Root kit virus has deleted my files

[ftlaudmom]

I got a virus that makes my computer appear that all my programs and files are gone. Even in safe mode nothing shows up. Avast still loads and runs and I can see it scanning through the files so I know they're still there but can't access anything. Avast found a root kit virus and I clicked move to chest and it wouldn't work and any other action has the same result. How can I get this out? Thanks for your help.

[chaslang]

Welcome to Major Geeks!

Please download and save the below to your Desktop or anywhere else you can find it ( if the Desktop is not showing )

http://download.bleepingcomputer.com/grinler/unhide.exe

Now run it ( if you are running Vista or Win 7, use right click and select Run As Administrator ). Did that help with your missing items?

Even if the above restore missing items, it highly recommended to run the below cleaning processs as Unhide is not removing the malware. It is just trying to restore missing items.

Please follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide

[ftlaudmom]

Thanks so much. So far so good it seems. I just finished running all the tools you said and hitman found 12 suspicious items which I chose to ignore as instructed. I've attached the logs here so you can take a look before I finish up.

[ftlaudmom]

Update: I'm having problems at restart in that I'm getting the blue screen that suggests a corrupt driver. I think it might be the linksys wireless adapter because the blue screen comes up right after the adapter loads in the tray. It doesn't happen when I start in safe mode. I have a few weeks of system restore points so I can do that if I need to but I'll wait until you've had a chance to review my logs. Thanks.

[chaslang]

You're welcome.



Goto the below link and follow the instructions for running TDSSKiller from Kaspersky

• TDSSkiller - How to run

• Be sure to attach your log from TDSSKiller

Please download OTM by Old Timer and save it to your Desktop.

• Right-click OTM.exe and select Run as administrator to run it.
• Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
  (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
  the code box

Code:

:Processes
explorer.exe
 
:Files
C:\Documents and Settings\All Users\Application Data\IEEhbDnrDIeqnkP.exe
:Reg
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"IEEhbDnrDIeqnkP.exe"=-
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{cca2e567-1987-4100-a3c6-5b4267084510}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{cca2e567-1987-4100-a3c6-5b4267084510}]
:Commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar
  ) and choose Paste.
• Now click the large button.
• If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
• Close OTM.

Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
this log file to your next message.


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• the the log from TDSSkillerlog
• the C:\_OTM\MovedFiles log
• C:\MGlogs.zip

Make sure you tell me how things are working now!

[ftlaudmom]

Unfortunately after I sent my last message everything returned to the way it was with all my files missing again and I had to do the entire process all over again. I got back to the point where I was when I last posted but the kapersky thing won't run. I renamed it as instructed and I get an error that it can't run in safe mode. That is the only mode I can get into as it just keeps rebooting over and over if I try to boot up normally. As I said I have a month of system restore so maybe I should try to do that. Suggestions?

[chaslang]

Please skip just the part with TDSSKiller and continue with the rest.

[ftlaudmom]

I did the rest and here are the logs. Avast is still finding the rootkit and thinking its deleting it but I know it isn't. Kaspersky still doesn't run and occasionally I get a blue screen on reboot and then the second boot goes through ok. Thanks for your help.

[chaslang]

Do you have your Windows XP boot CD? If not, try making the below CD and test to see if you can boot into the Recovery Console with it. This is just a test at this point.

Using ARCDC to get the Recovery Console Command Prompt

[ftlaudmom]

I don't have the boot cd and unfortunately the link didn't work for me. When I attempted to run the exe and make the cd I kept getting an error that said it had a failed connection to microsoft. Is there another link that I can try to use to make a boot cd?

[ftlaudmom]

Please disregard the last message - the process is working so I'll proceed with the burn and reply with the results soon.

[chaslang]

Quote:

Originally Posted by ftlaudmom

so I'll proceed with the burn and reply with the results soon.

I'm still waiting on you.

[ftlaudmom]

Ok I'm back. Sorry for the delay but had a family crisis that took precedent. But I just now followed the instructions and everything booted fine from the windows cd. I'm ready for the next step.

