
Need help removing File Restore attack



Hello,

I would like help removing / recovering from "File Restore" attack on a windows 7 PC.

Up till now:

I logged into the forum and located the removal instructions, then I:

1. Restarted in safe mode with networking

2. Installed Malwarebytes

3. Ran Malwarebytes (log posted below)

4. 5 viruses cleaned

5. C:\users contents are still hidden after reboot

6. I ran MBAR, which found an MBR problem and cleaned several other problems (log follows)

7. C:\users contents are still hidden and menu items are still missing

Please advise me what to do next. Logs follow... Thank you for your help!

Malwarebytes log:

Malwarebytes Anti-Malware 1.65.1.1000

www.malwarebytes.org

Database version: v2012.11.22.11

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)

Internet Explorer 9.0.8112.16421

Charles :: CHARLES-HP [administrator]

11/22/2012 7:33:51 PM

mbam-log-2012-11-22 (19-33-51).txt

Scan type: Full scan (C:\|D:\|E:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 382609

Time elapsed: 48 minute(s), 2 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 2

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|KpRgWGwgHFihvM.exe (Trojan.Agent.RNDGen) -> Data: C:\ProgramData\KpRgWGwgHFihvM.exe -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|KriZERI7eeJO3z (Trojan.Agent.RNDGen) -> Data: C:\ProgramData\KriZERI7eeJO3z.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 2

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

Folders Detected: 0

(No malicious items detected)

Files Detected: 2

C:\ProgramData\KpRgWGwgHFihvM.exe (Trojan.Agent.RNDGen) -> Quarantined and deleted successfully.

C:\ProgramData\KriZERI7eeJO3z.exe (Trojan.Agent.RNDGen) -> Quarantined and deleted successfully.

(end)

MBAR log

Malwarebytes Anti-Rootkit 1.1.0.1009

www.malwarebytes.org

Database version: v2012.11.22.11

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)

Internet Explorer 9.0.8112.16421

Charles :: CHARLES-HP [administrator]

11/22/2012 9:37:02 PM

mbar-log-2012-11-22 (21-37-02).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken

Scan options disabled: PUP | PUM | P2P

Objects scanned: 27181

Time elapsed: 12 minute(s), 17 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 3

C:\$Recycle.Bin\S-1-5-21-399829013-930352196-3669436440-1001\$3bfeda295a14ce3cda9571896bacdca3\U (Trojan.Siredef.C) -> Delete on reboot. [e89917a24d103105752fbc44f709b050]

C:\$Recycle.Bin\S-1-5-21-399829013-930352196-3669436440-1001\$3bfeda295a14ce3cda9571896bacdca3\L (Trojan.Siredef.C) -> Delete on reboot. [cfb26752312c3ff722840ef226da8b75]

C:\$Recycle.Bin\S-1-5-21-399829013-930352196-3669436440-1001\$3bfeda295a14ce3cda9571896bacdca3 (Trojan.Siredef.C) -> Delete on reboot. [6021b702bba21e18f5b290706a96926e]

Files Detected: 2

C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\MBR_0_infected.mbam (Bootkit.TDL4.A.MBR) -> Delete on reboot. [7346058c47e60d7234082187c815788f]

C:\$Recycle.Bin\S-1-5-21-399829013-930352196-3669436440-1001\$3bfeda295a14ce3cda9571896bacdca3\@ (Trojan.Siredef.C) -> Delete on reboot. [1a67c2f74c1196a07f224ab6fd03cd33]


Hello and welcome to the forum, shipbldr2000 :)

Do not run any type of temporary file cleaners as that will most likely prevent us from restoring missing items!

Download unhide.exe to your desktop.

  • Now run unhide.exe by right-mouse clicking it and select "Run as administrator"
  • Be patient as the tool runs.
  • Did this restore the missing (hidden) shortcuts?
  • Attach the unhide.txt file on your desktop.

__

Please download RogueKiller to your desktop.

  • Now rename RogueKiller.exe to winlogon.exe
  • Double-click winlogon.exe to run. Right-click winlogon.exe and select "Run as administrator"
  • When it opens, press the Fix Shortcuts button
  • Please attach the latest numbered RKreport.txt from your desktop to your next post.

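As an added example that is not part of the helper's reply and is not code from unhide.exe, RogueKiller or Malwarebytes, the PowerShell script below does, in an inspectable way, the two things the reply's tools are asked to do for this infection: it clears the Hidden attribute the "File Restore" rogue left on the user profiles and Start Menu (the "C:\users contents are still hidden" symptom) and it resets the Explorer Start_Show* switches that were flipped to 0 (the "menu items are still missing" symptom, the same key MBAM repaired for Start_ShowMyComputer and Start_ShowSearch). It then lists any Run-key entry that launches an executable sitting directly in %ProgramData%, the pattern of both Trojan.Agent.RNDGen hits in the MBAM log, so a leftover can be spotted before reboot. The $SkipNames list, the set of Start_Show* names beyond the two in the log, the ProgramData regex and the -DryRun switch are assumptions made for this example. Run it from an elevated PowerShell prompt (it is written for the PowerShell 2.0 that ships with Windows 7 SP1).

```powershell
# Added example for this thread, not code from unhide.exe, RogueKiller or Malwarebytes.
# Clears the Hidden attribute the "File Restore" rogue set on user files, resets
# Start_Show* entries that were forced to 0, and reports Run-key entries launching
# from the root of %ProgramData%. Run from an elevated prompt; -DryRun only reports.
# $SkipNames, the Start_Show* name list and the regex are assumptions for this example.
param([switch]$DryRun)

# Profile items Windows keeps hidden by design; their attributes are left alone.
$SkipNames = '^(AppData|ntuser\..*|desktop\.ini|Default|Default User|All Users|Public)$'

function Clear-HiddenAttribute {
    param([string]$Root)
    $fixed = 0
    $items = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($item in $items) {
        if (-not $item) { continue }          # PowerShell 2.0 iterates once over $null
        $a = $item.Attributes
        # Junctions (Application Data, Local Settings, ...) and System-attributed
        # items (desktop.ini) are OS plumbing, not user data: skip them.
        if ((($a -band [IO.FileAttributes]::ReparsePoint) -ne 0) -or
            (($a -band [IO.FileAttributes]::System) -ne 0)) { continue }
        if ($item.Name -match $SkipNames) { continue }
        if (($a -band [IO.FileAttributes]::Hidden) -ne 0) {
            if ($DryRun) { Write-Host "would unhide: $($item.FullName)" }
            else { $item.Attributes = $a -bxor [IO.FileAttributes]::Hidden }
            $fixed++
        }
    }
    return $fixed
}

function Restore-StartMenuEntries {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    # The two names MBAM repaired in the log plus other Start_Show* switches in the
    # same key (assumed list; add or remove names to match what is missing).
    $names = 'Start_ShowMyComputer', 'Start_ShowSearch', 'Start_ShowControlPanel',
             'Start_ShowMyDocs', 'Start_ShowRun', 'Start_ShowHelp', 'Start_ShowRecentDocs',
             'Start_ShowNetPlaces', 'Start_ShowPrinters'
    $props = Get-ItemProperty -Path $key
    foreach ($n in $names) {
        # Only values currently forced to 0 are reset; absent or non-zero values stay as they are.
        if ($props.PSObject.Properties[$n] -and $props.$n -eq 0) {
            Write-Host "resetting ${n}: 0 -> 1"
            if (-not $DryRun) { Set-ItemProperty -Path $key -Name $n -Value 1 -Type DWord }
        }
    }
}

function Find-ProgramDataAutoruns {
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $hits = @()
    foreach ($k in $runKeys) {
        $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $p) { continue }
        foreach ($prop in $p.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... metadata
            # An .exe directly under %ProgramData% with no vendor subfolder is the
            # shape of both Trojan.Agent.RNDGen entries in the MBAM log above.
            if ("$($prop.Value)" -match '(?i)\\ProgramData\\[^\\]+\.exe') {
                $hits += "$k\$($prop.Name) = $($prop.Value)"
            }
        }
    }
    return $hits
}

$cleared = 0
foreach ($root in "$env:SystemDrive\Users", "$env:ProgramData\Microsoft\Windows\Start Menu") {
    $cleared += Clear-HiddenAttribute -Root $root
}
Write-Host "hidden attributes cleared: $cleared"
Restore-StartMenuEntries
$autoruns = Find-ProgramDataAutoruns
if ($autoruns) { $autoruns | ForEach-Object { Write-Host "review autorun: $_" } }
else { Write-Host "no Run entries launching from the root of %ProgramData%" }
```

Run it once with -DryRun first and read the "would unhide" lines: if legitimate items show up (for example something under AppData you expect to stay hidden), extend $SkipNames before the real run. The autorun check only reports; it does not delete, because a Run value that survived the MBAM pass is worth posting in the thread before anything is removed.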

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
