Need help removing File Restore attack
in Resolved Malware Removal Logs
Hello,
I would like help removing / recovering from a "File Restore" attack on a Windows 7 PC.
Up until now:
I logged into the forum and located the removal instructions, then I:
1 Restarted in safe mode with networking
2 Installed Malwarebytes
3 Ran Malwarebytes (log posted below)
4 5 viruses cleaned
5 C:\users contents are still hidden after reboot
6 I ran MBAR, which found an MBR problem and several other problems; cleaned (log follows)
7 C:\users contents are still hidden and menu items are still missing
Please advise me what to do next. Logs follow... Thank you for your help!
Malwarebytes log:
Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org
Database version: v2012.11.22.11
Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Charles :: CHARLES-HP [administrator]
11/22/2012 7:33:51 PM
mbam-log-2012-11-22 (19-33-51).txt
Scan type: Full scan (C:\|D:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 382609
Time elapsed: 48 minute(s), 2 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|KpRgWGwgHFihvM.exe (Trojan.Agent.RNDGen) -> Data: C:\ProgramData\KpRgWGwgHFihvM.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|KriZERI7eeJO3z (Trojan.Agent.RNDGen) -> Data: C:\ProgramData\KriZERI7eeJO3z.exe -> Quarantined and deleted successfully.
Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
Folders Detected: 0
(No malicious items detected)
Files Detected: 2
C:\ProgramData\KpRgWGwgHFihvM.exe (Trojan.Agent.RNDGen) -> Quarantined and deleted successfully.
C:\ProgramData\KriZERI7eeJO3z.exe (Trojan.Agent.RNDGen) -> Quarantined and deleted successfully.
(end)
MBAR log:
Malwarebytes Anti-Rootkit 1.1.0.1009
www.malwarebytes.org
Database version: v2012.11.22.11
Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Charles :: CHARLES-HP [administrator]
11/22/2012 9:37:02 PM
mbar-log-2012-11-22 (21-37-02).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: PUP | PUM | P2P
Objects scanned: 27181
Time elapsed: 12 minute(s), 17 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 3
C:\$Recycle.Bin\S-1-5-21-399829013-930352196-3669436440-1001\$3bfeda295a14ce3cda9571896bacdca3\U (Trojan.Siredef.C) -> Delete on reboot. [e89917a24d103105752fbc44f709b050]
C:\$Recycle.Bin\S-1-5-21-399829013-930352196-3669436440-1001\$3bfeda295a14ce3cda9571896bacdca3\L (Trojan.Siredef.C) -> Delete on reboot. [cfb26752312c3ff722840ef226da8b75]
C:\$Recycle.Bin\S-1-5-21-399829013-930352196-3669436440-1001\$3bfeda295a14ce3cda9571896bacdca3 (Trojan.Siredef.C) -> Delete on reboot. [6021b702bba21e18f5b290706a96926e]
Files Detected: 2
C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\MBR_0_infected.mbam (Bootkit.TDL4.A.MBR) -> Delete on reboot. [7346058c47e60d7234082187c815788f]
C:\$Recycle.Bin\S-1-5-21-399829013-930352196-3669436440-1001\$3bfeda295a14ce3cda9571896bacdca3\@ (Trojan.Siredef.C) -> Delete on reboot. [1a67c2f74c1196a07f224ab6fd03cd33]
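The symptoms in the post (hidden profile contents, missing Start menu items) and the artifacts in the two logs (randomly named .exe files in C:\ProgramData started from Run keys, `Start_Show*` values set to 0, a `$`+32-hex folder under `$Recycle.Bin\<SID>` holding `U`, `L` and `@`) can be checked after the scans with a short audit script. The following is an added example, not code from the original post or from Malwarebytes; the list of legitimately hidden profile entries, the ProgramData regex and the folder-name pattern are assumptions drawn from what the logs show. Nothing is changed unless `-Repair` is given, and it deletes nothing (MBAR has already scheduled its own deletions for reboot).

```powershell
# Added example, not from the original post or any vendor tool. Windows 7 / PowerShell 2.0
# compatible. Run from an elevated PowerShell: .\Check-FileRestore.ps1 [-Repair]
param([switch]$Repair)

$Advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
# Values the MBAM log flagged as PUM.Hijack.StartMenu; 1 shows the item, 0 hides it.
$StartValues = 'Start_ShowMyComputer', 'Start_ShowSearch'
# Entries that are legitimately hidden inside a Windows 7 profile (assumed list).
$KnownHidden = 'AppData', 'desktop.ini', 'Default', 'All Users', 'Default User'

function Test-StartMenu {
    $props = Get-ItemProperty -Path $Advanced -ErrorAction SilentlyContinue
    foreach ($name in $StartValues) {
        $current = $props.$name
        # A missing value means the default (shown); only an explicit 0 is a hijack.
        if ($null -ne $current -and $current -ne 1) {
            Write-Warning "$name = $current (expected 1, as in the MBAM log's 'Good: (1)')"
            if ($Repair) { Set-ItemProperty -Path $Advanced -Name $name -Value 1 -Type DWord }
        }
    }
}

function Get-HiddenProfileItems {
    # Profile folders and their immediate children that carry the Hidden attribute
    # but are not junctions and not in the known-hidden list.
    $users = Join-Path $env:SystemDrive 'Users'
    $found = @()
    foreach ($prof in (Get-ChildItem $users -Force -ErrorAction SilentlyContinue)) {
        $candidates = @($prof) + @(Get-ChildItem $prof.FullName -Force -ErrorAction SilentlyContinue)
        foreach ($item in $candidates) {
            $attrs    = [int]$item.Attributes
            $hidden   = ($attrs -band [int][IO.FileAttributes]::Hidden) -ne 0
            $junction = ($attrs -band [int][IO.FileAttributes]::ReparsePoint) -ne 0
            $known    = ($KnownHidden -contains $item.Name) -or ($item.Name -match '^ntuser\.')
            if ($hidden -and -not $junction -and -not $known) { $found += $item }
        }
    }
    $found
}

function Get-SuspiciousRunEntries {
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
            # Both entries in the MBAM log were .exe files dropped directly in C:\ProgramData.
            if ("$($p.Value)" -match '(?i)^"?[a-z]:\\ProgramData\\[^\\]+\.exe') {
                New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

function Get-RecycleBinArtifacts {
    # MBAR listed "$" + 32 hex characters under $Recycle.Bin\<SID>\ holding U, L and @.
    $bin = Join-Path $env:SystemDrive '$Recycle.Bin'
    $sidDirs = Get-ChildItem $bin -Force -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer }
    foreach ($sidDir in $sidDirs) {
        Get-ChildItem $sidDir.FullName -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer -and $_.Name -match '^\$[0-9a-f]{32}$' }
    }
}

Test-StartMenu

$mask = -bnot ([int][IO.FileAttributes]::Hidden -bor [int][IO.FileAttributes]::System)
foreach ($h in Get-HiddenProfileItems) {
    Write-Warning "hidden profile item: $($h.FullName)"
    if ($Repair) { $h.Attributes = [IO.FileAttributes]([int]$h.Attributes -band $mask) }
}

Get-SuspiciousRunEntries | Format-Table Key, Name, Command -AutoSize

foreach ($d in Get-RecycleBinArtifacts) {
    Write-Warning "Trojan.Siredef.C-style folder still present: $($d.FullName)"
    Get-ChildItem $d.FullName -Force -ErrorAction SilentlyContinue | Select-Object Name, Length, LastWriteTime
}
```

Run it once without `-Repair` to see what it finds; if the `$Recycle.Bin` folder or any ProgramData Run entry is still reported after the reboot MBAR asked for, post the output in the thread rather than deleting by hand, since the MBR detection (Bootkit.TDL4.A.MBR) means the boot sector also needs to be verified, which this script does not do.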