
Help - virus attack has deleted my laptop files!

Comments

  • savinghru
    savinghru Posts: 37 Forumite
    OK, next problem... I thought I had copied all pictures onto the external hard drive from the computer. The files were showing but looked hazy, but when you opened the file the picture was there.... After transferring the pics onto the laptop, the EHD is showing no file in each of the picture folders. What the heck is happening now? Any suggestions please?
  • RussJK
    RussJK Posts: 2,359 Forumite
    edited 3 July 2011 at 6:17PM
    Malwarebytes didn't get anything important there by the looks of it.

    These are my suggestions:
    1. Uninstall Java. You can reinstall it another time if you really need it (general advice)
    2. Run Re-Enabler http://www.tangosoft.co.uk/re-enable v2.html, and pick all the extra settings from the TOOLS menu
    • e.g. unhide Drives.
    • reset folder/file attributes
    • Safemode restore
    • Repair desktop
    • etc
    3. Re-Run Hijackthis, and TICK and FIX the following:
    O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
    O2 - BHO: Online Radio 1.1 Toolbar - {343db173-0e5a-4f2a-b7bb-71a49085d70e} - C:\Program Files (x86)\Online_Radio_1.1\tbOnli.dll
    O3 - Toolbar: Online Radio 1.1 Toolbar - {343db173-0e5a-4f2a-b7bb-71a49085d70e} - C:\Program Files (x86)\Online_Radio_1.1\tbOnli.dll
    O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files (x86)\Spyware Terminator\SpywareTerminatorShield.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    O4 - HKCU\..\Run: [SmartRAM] "C:\Program Files (x86)\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" /m
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')


    4. Run Combofix, after carefully reading all the instructions http://www.bleepingcomputer.com/combofix/how-to-use-combofix, including turning off your antivirus, and select 'yes' to the recovery console, and let it do its job. Post the log that comes up in Notepad. If it doesn't, it'll be on Drive C as 'combofix.txt'. It'll be long, so you can use pastebin.com if you want, or break it up in pieces here.

    5. Run CCleaner. A better option is TFC http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
    6. Eventually you might want to do Windows Update and get Service Pack 1. It's not the main issue right now though.
    7. Post a new HijackThis log please.
  • RussJK
    RussJK Posts: 2,359 Forumite
    savinghru wrote: »
    OK, next problem... I thought I had copied all pictures onto the external hard drive from the computer. The files were showing but looked hazy, but when you opened the file the picture was there.... After transferring the pics onto the laptop, the EHD is showing no file in each of the picture folders. What the heck is happening now? Any suggestions please?

    The files looked 'hazy' as this shows their attributes are set to 'Hidden'.

    You can't see them on the other computer, because it's not set to view hidden files. Once you set it so you can, then select all the files (can select the folder to be quicker), then RIGHT CLICK, then PROPERTIES, then untick the HIDDEN part and press APPLY or OK.
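The manual "untick HIDDEN" step above scales badly once a whole picture library has been hidden, and it is easy to miss a folder. The PowerShell below is an added example (not from this thread or from any poster) that reports every user file or folder under a path with the Hidden attribute set and, only when asked, clears that one attribute while leaving the others alone. The drive letter in the usage lines is a placeholder, and the list of names Windows itself keeps hidden (desktop.ini, Thumbs.db, the recycle bin and System Volume Information folders) is my own exclusion list, not something the thread mentions.

```powershell
# Added example: find user items that something has marked Hidden, and optionally unhide them.
# Names and folders that Windows keeps hidden by design are skipped (my assumption, not from the thread).
$legitimatelyHiddenNames = @('desktop.ini', 'Thumbs.db')
$systemFolderPattern     = '\\(?:\$RECYCLE\.BIN|System Volume Information)(?:\\|$)'

function Get-HiddenItem {
    param([Parameter(Mandatory = $true)][string]$Path)
    # -Force is what makes Get-ChildItem return hidden items at all
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
            ($legitimatelyHiddenNames -notcontains $_.Name) -and
            ($_.FullName -notmatch $systemFolderPattern)
        }
}

function Clear-HiddenAttribute {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [switch]$Apply   # without -Apply this is a dry run that only reports
    )
    $hidden = @(Get-HiddenItem -Path $Path)
    foreach ($item in $hidden) {
        '{0,-28} {1}' -f $item.Attributes, $item.FullName
        if ($Apply) {
            # drop only the Hidden bit; Archive, ReadOnly, Directory etc. are preserved
            $newAttributes = [int]$item.Attributes -band (-bnot [int][IO.FileAttributes]::Hidden)
            $item.Attributes = [IO.FileAttributes]$newAttributes
        }
    }
    $suffix = if ($Apply) { ' - Hidden attribute cleared' } else { ' (dry run; add -Apply to change them)' }
    '{0} hidden item(s){1}' -f $hidden.Count, $suffix
}

# Usage ('E:\Pictures' is a placeholder for the external drive):
# Clear-HiddenAttribute -Path 'E:\Pictures'          # report only
# Clear-HiddenAttribute -Path 'E:\Pictures' -Apply   # actually unhide
```

Run the dry run first and read the list: a legitimate hidden file that is not in the exclusion list will show up there too, and the report tells you which attributes each item carries before anything is changed.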
  • savinghru
    savinghru Posts: 37 Forumite
    Tangosoft is giving me a couple of download options? Which one do I go with? Sorry if stupid Q's!! lol

    re-enable lite v (773kb) requires microsoft.net

    re-enable portable v2 (22.8mb) microsoft.net not required

    Re-enable lite installer v2 (1mb) do I need this one as well as one of the 2 above?

    What's the idea of combofix? It looks quite complicated.

    Hazy folders....yep they were all ticked as hidden. Sorted and saved on EHD now and working on laptop.
  • RussJK
    RussJK Posts: 2,359 Forumite
    edited 3 July 2011 at 5:58PM
    No problem, better you ask than download something random! Especially since malware often sends people in the wrong direction. Version 2 preferably, and it doesn't matter which as long as it works. I'd just grab the portable version myself. Do the TOOLS options first IMO, as the main 'reenable' button wants to restart the computer.

    There's a lot going on with Combofix, but it mostly runs itself. It asks you to turn off your security as sometimes the heuristics on programs will try to interfere with some of the operations. After that, just run and it'll do it all itself other than asking one question.
  • savinghru
    savinghru Posts: 37 Forumite
    OK, cheers, will try that now.......... don't go far!! :)
  • RussJK
    RussJK Posts: 2,359 Forumite
    I forgot to ask, have you tried system restore like I suggested in post 5? It's possible Avast has found everything already.
  • savinghru
    savinghru Posts: 37 Forumite
    Right...... cannot find the items above to be corrected in HijackThis... I'm copying the log I have; however, when I click on the HijackThis icon, I get this warning: for some reason your system denied write access to the Hosts file. If any hijacked domains are in this file Hijack may NOT be able to fix it. It then goes on to say I should edit it myself..... I click OK and here's a copy of the log.....


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 18:30:45, on 03/07/2011
    Platform: Windows 7 (WinNT 6.00.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16800)
    Boot mode: Normal

    Running processes:
    C:\Windows\PixArt\PAC7302\Monitor.exe
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files (x86)\Spyware Terminator\SpywareTerminatorShield.Exe
    C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {343db173-0e5a-4f2a-b7bb-71a49085d70e} - (no file)
    F2 - REG:system.ini: UserInit=userinit.exe,
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (file missing)
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files (x86)\Spyware Terminator\SpywareTerminatorShield.exe"
    O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    O4 - HKLM\..\Run: [avast] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
    O4 - HKCU\..\Run: [SmartRAM] "C:\Program Files (x86)\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" /m
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
    O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files (x86)\Citrix\GoToAssist\570\g2aservice.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files (x86)\Spyware Terminator\sp_rsser.exe
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

    --
    End of file - 6444 bytes
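RussJK's list of entries to tick in HijackThis and the log above are both just text, so the triage can be scripted. The PowerShell below is an added example, not from this thread, from HijackThis or from any poster: it parses the BHO (O2), toolbar (O3), URLSearchHook (R3), Run-key (O4) and service (O23) lines of a HijackThis log and flags the ones a reviewer would look at first. The sample lines are copied from the log in this thread, and the CLSID watchlist holds the two toolbar/BHO CLSIDs RussJK told the poster to fix; the flag names are my own.

```powershell
# Added example: pull autostart-style entries out of a HijackThis log and flag the suspicious ones.
# Sample lines are taken from the log posted in this thread (constructed subset, not a full log).
$sampleLog = @'
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (file missing)
R3 - URLSearchHook: (no name) - {343db173-0e5a-4f2a-b7bb-71a49085d70e} - (no file)
O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
O4 - HKLM\..\Run: [avast] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKCU\..\Run: [SmartRAM] "C:\Program Files (x86)\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" /m
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
'@

# CLSIDs RussJK told the poster to fix (taken from the thread)
$watchlist = @(
    '{30F9B915-B755-4826-820B-08FBA6BD249D}',   # Conduit Engine
    '{343db173-0e5a-4f2a-b7bb-71a49085d70e}'    # Online Radio 1.1 Toolbar
)

function ConvertFrom-HjtLog {
    param([string[]]$Lines, [string[]]$WatchClsid = @())
    foreach ($line in $Lines) {
        if ($line -notmatch '^(?<sec>[A-Z]\d+) - (?<rest>.+)$') { continue }
        $sec  = $Matches.sec
        $rest = $Matches.rest
        $entry = [ordered]@{ Section = $sec; Name = ''; Clsid = ''; Path = ''; Flags = @() }

        if ($sec -eq 'O4' -and $rest -match '^(?<hive>.+?): \[(?<name>[^\]]+)\] (?<cmd>.*)$') {
            $entry.Name = $Matches.name
            $entry.Path = $Matches.cmd
        }
        elseif ((@('O2', 'O3', 'R3') -contains $sec) -and
                $rest -match '^(?:BHO|Toolbar|URLSearchHook): (?<name>.+?) - (?<clsid>\{[0-9A-Fa-f-]+\}) - (?<path>.*)$') {
            $entry.Name  = $Matches.name
            $entry.Clsid = $Matches.clsid
            $entry.Path  = $Matches.path
        }
        elseif ($sec -eq 'O23' -and $rest -match '^Service: (?<name>.+?) - (?<owner>.+?) - (?<path>.*)$') {
            $entry.Name = $Matches.name
            $entry.Path = $Matches.path
            if ($Matches.owner -eq 'Unknown owner') { $entry.Flags += 'unknown-owner' }
        }
        else { continue }   # other section types are not handled here

        if ($entry.Path -match '\((file missing|no file)\)') { $entry.Flags += 'file-missing' }
        if ($entry.Clsid -and ($WatchClsid -contains $entry.Clsid)) { $entry.Flags += 'watchlist' }
        if ($entry.Name -eq '(no name)') { $entry.Flags += 'no-name' }
        # a 32-bit HijackThis on 64-bit Windows looks in SysWOW64, so "file missing" under
        # C:\Windows is usually a tool artefact rather than a sign of tampering
        if (($entry.Flags -contains 'file-missing') -and ($entry.Path -match '^C:\\Windows\\')) {
            $entry.Flags += 'x64-redirection-likely'
        }
        $entry.Flags = $entry.Flags -join ','
        [pscustomobject]$entry
    }
}

# Show only the flagged entries; pass (Get-Content hijackthis.log) instead of the sample for a real log
ConvertFrom-HjtLog -Lines ($sampleLog -split "`r?`n") -WatchClsid $watchlist |
    Where-Object { $_.Flags } |
    Format-Table Section, Name, Flags, Path -AutoSize
```

On the sample, the Java BHO and the MSDTC service come out as file-missing only (the service also as unknown-owner and x64-redirection-likely), the Conduit toolbar as watchlist, and the URLSearchHook as file-missing, watchlist and no-name, which is the orphaned remnant of the toolbar RussJK listed; the avast and SmartRAM lines carry no flags and are filtered out. The "(file missing)" notes on the Windows services in the full log above fit the x64 pattern, which is consistent with RussJK not asking for any of them to be fixed.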
  • savinghru
    savinghru Posts: 37 Forumite
    RussJK wrote: »
    I forgot to ask, have you tried system restore like I suggested in post 5? It's possible Avast has found everything already.

    YES, I went back a week. Avast full scan did not find anything after downloading and scanning with the malware.... Do you think I have perhaps already got rid of everything?

    The Tango v2 programme results:
    unhide drives - none hidden
    reset files and folders - scanned and reset 8 folders and 0 files
    safemode restore - registry values restored to defaults
    repair desktop - no bad desktop registry key found
    repair Expl start up probs - success, key restored
    scan and delete autorun - found 1 file which didn't look to be a virus.

    Jezzz I'm certainly getting around this bloody computer and hubby is not getting near it again!!
  • savinghru
    savinghru Posts: 37 Forumite
    Oh yes, and I've deleted/uninstalled Java and that Radio 1 bar thingy... both don't get used.
This discussion has been closed.