
My documents folder content removed, harddisk problem etc. Headache virus..

Discussion in 'Virus & Other Malware Removal' started by kjeffiE, Dec 25, 2010.

Thread Status:
Not open for further replies.
  1. kjeffiE

    kjeffiE Thread Starter

    Joined:
    Mar 13, 2010
    Messages:
    12
    Hello. Approx two hours ago I was watching some google pictures. After clicking one of them, I noticed the Java-program/script or something ran for two seconds. I thought it was harmless. A few minutes later I was going to find something in my documents folder, where I noticed every file was gone from the folder. The files were shown on Windows/Start->All programs-> and I could see the files where you can usually start programs. There were also some scanner icons to the left, not normal ones. It was definitely new icons, that look like all other virus icons. Also I couldn't open programs as far as I can remember, but somehow I managed to open taskmanager, but not the original but processexplorer or something (I've had a virus before, where I was told to download that program from this site). I exited those processes that I knew were the suspicious ones. After a while, trying to check up on internet, my computer shut down itself. I ran it in safemode afterwards, running Malwarebytes program, can't remember full name but I got it from here. There were zero infections. Afterwards I could actually use ad-aware, I ran a scan, deleted two infections and went to safemode again. I tried hijackthis at first, but I was told "administrator has set the system settings that prevent this installation" or something like that. I'm Norwegian so sorry for the bad translation. I got it to work by saving it to the desktop. Here is the log, I still haven't shut down the computer after running hijackthis.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 23:09:17, on 25.12.2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Programfiler\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programfiler\LogMeIn Hamachi\hamachi-2.exe
    C:\Programfiler\LogMeIn Hamachi\hamachi-2-ui.exe
    C:\Programfiler\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Documents and Settings\Administrator.FINTLANDKJEFFIE.000\Mine dokumenter\Nedlastinger\MsnVirRem.exe
    C:\Programfiler\Mozilla Firefox\firefox.exe
    C:\Programfiler\Mozilla Firefox\plugin-container.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Documents and Settings\Administrator.FINTLANDKJEFFIE.000\Mine dokumenter\Nedlastinger\HijackThis.exe
    C:\WINDOWS\system32\verclsid.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: SuggestMeYesBHO - {0FB6A909-6086-458F-BD92-1F8EE10042A0} - C:\Programfiler\AutocompletePro\AutocompletePro.dll
    O2 - BHO: flvdome - {16f470fc-a592-d883-a907-dfd024412ee1} - C:\WINDOWS\system32\x0xmnyet524LL.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Programfiler\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programfiler\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [nod32kui] "C:\Programfiler\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [DeathAdder] C:\Programfiler\Razer\DeathAdder\razerhid.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Programfiler\Logitech\Logitech WebCam Software\LWS.exe" /hide
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Programfiler\Fellesfiler\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [UpdateReminder] C:\Programfiler\Eset\UpdateReminder.exe
    O4 - HKLM\..\Run: [LogMeIn Hamachi Ui] "C:\Programfiler\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE
    O4 - HKCU\..\RunOnce: [NeroHomeFirstStart] C:\Programfiler\Fellesfiler\Ahead\Lib\NMFirstStart.exe
    O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
    O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Programfiler\Bonjour\mDNSResponder.exe
    O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Programfiler\LogMeIn Hamachi\hamachi-2.exe
    O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programfiler\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Programfiler\Fellesfiler\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Programfiler\McAfee Security Scan\2.0.181\McCHSvc.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Programfiler\Fellesfiler\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programfiler\Eset\nod32krn.exe
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Programfiler\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

    --
    End of file - 5706 bytes





    Not the perfect Christmas day I wanted..
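
A HijackThis log like the one in the post above is line-oriented (`section code - fields separated by " - "`), so a first triage pass can be scripted. The sketch below is an added example, not part of the original post or of HijackThis; the function names and the three review heuristics are assumptions chosen for illustration, and a flag is a prompt to look the file up, not a verdict.

```python
import re

# Lines excerpted from the HijackThis log in the post above.
SAMPLE_LOG = r"""
O2 - BHO: flvdome - {16f470fc-a592-d883-a907-dfd024412ee1} - C:\WINDOWS\system32\x0xmnyet524LL.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O23 - Service: NMIndexingService - Unknown owner - C:\Programfiler\Fellesfiler\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programfiler\Eset\nod32krn.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

ENTRY = re.compile(r"^\s*([ORF]\d+) - (.+?)\s*$")
SYSTEM32_DLL = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.dll$", re.I)


def parse_entries(log_text):
    """Yield (section, fields) per entry; fields are split from the right on ' - '."""
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            yield m.group(1), m.group(2).rsplit(" - ", 2)


def triage(log_text):
    """Return [(section, name, reasons)] for entries matching a review heuristic."""
    findings = []
    for section, fields in parse_entries(log_text):
        reasons = []
        target = fields[-1]
        # Heuristics below are illustrative assumptions, not HijackThis verdicts.
        if target.endswith("(file missing)"):
            reasons.append("target file missing")
            target = target[: -len("(file missing)")].rstrip()
        if section == "O2" and SYSTEM32_DLL.match(target):
            reasons.append("BHO DLL loaded from system32")
        if section == "O23" and len(fields) == 3 and fields[1] == "Unknown owner":
            reasons.append("owner reported as unknown")
        if reasons:
            name = fields[0].split(": ", 1)[-1]
            findings.append((section, name, reasons))
    return findings


if __name__ == "__main__":
    for section, name, reasons in triage(SAMPLE_LOG):
        print(f"{section:4} {name}: {', '.join(reasons)}")
```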
     
  2. kjeffiE

    kjeffiE Thread Starter

    Joined:
    Mar 13, 2010
    Messages:
    12
    I'm also curious how I will recover the files from my documents as I can now remember they were gone from Start-All programs (plus recycle bin) too?
     
  3. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    55,173
    First Name:
    Derek
    Delete any existing version of ComboFix you have sitting on your desktop
    Please read and follow all these instructions very carefully

    Download ComboFix from Here or Here to your Desktop.
    As you download it rename it to username123.exe


    **Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer**
    --------------------------------------------------------------------
    1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus and anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results" or stop combofix running at all.
    • Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
    • Remember to re-enable the protection again after combofix has finished.
    --------------------------------------------------------------------
    2. Close any open browsers and any other programs you might have running
    Double click on combofix.exe & follow the prompts.
    If you are using Windows XP it might display a pop up saying that "Recovery console is not installed, do you want to install?"
    Please select yes & let it download the files it needs to do this
    When finished, it will produce a report for you.
    Please post the "C:\ComboFix.txt" for further review


    ****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns

    Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

    Please tell us if it has cured the problems or if there are any outstanding issues
     
  4. kjeffiE

    kjeffiE Thread Starter

    Joined:
    Mar 13, 2010
    Messages:
    12
    I fixed the issue by searching, found another similar thread here. I used a program, can't remember the name, to "stop" all spyware/trojans etc, it was a program that scanned for approx 2 minutes, like a CMD window. Then I used antimalware bytes, full scan while asleep. 12 infections, cured it all. Thanks for your help though!
     

Short URL to this thread: https://techguy.org/970596
