Root kit virus has deleted my files

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ftlaudmom, Aug 2, 2012.

  1. ftlaudmom

    ftlaudmom Private E-2

    I got a virus that makes my computer appear that all my programs and files are gone. Even in safe mode nothing shows up. Avast still loads and runs and I can see it scanning through the files so I know they're still there but can't access anything. Avast found a root kit virus and I clicked move to chest and it wouldn't work and any other action has the same result. How can I get this out? Thanks for your help.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please download and save the below to your Desktop or anywhere else you can find it ( if the Desktop is not showing )

    http://download.bleepingcomputer.com/grinler/unhide.exe

    Now run it ( if you are running Vista or Win 7, use right click and select Run As Administrator ). Did that help with your missing items?

    Even if the above restores missing items, it is highly recommended to run the below cleaning process as Unhide is not removing the malware. It is just trying to restore missing items.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide
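    The rogue described in the first post makes files "disappear" rather than deleting them, which is why Avast can still scan them. Here is an added example (written for this thread, not the Unhide.exe tool and not part of the original post) that lists files and folders carrying the Hidden attribute without the System attribute, and only clears the Hidden bit when you opt in with -Restore. The Hidden-without-System heuristic and PowerShell 3.0 or later are assumptions; review the report before restoring, because some application files are legitimately hidden-only.

```powershell
# Added example, not part of the thread and not Unhide.exe.
# Assumption: OS files are normally Hidden+System, so Hidden alone on user
# data points at something that flipped the attribute. Report by default,
# clear only the Hidden bit when -Restore is given.
function Find-SuspiciousHidden {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Restore
    )
    $hidden = [IO.FileAttributes]::Hidden
    $system = [IO.FileAttributes]::System

    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            (($_.Attributes -band $hidden) -ne 0) -and
            (($_.Attributes -band $system) -eq 0)
        } |
        ForEach-Object {
            $before = $_.Attributes
            if ($Restore) {
                # Hidden is known to be set here, so XOR clears just that bit
                # and leaves ReadOnly, Archive and the rest untouched.
                $_.Attributes = $_.Attributes -bxor $hidden
            }
            [pscustomobject]@{
                Path       = $_.FullName
                Before     = $before
                After      = $_.Attributes
                Restored   = [bool]$Restore
            }
        }
}

# Usage: report first, then restore once the list looks like your own data.
# Find-SuspiciousHidden -Path 'C:\Users' | Format-Table -AutoSize
# Find-SuspiciousHidden -Path 'C:\Users' -Restore | Format-Table -AutoSize
```

    Run it from an elevated prompt so attribute changes are allowed on every folder it reaches; a path such as the user profile is a better starting point than the whole drive, which produces a long list of legitimate entries.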
     
  3. ftlaudmom

    ftlaudmom Private E-2

    Thanks so much. So far so good it seems. I just finished running all the tools you said and hitman found 12 suspicious items which I chose to ignore as instructed. I've attached the logs here so you can take a look before I finish up.
     


  4. ftlaudmom

    ftlaudmom Private E-2

    Update: I'm having problems at restart in that I'm getting the blue screen that suggests a corrupt driver. I think it might be the linksys wireless adapter because the blue screen comes up right after the adapter loads in the tray. It doesn't happen when I start in safe mode. I have a few weeks of system restore points so I can do that if I need to but I'll wait until you've had a chance to review my logs. Thanks.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.



    Go to the below link and follow the instructions for running TDSSKiller from Kaspersky
    • Be sure to attach your log from TDSSKiller

    Please download OTM by Old Timer and save it to your Desktop.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\Documents and Settings\All Users\Application Data\IEEhbDnrDIeqnkP.exe
    :Reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "IEEhbDnrDIeqnkP.exe"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{cca2e567-1987-4100-a3c6-5b4267084510}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{cca2e567-1987-4100-a3c6-5b4267084510}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar
      ) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the log from TDSSKiller
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
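    The OTM script above removes one Run value, one dropped executable and two SearchScopes keys. As an added example (not part of the thread and not something OTM does), this read-only PowerShell check reports whether each of those items is present, so the state can be compared before and after the fix. The value name, GUID and file path are the ones from the script; the XP-style "Documents and Settings" path is kept as written there, and PowerShell 3.0 or later is assumed.

```powershell
# Added example, not part of the thread or of OTM. Read-only: nothing is
# deleted, it only reports whether each target of the OTM script exists.
$RunKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ValueName   = 'IEEhbDnrDIeqnkP.exe'                          # from the script
$ScopeGuid   = '{cca2e567-1987-4100-a3c6-5b4267084510}'       # from the script
$ScopeKeys   = @(
    "HKLM:\Software\Microsoft\Internet Explorer\SearchScopes\$ScopeGuid",
    "HKCU:\Software\Microsoft\Internet Explorer\SearchScopes\$ScopeGuid"
)
# Path as written in the script (Windows XP layout); adjust for Vista/7.
$DropperPath = 'C:\Documents and Settings\All Users\Application Data\IEEhbDnrDIeqnkP.exe'

function Get-OtmTargetStatus {
    $results = @()

    # The Run value: read the key and look for a property with that name.
    $run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    $hasValue = ($null -ne $run) -and ($null -ne $run.PSObject.Properties[$ValueName])
    $results += [pscustomobject]@{
        Target  = "$RunKey\$ValueName"
        Present = $hasValue
        Detail  = if ($hasValue) { $run.$ValueName } else { $null }
    }

    # The two SearchScopes keys: present or not.
    foreach ($key in $ScopeKeys) {
        $results += [pscustomobject]@{
            Target  = $key
            Present = Test-Path -LiteralPath $key
            Detail  = $null
        }
    }

    # The dropped executable on disk.
    $results += [pscustomobject]@{
        Target  = $DropperPath
        Present = Test-Path -LiteralPath $DropperPath
        Detail  = $null
    }

    $results
}

Get-OtmTargetStatus | Format-Table -AutoSize
```

    Run it before OTM to confirm the script targets what the logs showed, and again after the reboot: every row should read Present = False. A Run value that reappears after removal is the sign the thread later runs into, where the underlying rootkit is still restoring its persistence.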
     
  6. ftlaudmom

    ftlaudmom Private E-2

    Unfortunately after I sent my last message everything returned to the way it was with all my files missing again and I had to do the entire process all over again. I got back to the point where I was when I last posted but the Kaspersky thing won't run. I renamed it as instructed and I get an error that it can't run in safe mode. That is the only mode I can get into as it just keeps rebooting over and over if I try to boot up normally. As I said I have a month of system restore so maybe I should try to do that. Suggestions?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please skip just the part with TDSSKiller and continue with the rest.
     
  8. ftlaudmom

    ftlaudmom Private E-2

    I did the rest and here are the logs. Avast is still finding the rootkit and thinking it's deleting it but I know it isn't. Kaspersky still doesn't run and occasionally I get a blue screen on reboot and then the second boot goes through ok. Thanks for your help.
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  10. ftlaudmom

    ftlaudmom Private E-2

    I don't have the boot cd and unfortunately the link didn't work for me. When I attempted to run the exe and make the cd I kept getting an error that said it had a failed connection to microsoft. Is there another link that I can try to use to make a boot cd?
     
  11. ftlaudmom

    ftlaudmom Private E-2

    Please disregard the last message - the process is working so I'll proceed with the burn and reply with the results soon.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm still waiting on you. ;)
     
  13. ftlaudmom

    ftlaudmom Private E-2

    Ok I'm back. Sorry for the delay but had a family crisis that took precedence. But I just now followed the instructions and everything booted fine from the windows cd. I'm ready for the next step.

    I have noticed something though that might matter. On the first boot the pc tries to load the wireless device in the tray and then craps out to a blue screen. That is not the normal loading sequence. On second reboot, it loads it last and everything loads fine and then runs ok for a while until I get the notice from Avast that the root kit virus is present.

    Don't know if that is caused by the root kit or not but just thought I'd mention it. Thanks for your patience.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Before we can continue, I need to understand what you are talking about here. When you boot from the ARCDC cd, Windows is not loading and thus there is no loading of any wireless drivers. So are you referring to when you are booting your PC into Windows and not when you are booting from the CD I had you create???
     
  15. ftlaudmom

    ftlaudmom Private E-2

    That's correct. It boots fine from the CD. I'm referring to the normal boot process. When I boot from Windows I notice that the first time around the wireless device loads first in the tray, it halts and then goes to a blue screen. Then I shut it down and boot a second time and then it works ok the second time and the wireless device loads last in the tray. That might be a corrupt driver from the virus but once it boots ok I can get online fine so it doesn't appear to be affecting it too much. And I keep trying to run that Kaspersky kill app but it's still not working.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should not be running/doing anything that I do not ask you to do until the cleaning process and final instructions are completed.

    Now we need to remove an infected partition from your hard disk. You will need to make another special boot CD to do this.

    Please download: gparted-live-0.13.1-2.iso (124 MB)
    Create a bootable CD for GParted. You can use ImgBurn to accomplish this.
    If you need help on how to use ImgBurn, please view this guide by dr.m -- Using ImageBurn to Burn an ISO image

    Now boot off of the newly created GParted CD.
    You should be here...
    Press ENTER
    By default, do not touch keymap is highlighted. Leave this setting alone and just press ENTER.
    Choose your language and press ENTER. English is default [33]
    Once again, at this prompt, press ENTER
    You will now be taken to the main GUI screen below
    According to your logs, the partition that you want to delete is 2.48 MiB (2.48 MB)
    Click the trash can icon to delete and then click Apply.
    You should now be here confirming your actions:
    Now you should be here:
    Is boot next to your OS drive? According to your logs, your OS drive is the 1.36 TB sized partition.
    If boot is not next to your OS drive under Flags, right-mouse click the OS drive while in Gparted and select Manage Flags

    In the menu that pops up, place a checkmark in boot like the picture below:
    Now press the Close button to save these changes.
    Now double-click the Exit icon.
    You should receive a small pop up like this:
    Choose reboot and then press OK.


    Now reboot from the Windows Recovery Console using the ARCDC cd and execute the following commands at the command prompt pressing ENTER after each:
    • fixmbr
    • fixboot
    • exit <<< this will reboot your PC. Remove the CD and boot normal.
    Once back in Windows...
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
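    The GParted step depends on picking the right partition from the logs: a tiny partition to delete (2.48 MiB here) and the large OS partition that must carry the boot flag. As an added example (not part of the thread and not from the MGtools package), this PowerShell snippet lists every partition Windows knows about with its size and boot flags and marks anything below a size threshold, so the picture can be confirmed from inside Windows before booting the GParted CD. Win32_DiskPartition via Get-WmiObject is used because it exists on XP, Vista and 7; the 16 MB threshold is an assumption.

```powershell
# Added example, not part of the thread. Read-only inventory of partitions so
# the "small extra partition" and the boot-flagged OS partition can be checked
# against the logs before any change is made with GParted.
function Get-PartitionOverview {
    param(
        # Assumption: partitions smaller than this are worth a second look.
        # Note that some OEM and Windows 7 "System Reserved" partitions are
        # small and legitimate, so this is a prompt to verify, not a verdict.
        [int64]$SmallThresholdBytes = 16MB
    )
    Get-WmiObject -Class Win32_DiskPartition |
        Sort-Object DiskIndex, Index |
        ForEach-Object {
            [pscustomobject]@{
                Disk          = $_.DiskIndex
                Partition     = $_.Index
                SizeMiB       = [math]::Round($_.Size / 1MB, 2)
                Type          = $_.Type
                Bootable      = $_.Bootable        # partition marked active/bootable
                BootPartition = $_.BootPartition   # partition Windows booted from
                Primary       = $_.PrimaryPartition
                Small         = ($_.Size -lt $SmallThresholdBytes)
            }
        }
}

Get-PartitionOverview | Format-Table -AutoSize
```

    After the GParted and fixmbr/fixboot steps, running it again should show the small partition gone and Bootable set on the OS partition; if the list still contains an unexpected tiny partition, that is the thing to raise before declaring the machine clean.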
     
  17. ftlaudmom

    ftlaudmom Private E-2

    Everything ran just as described and here are the logs. No error on boot and so far no avast report of rootkit.
     


  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your MGlogs.zip file is still always coming out incomplete. Are you shutting down Avast before running it? Are you seeing any errors while running it? We need to get a complete log.

    Also why are you running MGtools.exe when I asked you to run C:\MGtools\GetLogs.bat
     
  19. ftlaudmom

    ftlaudmom Private E-2

    I'm sorry I didn't remember to disable Avast but I did run the correct file so I'm not sure why they were incomplete. I deleted all the previous folders and reloaded the mgtools from scratch and ran the runbat again so hopefully this time it will look better. And I disabled avast this time. Thanks for your help and patience.
     


  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Looks good now.

    Is everything still working okay?
     
  21. ftlaudmom

    ftlaudmom Private E-2

    Yes so far so good. Should I do anything else now?
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
    2. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    7. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
    And save those two CDs you made. Make sure they are labeled properly. You never know when they could prove useful again.
     
  23. ftlaudmom

    ftlaudmom Private E-2

    All done - thanks so much for your help.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
