
possibly had / have root kit virus or restore / recovery virus that hid EVERYTHING and would not allow me access to safe mode


This topic is locked
17 replies to this topic

#1 littleERIC (Members, 15 posts)

Posted 18 March 2012 - 06:57 PM

hello guys/gals. this is my first post here. wonderful helpful site you have here ! thanks !
alright i may provide too much info, but i figure too much is better than not enough.
for starters, my wife's cousin was using my laptop to do online school work when the screen went blank, then changed to a solid red screen. all of those fake "windows restore" type error messages started popping up saying things such as failed hard drive, etc. then it started doing this scan and showed all of these problems that it detected. it prompted you to purchase their "bogus" program. luckily i was home and told her that was not legit and to avoid that. i grabbed the laptop from her, closed all of these 60 or so error messages, closed out this fake scan screen, and rebooted my pc. after reboot, everything appeared to be gone. my desktop icons were gone, my desktop image was gone and replaced with a solid red screen, everything in my start menu was gone.

i quickly realized that everything was not gone, but whatever had infected my computer had "hid" everything. i shut down again and hit my f8 key to reboot into safe mode. i have windows xp professional (5.1, build 2600) 32-bit. after hitting my f8 key, it pulled up the "windows advanced options menu" where i selected "safe mode with networking" so that i could troubleshoot and research the internet from the safety of safe mode. after selecting "safe mode with networking", i selected "windows xp professional". then it had my login screen where i enter my password. when i would click on the password line, it would freeze up so that i couldn't move the mouse or type anything in. at this point, the only option was to force it to shut down by holding down my power key and reboot into normal mode, which would boot up just fine, other than everything missing. it seemed to me that this malware/trojan/rootkit or whatever it was had not only hid everything, but restricted me from getting into safe mode. i thought i would defeat it by forcing it into safe mode by hitting ctrl-shift-esc to pull up msconfig. i selected boot.ini and told it to boot into safe mode with networking. it did do that, but in my opinion, i don't think i was in true safe mode because once logged in, it did NOT show "safe mode" in all four corners like it should.

at this point, i determined that since my normal boot mode had been rendered useless because this program had restricted access to anything that could identify and remove it, and i couldn't get into safe mode to work around it, my only option was to hit my f10 key and go into "pc recovery" which came preinstalled in my hp pavilion dv6000 laptop instead of xp recovery disks. i knew that doing this i would have to consider some of my stuff like pics, documents, music, etc. a loss and just start fresh with a new install of the windows program only.

i did that, and now i'm back up and running normally (i hope). even though it appears to be back to normal now, i immediately rebooted into safe mode with networking, it did allow me in safe mode this time, and "safe mode" showed in all four corners like it should. i came straight to this bleepingcomputer.com site and printed off your "remove system restore (uninstall guide)". i am still in safe mode now and i have followed every single step in your guide, and i am now at #6 in that guide, and at the section of that which prompted me to post this here. i will post everything that it requested for you to see, but best i can tell, it appears that all is good now. i just want to make dang sure it is ALL gone and removed before i move on.

*** all of this that i'm entering in this paragraph was BEFORE i ran the "pc recovery" *** one last thing, when all of this first infected me, the only thing i could access that could even possibly help me was my spybot s&d icon that was in the tray where my clock is displayed. i ran a scan and immunization with it, and it did identify some stuff (in my opinion unrelated) which i removed and immunized. after that i ran the unhide.exe program from you guys to restore MOST of my hidden stuff. i then ran my jv16 powertools program to see what kind of registry changes it made and deleted a bunch of stuff that was most likely associated with this problem. i then downloaded avg 2012 and did a scan. best i recall it found a couple of things and i removed them (sorry for my memory being fried, i've been up way too late fighting this for several nights now). in other words, i think i disabled / deactivated this rogue program, but my pc was still suffering from some of its effects. the reason i downloaded avg instead of malwarebytes is because it would not allow me to download malwarebytes, not sure if that was a site problem, program problem, or the virus knowing that was a good fix program and restricting me from it.
*** end of paragraph ***

sorry for being so long winded, but i wanted to make sure i gave you all the detail you could possibly need. if i missed anything that i can provide you with, please just say so and i will do my very best. thanks for such an awesome site and for helping all of us in our times of need ! y'all are the bomb !!!!!!

oh yeah, one more thing. before i ran the "pc recovery" i was up to date with windows xp professional service pack 3. now that i've run the recovery, i think i'm back to service pack 2. just wanted to throw that out there so that you wouldn't think that had anything to do with this problem. i just haven't taken the time YET to update it, but i will. i'm wanting to make sure i get this resolved before i start updating everything. thanks again, and here is my DDS.txt log as requested.....

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 6.0.2900.2180
Run by Eric Little at 1:52:59 on 2012-03-17
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1725 [GMT -6:00]
.
AV: Norton Internet Security 2006 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security 2006 *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [IS CfgWiz] c:\program files\norton internet security\cfgwiz.exe /GUID {F073BDC9-0D67-4ff0-879E-27241C843828} /MODE CfgWiz /CMDLINE "REBOOT"
mRun: [SSC_UserPrompt] "c:\program files\common files\symantec shared\security center\UsrPrmpt.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
StartupFolder: c:\docume~1\ericli~1.you\startm~1\programs\startup\vongot~1.lnk - c:\program files\vongo\Tray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1331965714198
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{0191485E-812B-4500-8D91-A494247EF858} : DhcpNameServer = 192.168.1.254
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-9-17 192112]
S2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2005-9-17 202352]
S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-9-17 169584]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton internet security\norton antivirus\navapsvc.exe [2005-10-7 133744]
S2 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\Savrtpel.sys [2005-8-26 53896]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [2006-6-6 61952]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20060514.008\NAVENG.Sys [2006-9-12 77864]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20060514.008\NavEx15.Sys [2006-9-12 799208]
S3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\savrt.sys [2005-8-26 334984]
S3 SAVScan;Symantec AVScan;c:\program files\norton internet security\norton antivirus\SAVScan.exe [2005-8-26 198368]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-9-12 1119888]
.
=============== Created Last 30 ================
.
2012-03-17 06:56:47 -------- d-s---w- c:\documents and settings\eric little.your-0cdc4f5844\Temporary Internet Files
2012-03-17 06:56:47 -------- d-s---w- c:\documents and settings\eric little.your-0cdc4f5844\History
2012-03-17 06:41:49 185344 ----a-w- c:\windows\system32\Thawbrkr.dll
2012-03-17 06:41:49 10752 ----a-w- c:\windows\system32\c_iscii.dll
2012-03-17 06:41:48 6144 ----a-w- c:\windows\system32\ftlx041e.dll
2012-03-17 06:41:48 5632 ----a-w- c:\windows\system32\kbdusa.dll
2012-03-17 06:29:08 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-03-17 06:29:07 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-03-17 06:29:07 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-03-17 06:29:07 -------- d-----w- c:\windows\system32\SoftwareDistribution
2012-03-17 06:28:03 -------- d-s---w- c:\documents and settings\eric little.your-0cdc4f5844\UserData
2012-03-14 19:09:46 1137360 ----a-w- C:\fsbl.exe
2012-03-14 16:47:15 -------- d-----w- c:\program files\Ask.com
2012-03-14 07:20:11 -------- d-----w- C:\$AVG
2012-03-14 06:52:02 -------- d-----w- c:\documents and settings\all users\application data\Common Files
2012-03-14 06:51:02 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2012-03-14 06:50:09 -------- d-----w- c:\program files\AVG
2012-03-14 06:44:16 -------- d-----w- c:\documents and settings\all users\application data\MFAData
.
==================== Find3M ====================
.
.
============= FINISH: 1:54:14.71 ===============

#2 littleERIC (Topic Starter)

Posted 18 March 2012 - 10:07 PM

adding update. following your "remove system restore (uninstall guide)" in the exact order it was listed, after posting my initial post as suggested, i continued on to the next steps. i downloaded malwarebytes and ran a full system scan. here is a copy of the notepad txt file created with threats detected placed here as an attachment. i removed these threats as directed and restarted pc when malwarebytes prompted me to. my question is do i still need to run your step 19 which is to run the unhide.exe program ? i'm asking that because it APPEARS that everything is working like it should after me running the "pc recovery". i am now going to leave safe mode and reboot into normal mode without running unhide.exe, hopefully that will be ok. thanks again.


#3 nasdaq (Malware Response Team, Montreal, QC. Canada)

Posted 22 March 2012 - 09:17 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Your logs are clean.

Third-party programs, if not up to date, can be an open door for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please let me know of any issues with this computer.

#4 nasdaq (Malware Response Team)

Posted 28 March 2012 - 09:47 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

#5 nasdaq (Malware Response Team)

Posted 29 March 2012 - 06:54 AM

Topic reopened.

#6 littleERIC (Topic Starter)

Posted 29 March 2012 - 09:40 PM

thanks for reopening this. to my knowledge so far, i'm not aware of any problems this pc is having now. it seems as though i have got everything removed and restored. the only downfall to this whole ordeal is that i seem to have lost all pictures, documents, etc. after running the pc recovery. i am just wanting to make sure anything harmful is indeed cleaned and removed. also, i need to know if it is now safe for me to re-enable cd emulation software with "defogger" ? here is the contents of the checkup.txt that you requested:

Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

MVPS Hosts File
Secunia PSI (2.0.0.4003)
Java™ 6 Update 31
Adobe Reader X (10.1.2)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
America Online 9.0 waol.exe
America Online 9.0 shellmon.exe
``````````End of Log````````````


also, i forgot to add that after installing "secunia psi" i updated everything and now have a 100% system score. thanks again !

Edited by littleERIC, 29 March 2012 - 09:45 PM.


#7 nasdaq (Malware Response Team)

Posted 30 March 2012 - 07:59 AM

i need to know if it is now safe for me to re-enable cd emulation software with "defogger"

Yes.

If your files are only hidden this will help. Please download the following program to your desktop:

Unhide.exe

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

This may take some time; please let it finish.
===

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

Surf Safely, and Think Prevention!
===

#8 littleERIC (Topic Starter)

Posted 30 March 2012 - 12:42 PM

i need to know if it is now safe for me to re-enable cd emulation software with "defogger"

Yes.

*** i will do this when i get home this evening ***

If your files are only hidden this will help. Please download the following program to your desktop:

Unhide.exe

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

This may take some time; please let it finish.

*** i will gladly do this when i get home also. one question though, i downloaded and ran the unhide.exe program before i ran the pc recovery. should i still run this program again ? ***
===

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall

*** i will also do this when i get home this evening. what exactly does this do ? the reason i ask is with the "uninstall" command typed in, what exactly is it that i'm uninstalling here ? sorry if that's a stupid question, but i have NOT run combofix thus far. sorry for my confusion there. ***
===

Delete the other tools we used. *** what all specifically should i remove here ? i have followed your rootkit removal instructions to a T as you can see from my very first post in this thread. does this mean i should delete EVERYTHING that i have downloaded from your instructions when i first started tackling this problem ? programs, .txt files, notepad files, etc. ? all of it ? ***

Surf Safely, and Think Prevention!
===


*** lastly, as far as surfing safely and thinking prevention, i am extremely cautious and careful. not real sure where this one came from, but it was a pain in the butt to remove ! does it appear that everything is all ok after following your most recent advice ? thanks a ton ! ***

#9 littleERIC (Topic Starter)

Posted 30 March 2012 - 12:47 PM

i added 5 questions / comments in the post above this. they may be hard to see since they are in the quote contents of your last post. i surrounded each of my 5 questions / comments with ***

thanks again for your help !

#10 nasdaq (Malware Response Team)

Posted 30 March 2012 - 01:20 PM

*** i will gladly do this when i get home also. one question though, i downloaded and ran the unhide.exe program before i ran the pc recovery. should i still run this program again ? ***


You can run it again but do not think that it will find anything.

===

*** i will also do this when i get home this evening. what exactly does this do ? the reason i ask is with the "uninstall" command typed in, what exactly is it that i'm uninstalling here ?

Not a stupid question. I thought we had run that ComboFix tool.

*** lastly, as far as surfing safely and thinking prevention, i am extremely cautious and careful. not real sure where this one came from, but it was a pain in the butt too remove ! does it appear that everything is all ok after following your most recent advice

Most of these come from unpatched versions of 3rd party software.

Keep Java, Flash and Adobe Reader up to date.

#11 littleERIC (Topic Starter)

Posted 30 March 2012 - 01:59 PM

no sir i have NOT run the combofix tool, but i will gladly do so if you advise to do so. thanks so much for all of your help here and for what all of you do here !

#12 littleERIC (Topic Starter)

Posted 30 March 2012 - 10:49 PM

here is the results after running the unhide.exe program. does everything look all clear ?

Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingcomputer.com/forums/topic405109.html

Program started at: 03/30/2012 10:33:54 PM
Windows Version: Windows XP

Please be patient while your files are made visible again.

Processing the C:\ drive
Finished processing the C:\ drive. 111184 files processed.

Processing the D:\ drive
Finished processing the D:\ drive. 1934 files processed.

The C:\DOCUME~1\ERICLI~1.YOU\LOCALS~1\Temp\smtmp\ folder does not exist!!
Unhide cannot restore your missing shortcuts!!
Please see this topic in order to learn how to restore default
Start Menu shortcuts: http://www.bleepingcomputer.com/forums/topic405109.html

Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
* HideIcons policy was found and deleted!

Program finished at: 03/30/2012 10:38:25 PM
Execution time: 0 hours(s), 4 minute(s), and 31 seconds(s)
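The Unhide log above records the two things a FakeHDD rogue does that the tool reverses: it sets the hidden (+H) attribute on the user's files and shortcuts (as explained in post #7), and it plants a HideIcons value under the three Explorer registry keys listed in the log, with Start Menu shortcuts moved into the Temp\smtmp folder. The following PowerShell script is an added, read-only audit for those symptoms; it is not part of Unhide.exe or of this thread. It assumes PowerShell 2.0 or later on the affected user's account, and the profile path to scan (defaulting to the current user's profile) is an assumption.

```powershell
# Read-only audit for FakeHDD-style symptoms. Reports; changes nothing.
# Assumptions: run as the affected user; PowerShell 2.0+; $ProfilePath is the
# folder tree whose hidden files you care about (default: current user's profile).
param(
    [string]$ProfilePath = $env:USERPROFILE
)

# The three registry keys the Unhide log checks for the HideIcons value.
$policyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
)

function Get-HideIconsFindings {
    # Returns one object per key where a HideIcons value exists (any value).
    foreach ($key in $policyKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -ne $null -and $props.PSObject.Properties['HideIcons'] -ne $null) {
            New-Object PSObject -Property @{
                Key   = $key
                Name  = 'HideIcons'
                Value = $props.HideIcons
            }
        }
    }
}

function Get-HiddenUserFiles {
    # Files carrying the Hidden attribute but not the System attribute.
    # Windows itself keeps a few hidden files in a profile (for example
    # ntuser.dat.LOG), so a handful of hits is normal; thousands are not.
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            (-not $_.PSIsContainer) -and
            (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
            (($_.Attributes -band [IO.FileAttributes]::System) -eq 0)
        }
}

function Test-SmtmpFolder {
    # FakeHDD rogues move Start Menu shortcuts into %TEMP%\smtmp
    # (the path the Unhide log reports on). Presence means they can be moved back.
    $smtmp = Join-Path -Path $env:TEMP -ChildPath 'smtmp'
    if (Test-Path -Path $smtmp) {
        $items = @(Get-ChildItem -Path $smtmp -Recurse -Force -ErrorAction SilentlyContinue |
                   Where-Object { -not $_.PSIsContainer })
        return "smtmp folder present: $smtmp ($($items.Count) files; shortcuts can be restored from it)"
    }
    return "smtmp folder not present: $smtmp (nothing to restore from it)"
}

# ---- report ----
$findings = @(Get-HideIconsFindings)
if ($findings.Count -eq 0) {
    'No HideIcons value found under the three Explorer keys.'
} else {
    'HideIcons value(s) found (a FakeHDD symptom):'
    $findings | Format-Table Key, Name, Value -AutoSize
}

$hidden = @(Get-HiddenUserFiles -Root $ProfilePath)
"$($hidden.Count) hidden (non-system) files under $ProfilePath"
if ($hidden.Count -gt 0) {
    'First 20:'
    $hidden | Select-Object -First 20 | ForEach-Object { '  ' + $_.FullName }
}

Test-SmtmpFolder
```

Run it before and after Unhide.exe: the hidden-file count should drop to the handful Windows keeps hidden itself, and no HideIcons value should remain.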

#13 nasdaq (Malware Response Team)

Posted 31 March 2012 - 08:18 AM

The Unhide log gives us a rundown of what was done.
If your files were deleted you may be able to recover some of them using this tool.
UndeletePlus
http://undeleteplus.com/

Please let me know if successful.
===

If you have any other difficulties with this computer you can run ComboFix.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.
===

#14 littleERIC (Topic Starter)

Posted 01 April 2012 - 06:29 PM

ok, sorry for my ignorance here, but i have just run "UndeletePlus" like you suggested. it identified 20,791 files with potentially recoverable content. most all of this list makes no sense to me, so i don't want to just start recovering random stuff without knowing for sure what it is. after sorting this "UndeletePlus" list in date order, i did find some stuff on (or around) the date (03-13-2012) that this problem occurred that could possibly identify the specifics of what the virus/malware/program/etc. was that caused my problems, but like i said, i am not real sure of what to make of most all of these items, so they could be legit. let me know if there is any good info i could provide you with here.

the only two problems i am aware of this pc having, as i mentioned in a previous post, is that my personal documents, personal files, personal pics, personal music, etc. is no longer showing after running windows xp pc recovery, which restored windows xp. this laptop pc did NOT have recovery discs, it had the pc recovery built into the BIOS instead of the option to create recovery discs. the "my documents" folder is there with its default contents, but all of my personal contents previously there is not there now, it is showing the folder's contents the same as it was when this pc was bought brand new (default). the exact same story for the "my pictures" and the "my music" folders, all they show is the preinstalled default pics and music just like it came brand new. if i had to guess, since i was forced to run the pc recovery, i would imagine that these items, files, pics, documents, music, etc. have been done away with and are most likely unrecoverable. am i correct here ?

other than what i just mentioned, i feel like the pc is running and functioning like it should. i am just wanting to make sure that these things mentioned are unrecoverable. if they are unrecoverable, i will just accept it as a loss and move on. the second concern i have is that i want to make dang sure that all harmful things are indeed removed from this pc as though it appears it is.

if you feel that some of these mentioned things are indeed recoverable, you may have to advise what specifically i should be looking for in "UndeletePlus" so that i can attempt to recover these items, otherwise i'm at a total loss on what to look for since it found over 20,000 recoverable items.

lastly, as i said the other day, i will be happy to run the "ComboFix" as you suggested, i'm just not certain if that step is needed since i appear to be back up and running, and my only concerns are wanting to see if the mentioned items can be recovered or not, AND i'm just wanting to make sure anything harmful is indeed removed as it appears.

some of this info i have just typed out here is repetitive, but was just to make sure that we are on the same page here as to where my pc stands at this moment in this process because i could not help but wonder if you had FULLY understood what all processes i have already been through up to this point. i am not questioning you at all, just wanting to make sure that you are aware of what all i have and have not done up to this point because i know you guys / gals deal with a lot of problems on here daily. if there is any doubt about anything, i think i have been very detailed in all of the posts within this topic, so you could look back through the entire topic to see what has and has not been done so far. if there is anything that does not make sense or i have not clearly indicated, please advise and i will do my very best to give you whatever info you need to help here.

the short version of what all i've just said / asked is:

#1 - are my pics, documents, files, etc. recoverable or not ? if they are possibly recoverable, what should i do ?

#2 - should i go ahead and run the combofix as you suggested ?

sorry for being so long winded, but i'm trying to make sure we are on the same page here. thanks for your help !

#15 nasdaq (Malware Response Team)

Posted 02 April 2012 - 08:55 AM

it seems as though i have got everything removed and restored. the only downfall to this whole ordeal is that i seem to have lost all pictures, documents, etc


You will have to decide which files you want back.
Try a few pictures you lost; what are the documents you want back? Just concentrate on the files you want back.

#1 - is my pics, documents, files, etc recoverable or not ? if they are possibly recoverable, what should i do ?

Trial and error will guide you. Do this immediately. If you create new files and the disk area used by the operating system to save them is the same as a deleted file, you will lose that deleted file.
As you have learned, the files you have deleted are still on the hard disk. However, the space used by the deleted file is available to the operating system and can be used to save any new files you create.

#2 - should i go ahead and run the combofix as you suggested ?
No. This tool installs a lot of files and will only make your search for deleted files that much harder.
