
Recovery of file deleted from Malwarebytes quarantine


sml280

Hi

My grandson's Windows 7 computer was infected by the pceu virus and I was given the job of sorting it. I managed to get it to desktop in safe mode and found Malwarebytes which I ran and it picked up two infections and put them in quarantine, one of them being the pceu trojan. On restarting there was an error message to the effect that 'C:\Users\Sam\wgsdgsdgdsgsd.exe. The module could not be found' and it wouldn't start.

It turned out that this file was the other infected one.

I tried the restore button on the basis that it might start with an infected file that could be sorted later but it wasn't having it. I then thought that if I deleted it I could then restore it from the recycle bin, which I did. But of course it wasn't in the recycle bin and is lost.

Does anybody know if or how it can be recovered, bearing in mind that there is no internet access? Maybe something that could be downloaded to another computer to, say, an SD card and then hopefully the safe mode desktop would recognise it.

Or am I faced with recovery.

Any comments would be gratefully appreciated before I do any more damage

Mel


Welcome to the forum, you don't want to restore that file, it's the virus!!

.......please start at the link below:

http://forums.malwar...?showtopic=9573

Post back the 2 logs here.....DDS.txt and Attach.txt

<====><====><====><====><====><====><====><====>

Next.......

Please remove any usb or external drives from the computer before you run this scan!

Quit all running programs.

Please download and run RogueKiller to your desktop.

http://tigzy.geeksto...ueKillerX64.exe <---use this one for 64 bit systems

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>Please stick with me until I give you the "all clear".

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)


Hi MrC

Thanks for your response.

My computer skills are limited.

I'm communicating with you on a different computer to the infected one. I can't see how I can download anything to it as it won't get past desktop in safe mode. As far as I'm aware there is no internet access.

Am I missing something?

Mel


OK if you have a good system restore point..this may work:

Step 1: Use F8 to Boot to SafeMode With Command Prompt

Step 2: Type the word "explorer" in black screen

Step 3: Then Navigate to:

Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter (double click rstrui.exe)

Step 4: Restore Computer to Date you know you were virus free

Step 5: Run Malwarebytes

-----------------------------------------

If not you'll have to do this:

  1. Please download Farbar Recovery Scan Tool and save it to a flash drive.
    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
    Plug the flash drive into the infected PC.
  2. If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.
    If you are using Vista or Windows 7 enter System Recovery Options.
    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.

To make a repair disk on Windows 7 consult: http://www.sevenforu...isc-create.html

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

  • On the System Recovery Options menu you will get the following options:

      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt

  • Select Command Prompt.

Once in the Command Prompt:

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

    MrC


Hi

I have got a Farbar notepad file which I am trying to send as a file (1,7kb) but I can't find any way of attaching it in the forum system. I was trying to send it direct to forums.malwarebytes,org/index.php?showtopic=122416 but Google Chrome won't recognise it as an address. Any ideas?

Mel


OK, here you go......Please carefully carry out this procedure!!!!!!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

See if the computer boots normally now.

MrC


Hi

The computer wouldn't boot with the virus. In safe mode I reached desktop and ran Malwarebytes which quarantined 2 files, the virus and a C:\Users file. The reboot failed because the C:\Users file was missing - see first note. This was now infected and was in quarantine. It was subsequently deleted from the quarantine section.

Mel.


Great! You mean I got one right!

Can you find the log from Malwarebytes that shows what was deleted and post it? I would like to see what went wrong.

We need to do some more scans though:

Please create a new system restore point before running Malwarebytes Anti-Rootkit if you can.

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.

New window that comes up.

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot.

Verify that your system is now functioning normally.

MrC


Hi

The Malwarebytes log has little on it recently - the pceu trojan and it also had the C:\Users file which I deleted in error. Incidentally, where do files go when they are deleted from quarantine?

Interesting of you to say download anti rootkit ' if you can ' in the previous email. I had a couple of goes at it but wasn't happy with what I got. There was no regular screen telling you what was going off as Malwarebytes (I don't know if it was supposed to do) and I was blind most of the time, so I finished up deleting it. All the things you said to check are fine and I have run a couple of full Malwarebytes scans with zero infections, so I am happy.

I'm sorry if some of the answers took some time but not being familiar with Windows 7 I was downloading your bits with my Vista computer, transferring them to the infected computer and then uploading to you on a Chromebook which is where the dialogue started out. I'm a 75yr old computer dinosaur no longer familiar with these things. At my age computer/internet requirements are simple and I find the new Chromebook copes with them fine.

However, I'm not such a dinosaur as my son in law and grandson who will be getting a dressing down when I give the computer back later today.

e.g. Malwarebytes 7/8 weeks out of date. If it had been current then the infection would probably never have happened since it handled it ok when it was manually activated.

The computer was showing no restore points. I don't know why but a periodic check would have highlighted it.

No backups had been made and the computer is 12 + months old.

I may be a dinosaur but even I know a few basics!

Anyway all's well that ends well. Thanks again for all your help and time.

Let me know what you think is fair recompense.

Mel


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.