
shipbldr2000

Hello, I would like help removing / recovering from the "File Restore" attack on a Windows 7 PC.

Up until now: I logged into the forum and located the removal instructions, then I:

  1. Restarted in safe mode with networking
  2. Installed Malwarebytes
  3. Ran Malwarebytes (log posted below)
  4. 5 viruses cleaned
  5. C:\users contents are still hidden after reboot
  6. I ran MBAR, which found an MBR problem and several other problems, cleaned (log follows)
  7. c:\users contents are still hidden and menu items are still missing

Please advise me what to do next. Logs follow...

Thank you for your help!

Malwarebytes log:

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.22.11

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Charles :: CHARLES-HP [administrator]

11/22/2012 7:33:51 PM
mbam-log-2012-11-22 (19-33-51).txt

Scan type: Full scan (C:\|D:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 382609
Time elapsed: 48 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|KpRgWGwgHFihvM.exe (Trojan.Agent.RNDGen) -> Data: C:\ProgramData\KpRgWGwgHFihvM.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|KriZERI7eeJO3z (Trojan.Agent.RNDGen) -> Data: C:\ProgramData\KriZERI7eeJO3z.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\ProgramData\KpRgWGwgHFihvM.exe (Trojan.Agent.RNDGen) -> Quarantined and deleted successfully.
C:\ProgramData\KriZERI7eeJO3z.exe (Trojan.Agent.RNDGen) -> Quarantined and deleted successfully.

(end)

MBAR log:

Malwarebytes Anti-Rootkit 1.1.0.1009
www.malwarebytes.org

Database version: v2012.11.22.11

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Charles :: CHARLES-HP [administrator]

11/22/2012 9:37:02 PM
mbar-log-2012-11-22 (21-37-02).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: PUP | PUM | P2P
Objects scanned: 27181
Time elapsed: 12 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 3
C:\$Recycle.Bin\S-1-5-21-399829013-930352196-3669436440-1001\$3bfeda295a14ce3cda9571896bacdca3\U (Trojan.Siredef.C) -> Delete on reboot. [e89917a24d103105752fbc44f709b050]
C:\$Recycle.Bin\S-1-5-21-399829013-930352196-3669436440-1001\$3bfeda295a14ce3cda9571896bacdca3\L (Trojan.Siredef.C) -> Delete on reboot. [cfb26752312c3ff722840ef226da8b75]
C:\$Recycle.Bin\S-1-5-21-399829013-930352196-3669436440-1001\$3bfeda295a14ce3cda9571896bacdca3 (Trojan.Siredef.C) -> Delete on reboot. [6021b702bba21e18f5b290706a96926e]

Files Detected: 2
C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\MBR_0_infected.mbam (Bootkit.TDL4.A.MBR) -> Delete on reboot. [7346058c47e60d7234082187c815788f]
C:\$Recycle.Bin\S-1-5-21-399829013-930352196-3669436440-1001\$3bfeda295a14ce3cda9571896bacdca3\@ (Trojan.Siredef.C) -> Delete on reboot. [1a67c2f74c1196a07f224ab6fd03cd33]