Howdy everyone :)

I've been using MalwareBytes occasionally whenever I've gotten a hit in the past with something suspicious. But this one has thrown a mean curve ball at me. This involves the latest attack from the "Data Recovery" virus that hit me while browsing some images on Flickr. It did all that had been reported by others: disabled nearly everything, hid images and files, made the desktop black with no icons, and ran an unexitable program that did a fake scan with a bunch of fake pop-ups. Here is what I did and where I'm stuck.

What I did:

1. I tried running Ad-Aware Pro while the malware was running. It didn't find it. So I shut it down and rebooted.

2. Started in Safe Mode + Networking.

3. Went online and began hunting down articles on the malware. Found a good one and followed the steps.

4. Got and ran rKill and CCleaner.

5. Found a bunch of stuff and deleted it.

6. Cleaned the Registry with CC. But I think that may have done some damage since the malware altered the registry. More on this later. I think I still have the backup of it.

7. Rebooted.

8. Downloaded Malwarebytes, updated it, ran it. Found and deleted 4 viruses.

9. Ran CCleaner again and it found 1 more.

10. Rebooted. Ran Unhide.exe. Also ran CMD and used the cd\ attrib -h -s *.* /s /d to unhide everything.

11. Downloaded TDSSKiller, ran it, found more and deleted.

12. Downloaded RogueKiller based on advice from an article that suggested that getting kicked from explorer while in safe mode is a sign of a rogueware.

13. Ran RogueKiller and followed the steps from another forum. Will be posting it here for your review.

14. RogueKiller found no bad processes (Thank God!) but found 8 registry entries.

Now where I'm stuck:

1. I still have no desktop icons and can't right click on the desktop (anywhere). This might still be from the rogues. Administrator can still right click on desktop and icons show up. But only in safe mode where Admin is accessible.

2. Security Automatic Updates do not work. It is set for automatic updates. But a check on services.msc via the start>run shows no entry where the Automatic Updates should be. So a rogue or registry error might be present. Trying to turn it on gives an error message that reads something like "Were Sorry. The Security Center could not change your Automatic Updates setting...".

3. Certain programs do not run like flash games (Transformice.exe does not work).

4. I have unhidden files that were meant to remain hidden... I am worried that the unhidden files on my system present a big opening for attacks.

5. My DVD/CD-ROM does not work. I suspect that when I ran CCleaner, it may have deleted the registry entry. It is no longer detected upon booting and will not open. Can't run XP Restore. Note I had removed it for a while because I needed to place a cooling fan over the hard drive as it was overheating. After running CCleaner was when I attached the drive in an attempt to restore any registry damage.

Here is the log for RogueKiller:

RogueKiller V5.3.4 [08/30/2011] by Tigzy

contact at http://www.sur-la-toile.com

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User: Junior [Admin rights]

Mode: Scan -- Date : 09/20/2011 22:24:09

Bad processes: 0

Registry Entries: 8

[sUSP PATH] HKCU\[...]\Run : avbhhfRgwD.exe (C:\Documents and Settings\All Users\Application Data\avbhhfRgwD.exe) -> FOUND

[sUSP PATH] HKUS\S-1-5-21-2266275541-1996528729-1244322346-1006[...]\Run : avbhhfRgwD.exe (C:\Documents and Settings\All Users\Application Data\avbhhfRgwD.exe) -> FOUND

[HJPOL] HKCU\[...]\System : DisableTaskMgr (1) -> FOUND

[HJPOL] HKCU\[...]\Explorer : NoDesktop (1) -> FOUND

[HJ] HKCU\[...]\ActiveDesktop : NoChangingWallPaper (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[FILEASSO] HKCU\[...]Software\Classes\.exe\shell\open\command : ("C:\Documents and Settings\Junior\Local Settings\Application Data\lut.exe" -a "%1" %*) -> FOUND

[FILEASSO] HKCR\[...].exe\shell\open\command : ("C:\Documents and Settings\Junior\Local Settings\Application Data\lut.exe" -a "%1" %*) -> FOUND

Particular Files / Folders:

HOSTS File:

127.0.0.1 localhost

Finished : << RKreport[1].txt >>

RKreport[1].txt

Thanks in advance for any help you can provide.
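The RogueKiller log above points at a small, well-defined set of registry locations (the Policies values that disable Task Manager and the desktop, the hijacked .exe open command, the Run entry in a data folder) plus the missing Automatic Updates service. The script below is an added example, not code from the thread or from the RogueKiller project: it reads those locations and reports any deviation from the stock Windows XP values, without changing anything. It assumes Windows XP SP3 with PowerShell 2.0 installed, run in the affected user's session (so HKCU is that user's hive); the HideDesktopIcons path for the NewStartPanel entry is assumed from the truncated key in the log.

```powershell
# Added audit script (not part of the original post). Read-only: it reports, it does not repair.
# Assumes PowerShell 2.0 on Windows XP SP3, run as the affected user.

# Policy values the RogueKiller log flagged; a value of 1 switches the lockout on.
$restrictivePolicies = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoDesktop' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallPaper' },
    # Assumed full path for the truncated HKLM\[...]\NewStartPanel entry; the GUID is the My Computer icon.
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel';
       Name = '{20D04FE0-3AEA-1069-A2D8-08002B30309D}' }
)

# Stock .exe handler on XP. Anything else means another program is interposed on every .exe launch.
$expectedExeCommand = '"%1" %*'
$exeCommandKeys = @(
    'HKCU:\Software\Classes\.exe\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
)

# Run-key entries that launch from data folders (like the avbhhfRgwD.exe entry above) deserve review.
$suspectDirs = @(
    (Join-Path $env:ALLUSERSPROFILE 'Application Data'),
    (Join-Path $env:USERPROFILE 'Local Settings\Application Data')
)

function Get-RegistryValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $props = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    # PS 2.0 has no member enumeration on collections, so filter the property list explicitly.
    $prop = $props.PSObject.Properties | Where-Object { $_.Name -eq $Name }
    if ($null -eq $prop) { return $null }
    return $prop.Value
}

$findings = @()

foreach ($p in $restrictivePolicies) {
    $v = Get-RegistryValue -Path $p.Path -Name $p.Name
    if ($v -eq 1) {
        $findings += "Lockout value $($p.Name) = 1 under $($p.Path)"
    }
}

foreach ($k in $exeCommandKeys) {
    $cmd = Get-RegistryValue -Path $k -Name '(default)'
    if ($null -ne $cmd -and $cmd -ne $expectedExeCommand) {
        $findings += ".exe handler at $k is [$cmd]; stock value is [$expectedExeCommand]"
    }
}

$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath and friends
        foreach ($d in $suspectDirs) {
            if ("$($prop.Value)" -like "*$d*") {
                $findings += "Run entry '$($prop.Name)' launches [$($prop.Value)] from a data directory"
            }
        }
    }
}

# Automatic Updates is the wuauserv service; its absence matches the empty services.msc entry reported.
$au = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if ($null -eq $au) {
    $findings += 'Service wuauserv (Automatic Updates) is not registered on this machine'
}

if ($findings.Count -eq 0) {
    'No deviations found in the audited locations.'
} else {
    $findings
}
```

On a clean machine the script prints a single line; on the machine in this thread it should list the three policy values, the two .exe handler keys pointing at lut.exe, the Run entry and the missing service. Because it only reads, it is safe to run before and after any cleanup to confirm what a tool actually reverted, which is the check the poster was missing between steps 6 and 14.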


  • 2 weeks later...

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post only DDS.txt directly into your reply.

I have a similar problem... Data Restore hit my machine... I ran RKill, then TDSSKiller after renaming it (found 1 item and 'cured' it), then ran Malwarebytes latest level... rebooted and Data Restore was back in full swing.


  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
