maleware. I also used ATFCleaner and then ran a safe mode scan with SUPERAntiSpyware. Various different problems were found each time and I removed them. Here are some of the problem files logged:
From ad-aware (Quarantine screenshot attached):
Win32.Trojan.Agent
Win32.Trojan.VB
Win32.Worm.VB
From SUPERAntiSpyware:
Rogue.Component/Trace
from Malware Bytes' log:
Memory Processes Infected:
C:\Zita.exe (Email.Worm) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seneka (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\seneka (Rootkit.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\David\local settings\temporary internet files\Content.IE5\HWL47W6T\CAILH98P (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\win32hlp.cnf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Zita.exe (Email.Worm) -> Quarantined and deleted successfully.
4) My situation right now: My computer functions mostly fine, but I cannot access most of my file folders. Those folders that were changed no longer have the .exe ending, but when I try to open them, I get an error message "The path '101NIKON' does not exist or is not a directory." Every single one of the folders in My Pictures is now 44.0 KB when they are supposed to contain several gigs of photos or mp3s... but strangely, the parent folder (My Pictures) that they are all in still says that it has several gigs of information, suggesting the data may still exist somewhere. (Screenshot Attached)
5) Now when I try to toggle Folder Options > View to "Show hidden files and folders", nothing turns up, and when I go back to Folder Options, I find that it has not been toggled, it still has "Do not shoe hidden files and folders" selected, as if something is stopping me from changing that option.
6) Summary: I am not sure if I have fully cleaned the virus yet, and I would love, if possible, to retrieve those files, many of which I have foolishly not backed up. My girlfriend may have backed up some of the files on her USB Flash Drive, but I have told her not to plug it into her computer until we can figure out how to clean it without infecting another computer. My USB drive is also still infected, I want to know how to clean that and retrieve the files from that, too.
I know this is long... thank you SO SO much for your time. Any help is much appreciated.
DDS (Ver_09-05-14.01) - NTFSx86
Run by David at 13:30:54.84 on Fri 06/05/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.570 [GMT 8:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\cypherixsrv.exe
C:\Program Files\System Control Manager\MSIService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\System Control Manager\MGSysCtrl.exe
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\David\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Zita.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\WINDOWS\system32\33BDB2\B8F124.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\David\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.msi.com.tw
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.21.0\gears.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Google Update] "c:\documents and settings\david\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [MGSysCtrl] c:\program files\system control manager\MGSysCtrl.exe
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Google IME Autoupdater] "c:\program files\google\google pinyin\GooglePinyinDaemon.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [B8F124] c:\windows\system32\33bdb2\B8F124.EXE
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
StartupFolder: c:\docume~1\david\startm~1\programs\startup\b8f124.lnk - c:\windows\system32\33bdb2\B8F124.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.21.0\gears.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
TCP: {CC6823D7-11C3-456E-9ACC-AC1514C23619} = 10.0.0.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: ddcAstst - ddcAstst.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: vqxsur.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\david\applic~1\mozilla\firefox\profiles\r6bmdyqb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\google\google gears\firefox\components\gears.dll
FF - plugin: c:\documents and settings\david\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\david\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.133.37\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-3 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R2 cypherixservice;Cypherix service;cypherixsrv.exe --> cypherixsrv.exe [?]
R2 cyphxdrv;cyphxdrv;c:\windows\system32\drivers\cyphxdrv.sys [2009-1-16 100728]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-10 1005904]
R2 Micro Star SCM;Micro Star SCM;c:\program files\system control manager\MSIService.exe [2008-10-16 159744]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2008-10-16 156160]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2008-10-16 625792]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S2 gupdate1c987423dcdab50;Google Update Service (gupdate1c987423dcdab50);c:\program files\google\update\GoogleUpdate.exe [2009-2-5 133104]
S3 rtl8187Se;Realtek RTL8187SE Wireless LAN PCIE Network Adapter;c:\windows\system32\drivers\rtl8187Se.sys [2008-10-16 306176]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-1-14 24652]
=============== Created Last 30 ================
2009-06-04 00:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-04 00:11 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-04 00:11 <DIR> --d----- c:\docume~1\david\applic~1\SUPERAntiSpyware.com
2009-06-04 00:10 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-03 12:05 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-03 11:33 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-06-03 11:21 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-03 11:21 <DIR> --d----- c:\program files\Lavasoft
2009-05-29 23:34 <DIR> --d-h--- c:\windows\system32\8D7BFB
2009-05-29 23:34 <DIR> --d-h--- c:\windows\system32\33BDB2
2009-05-29 23:34 <DIR> --d-h--- c:\windows\system32\1A03E9
2009-05-29 23:34 <DIR> --d-h--- c:\windows\system32\12C671
==================== Find3M ====================
2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-02-22 20:13 45,056 a------- c:\documents and settings\david\My Documents.exe
2009-02-22 20:13 45,056 a------- c:\documents and settings\david\Desktop.exe
============= FINISH: 13:31:48.14 ===============
Attached Files
Edited by Eleventytwo, 05 June 2009 - 01:30 AM.