Malware read me done documents still hidden

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by tnikki, Jul 28, 2011.

  1. tnikki

    tnikki Private E-2

    I was on the internet and I started to get the fake Microsoft virus download. I did a system restore in order to be able to clean my computer and it made my favorites on IE disappear and also my documents and pictures were hidden. I have done the malware READ ME scans. Also my documents and pictures are back but they are greyed over as if still hidden. I am going to attach the files in hope that if there is something else on my computer that it can be removed as well. Also when I did the MGtools download it did not do anything other than put the folder on my C: drive. The instructions said that it would start by itself but it did not do anything, so to not make things worse I left it as is. Thanks for any help.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please download and save the below tool from Grinler @ bleepingcomputer to your Desktop or anywhere else you can find it (if the Desktop is not showing):

    http://download.bleepingcomputer.com/grinler/unhide.exe

    Now run it, and see if you can find the items that seemed to be missing.

    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.
    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    GetRunKey <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    ShowNew <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.
     
  3. tnikki

    tnikki Private E-2

    Thanks for replying!

    Grinler: This made the folders appear but they are still shaded to show that they might still be hidden. You can click on them and see the pics and hear the music on the music files. But the thumbnails are what are shaded.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools> I tried this and nothing happened.

    GetRunKey Tried this just in case and it said The system cannot find path specified

    Same with ShowNew. I saved the MGtools.exe to the C: drive and then the folder downloaded into the C: drive. Does this need to be somewhere else? All it does is a quick black window that pops up for less than a second, then nothing.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You can restore the defaults for the Start Menu, Accessories and Administrative Tools as follows:



    Now tell me if this folder C:\Users\user_name\AppData\Local\Temp\smtmp exists...

    Download OTL to your desktop.


    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • (Vista and Windows 7 users: right-click OTL and choose Run as Administrator.)
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.


    When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.
     
  5. tnikki

    tnikki Private E-2

    I ran the accrestore and the files are still shaded. I am not too good with the computer, so I looked for the file you mentioned, C:\Users\user_name\AppData\Local\Temp\smtmp, and could not find it with that path. I used search for the name smtmp and nothing came up. I ran the OTL, results are attached. Thanks!
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs indicate you may have Kaspersky installed, as well as AVG. Is this right?

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fz
    C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fzr
    C:\Documents and Settings\All Users\Application Data\P1kAlMiG2Kb7Fz
    C:\Documents and Settings\Owner\Local Settings\Application Data\fbqvkjri7s8e0w8k8uvp2lyp08j
    C:\Documents and Settings\All Users\Application Data\fbqvkjri7s8e0w8k8uvp2lyp08j
    C:\Documents and Settings\Owner\Local Settings\Application Data\kqxjax25212syk721811b172n8n71yg66c
    C:\Documents and Settings\All Users\Application Data\kqxjax25212syk721811b172n8n71yg66c
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now make sure Kaspersky is removed and try to run MGTools again.
    Run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip
    • C:\Combofix.txt

    Make sure you tell me how things are working now!
     
  7. tnikki

    tnikki Private E-2

    I have not yet run the ComboFix, just in case this might change what you want me to do. I wanted to note that I don't have, nor do I know what, the Kaspersky item is that you posted. I did have AVG at one time but it overloaded my processes by running 26 extra ones at a time, so I removed it (by Add/Remove) from my computer. So if you would still like me to do what you posted earlier I will. I won't be able to do the deleting of Kaspersky in order to run the MGtools. Sorry if this has wasted time, I just wanted to make sure of this before beginning.
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That's fine. We can remove the one instance of Kaspersky later. I am most interested in having you do the fix and then see if MGTools will run.
     
  9. tnikki

    tnikki Private E-2

    I did the things you asked on the previous post. The only issue I ran into was on MGtools: after the HijackThis agreement (I answered I agree), it ran for a second and an error message popped up:

    ProcessDll.exe
    This application failed to initialize properly (0xc0000135). Click ok to terminate

    I clicked ok and then the scan finished and pulled up log.

    Added are logs you requested. Thank you for your time.
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Looking better. Now see if you can find this folder:
    C:\Users\owner\AppData\Local\Temp\smtmp

    Now let's use ComboFix once more.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    C:\Documents and Settings\Owner\Templates\fbqvkjri7s8e0w8k8uvp2lyp08j
    C:\Documents and Settings\Owner\Templates\kqxjax25212syk721811b172n8n71yg66c
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    You can try doing the manual restore of files by following the instructions on this site:
    http://www.smartestcomputing.us.com...iles-hiddendeleted-by-windows-recovery-virus/

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  11. tnikki

    tnikki Private E-2

    Yeah! Most of my files are back! I ran the ComboFix, file is below. I ran the unhide.exe again, and after that I can now see my photos and music files, and my IE favorites are back, yea! :)

    I ran the C:\MGtools\GetLogs.bat file again. I received the same error message as last time. Supposed to happen?

    Now for the C:\Users\owner\AppData\Local\Temp\smtmp file:
    I have looked EVERYWHERE for this. I did a Windows search and only came up with something when I looked in hidden files for smtmp. There were logs from Advanced System Care 4. The only other place it said it was in was an MS-DOS Batch File, and that folder is in C:\System Volume Information\Restore, which is still hidden. There were a total of six files named in that folder. Let me know if you need me to do anything else.

    Thanks!
     

    Attached Files:

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If all your files are back, then we are done. Any folders in your start menu that are empty may require you to reinstall the software.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:


     
  13. tnikki

    tnikki Private E-2

    Not ALL of my files and folders are back. A few are still greyed over as if hidden. If those are not able to be brought back all together is there a way to do it one by one? If not then I can just follow the rest of what you have posted last. I thank you so much for your help with everything!
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    See if you can do the manual restore that I gave you the link to a couple of replies back. Let me know how you make out.
     
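    For the files that still show greyed out after unhide.exe and the manual restore, the leftover problem is usually just the Hidden (and sometimes System) attribute still set on individual files or folders. The script below is an added example, not part of this thread and not one of the tools TimW linked; it walks the user data folders named in the thread, lists every item that is still hidden, and only clears the attribute when run with -Apply. The folder list and the names it deliberately leaves hidden (desktop.ini, thumbs.db, ntuser.dat) are assumptions for a Vista/7 profile.

```powershell
# Added example (not from the thread or from unhide.exe): clear Hidden/System attributes
# that a fake "Windows Recovery" scanner set on a user's own files, so the greyed-out
# items show normally again. Without -Apply it only lists what it would change.
param(
    [string]$Root = $env:USERPROFILE,   # assumption: profile of the logged-in user
    [switch]$Apply
)

# Only the user data folders the thread talks about. AppData is skipped on purpose,
# because much of it is legitimately hidden and must stay that way.
$folders = 'Documents', 'Pictures', 'Music', 'Videos', 'Favorites', 'Desktop'

# Files Windows hides itself; leave these alone.
$keepHidden = 'desktop.ini', 'thumbs.db', 'ntuser.dat'

$hidden = [int][IO.FileAttributes]::Hidden
$system = [int][IO.FileAttributes]::System
$mask   = $hidden -bor $system

foreach ($name in $folders) {
    $path = Join-Path $Root $name
    if (-not (Test-Path $path)) { continue }

    # -Force is required, otherwise Get-ChildItem silently skips hidden items.
    Get-ChildItem -Path $path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ([int]$_.Attributes -band $mask) -ne 0 } |
        ForEach-Object {
            if ($keepHidden -contains $_.Name.ToLower()) { return }   # skip this item

            if ($Apply) {
                # Drop only the Hidden and System bits; ReadOnly, Archive, Directory etc. stay.
                $new = [int]$_.Attributes -band (-bnot $mask)
                $_.Attributes = [IO.FileAttributes]$new
                Write-Output ("unhidden:     " + $_.FullName)
            } else {
                Write-Output ("would unhide: " + $_.FullName)
            }
        }
}
```

    Run it once without -Apply from an elevated PowerShell prompt, check that the listed paths are only your own files, then run it again with -Apply; it does not touch the Start Menu shortcuts, which were covered by the earlier accrestore step.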
  15. tnikki

    tnikki Private E-2

    I did the manual restore for files after I posted my last reply to you. It did not change any of the few that are left. For now I will just follow through with the clean up process that you posted and then worry about the few that are still hidden when I am done. Thanks so much for your help TimW with everything I really appreciate it. My computer has been working so much better!
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know, and you are most welcome. Safe surfing. :)
     