I have noticed something though that might matter. On the first boot the pc tries to load the wireless device in the tray and then craps out to a blue screen. That is not the normal loading sequence. On second reboot, it loads it last and everything loads fine and then runs ok for a while until I get the notice from Avast that the root kit virus is present.

Don't know if that is caused by the root kit or not but just thought I'd mention it. Thanks for your patience.

[chaslang]

Quote:

Originally Posted by ftlaudmom

I have noticed something though that might matter. On the first boot the pc tries to load the wireless device in the tray and then craps out to a blue screen. That is not the normal loading sequence. On second reboot, it loads it last and everything loads fine and then runs ok for a while until I get the notice from Avast that the root kit virus is present.

Before we can continue, I need to understand what you are talking about here. When you boot from the ARCDC cd, Windows is not loading and thus there is no loading of any wireless drivers. So are you referring to when you are booting your PC into Windows and not when you are booting from the CD I had you create???

[ftlaudmom]

That's correct. It boots fine from the CD. I'm referring to the normal boot process. When I boot from Windows I notice that the first time around the wireless device loads first in the tray, it halts and then goes to a blue screen. Then I shut it down and boot a second time and then it works ok the second time and the wireless device loads last in the tray. That might be a corrupt driver from the virus but once it boots ok I can get online fine so it doesn't appear to be affecting it too much. And I keep trying to run that kaspersky kill app but its still not working.

[chaslang]

Quote:

Originally Posted by ftlaudmom

And I keep trying to run that kaspersky kill app but its still not working.

You should not be running/doing anything that I do not ask you to do until the cleaning process and final instructions are completed.

Now we need to remove an infected partition from your harddisk. You will need to make another special boot CD to to this.

Please download: gparted-live-0.13.1-2.iso (124 MB)
Create a bootable CD for GParted. You can use ImgBurn to accomplish this.
If you need help on how to use ImgBurn, please view this guide by dr.m -- Using ImageBurn to Burn an ISO image

Now boot off of the newly created GParted CD.

You should be here...
Press ENTER

By default, do not touch keymap is highlighted. Leave this setting alone and just press ENTER.

Choose your language and press ENTER. English is default [33]

Once again, at this prompt, press ENTER
You will now be taken to the main GUI screen below

According to your logs, the partition that you want to delete is 2.48 MiB (2.48 MB)
Click the trash can icon to delete and then click Apply.
You should now be here confirming your actions:

Now you should be here:

Is boot next to your OS drive? According to your logs, your OS drive is the 1.36 TB sized partition.

If boot is not next to your OS drive under Flags, right-mouse click the OS drive while in Gparted and select Manage Flags

In the menu that pops up, place a checkmark in boot like the picture below:

Now press the Close button to save these changes.
Now double-click the button.
You should receive a small pop up like this:

Choose reboot and then press OK.


Now reboot from the WindowsRecovery Console using the ARCDC cd and execute the following commands at the command prompt pressing ENTER after each:

• fixmbr
• fixboot
• exit <<< this will reboot your PC. Remove the CD and boot normal.

Once back in Windows...
Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\MGlogs.zip

Make sure you tell me how things are working now!

[ftlaudmom]

Everything ran just as described and here are the logs. No error on boot and so far no avast report of rootkit.

[chaslang]

Your MGlogs.zip file is still always coming out incomplete. Are you shutting down Avast before running it? Are you seeing an errors while running it? We need to get a complete log.

Also why are you running MGtools.exe when I asked you to run C:\MGtools\GetLogs.bat

[ftlaudmom]

I'm sorry I didn't remember to disable Avast but I did run the correct file so I'm not sure why they were incomplete. I deleted all the previous folders and reloaded the mgtools from scratch and ran the runbat again so hopefully this time it will look better. And I disabled avast this time. Thanks for your help and patience.

[chaslang]

You're welcome. Looks good now.

Is everything still working okay?