System restore help (Malware)

Discussion in 'Tech Talk' started by Brownmccoy, Apr 8, 2011.

  1. Brownmccoy
    Veteran

    Joined:
    Jun 22, 2008
    Messages:
    3,149
    Likes Received:
    25
    Location:
    Halifax, NS, Canada
    Hey guys. Right in the middle of the most hectic part of the year for me, I got some form of malware, which made every one of my startup icons become .EXE files, including the ones in program files. This is a problem, because when I try to launch system restore, it asks what file to open it with. I don't remember what it was called, or how the hell it got on my computer (I haven't downloaded or done anything different on my laptop in months), but I know there are at least 2 different files that have come up on AVG.

    Pretty much, is there any way to use system restore without the item in the start menu? I checked the BIOS and couldn't find anything there. Is the only option a reformat? I'm using Vista 32 (mobile, if that makes any difference).

    Thanks in advance
     
  2. EniGmA1987
    Veteran Staff Member Xenforcer

    Joined:
    Aug 25, 2010
    Messages:
    4,778
    Likes Received:
    34
  3. mebard
    Veteran

    Joined:
    Jun 22, 2008
    Messages:
    1,495
    Likes Received:
    0
    Occupation:
    chef
    Location:
    sherrills ford North carolina
    LOL, first thing: stop DL'ing porn :) That will solve all your problems :) J/K
     
  4. Brownmccoy
    Veteran

    Joined:
    Jun 22, 2008
    Messages:
    3,149
    Likes Received:
    25
    Location:
    Halifax, NS, Canada
    I don't :p

    @Enigma: I was going to use malwarebytes after the system restore. My problem is that if I were to use malwarebytes, all the problems I'm having now will probably still be there (as I don't think it'll restore my startup files), but I'll give it a shot. Thanks for the quick responses

    EDIT: When I try to run the file I get "C:\Users\Alex\Downloads\mbam-setup.exe application not found". This is what I get every time I try to run something (except Firefox, for some reason....)
     
  5. mebard
    Veteran

    Joined:
    Jun 22, 2008
    Messages:
    1,495
    Likes Received:
    0
    Occupation:
    chef
    Location:
    sherrills ford North carolina
    I hate to say it, but it sounds like you are gonna have to reload Windows, bud. Me and Enigma were talking about that also, if you couldn't get anything else to work.
     
  6. Brownmccoy
    Veteran

    Joined:
    Jun 22, 2008
    Messages:
    3,149
    Likes Received:
    25
    Location:
    Halifax, NS, Canada
    Yeah, I went to the help desk at DAL and that's what they told me... I could give my laptop to them to fix, but it costs $4... and it'll take about 2 weeks, because there's another virus going around and there are a lot of arts students who don't know how to do anything on a computer other than internet and 'microsoft office'...
     
  7. mebard
    Veteran

    Joined:
    Jun 22, 2008
    Messages:
    1,495
    Likes Received:
    0
    Occupation:
    chef
    Location:
    sherrills ford North carolina
    That really sucks, bud. I hate having to do things like that; it's a real pain in the butt. Another route you may go, if you don't want to do it yourself, is to take it to something like Best Buy or something along those lines.
     
  8. KnowYourFoe
    Veteran

    Joined:
    Oct 12, 2010
    Messages:
    1,058
    Likes Received:
    0
    Location:
    Toronto, Ontario
    Ouch, I got a pretty bad bit of crap just yesterday, but the system restore fixed it all.
     
  9. Arimil
    Veteran Admin

    Joined:
    Apr 26, 2010
    Messages:
    2,044
    Likes Received:
    1
    Try running it in safe mode; this makes it so that it will only load files that are crucial for Windows functioning (thus not running anything that the malware may have put there). However, if it did indeed modify Windows system files (which is highly unlikely, since any file that is required for the functioning of your computer requires a restart for the changes to take effect; this is why Windows Update restarts your computer), you'll have a huge problem.

    My suggestion to you is to run your computer in safe mode; do this by repeatedly pressing F8 while your computer boots. Then download a program called HijackThis. If the malware you downloaded is decent by any means, it will have injected itself into your web traffic, preventing you from going to websites that would help remove it.

    http://free.antivirus.com/hijackthis/

    Run the program and click "do a system scan and save a logfile". Paste all of the info it gives you here and I'll look it over. If possible, run this while NOT in safe mode. A log from safe mode is still helpful, but it'll make finding the problem much harder. It honestly sounds to me like they screwed over your registry, which is a pain to fix.

    Here's an example log file from my computer.
    Code:
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 3:14:57 AM, on 4/9/2011
    Platform: Windows 7 SP1 (WinNT 6.00.3505)
    MSIE: Internet Explorer v8.00 (8.00.7601.17514)
    Boot mode: Normal
    
    Running processes:
    C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe
    C:\Program Files (x86)\Lexmark 5000 Series\lxdmamon.exe
    C:\Users\Arimil\AppData\Local\Google\Update\1.2.183.39\GoogleCrashHandler.exe
    C:\Program Files (x86)\Pidgin\pidgin.exe
    C:\Users\Arimil\AppData\Roaming\Dropbox\bin\Dropbox.exe
    C:\Program Files (x86)\Common Files\Realtime Soft\RTSHookInterop\x32\RTSHookInterop.exe
    C:\putty.exe
    C:\Program Files (x86)\uTorrent\uTorrent.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    C:\Nexon\Vindictus\en-US\Vindictus.exe
    C:\Nexon\Vindictus\en-US\NMService.exe
    C:\Users\Arimil\Downloads\HijackThis.exe
    
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files (x86)\Free Download Manager\iefdm2.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
    O4 - HKLM\..\Run: [Lexmark 5000 Series] "C:\Program Files (x86)\Lexmark 5000 Series\fm3032.exe" /s
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
    O4 - HKCU\..\Run: [Google Update] "C:\Users\Arimil\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
    O4 - HKCU\..\Run: [NetLimiter] C:\Program Files\NetLimiter 3\NLClientApp.exe /tray
    O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Spark] C:\Program Files (x86)\Spark\Spark.exe
    O4 - HKCU\..\Run: [Pidgin] C:\Program Files (x86)\Pidgin\pidgin.exe
    O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10n_Plugin.exe -update plugin
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O4 - Startup: CurseClientStartup.ccip
    O4 - Startup: Digsby.lnk = C:\Program Files (x86)\Digsby\digsby.exe
    O4 - Startup: Dropbox.lnk = C:\Users\Arimil\AppData\Roaming\Dropbox\bin\Dropbox.exe
    O4 - Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe
    O4 - Startup: Xfire.lnk = C:\Program Files (x86)\Xfire\Xfire.exe
    O4 - Global Startup: myRemote Startup.lnk = ?
    O4 - Global Startup: UltraMon.lnk = ?
    O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
    O15 - ESC Trusted Zone: http://*.update.microsoft.com
    O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
    O16 - DPF: {B9DD5FFF-776D-4E53-93D3-A4463E63AD86} (CN°OAOA¢?OCA・I±×・\) - http://cdn.hangame.com/hangame/messenger/hani/webmsg/HanWebMsg.cab
    O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1010 Class) - http://tetris.hangame.com/common/activex/HanSetup1040.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.3.1.0.cab
    O16 - DPF: {F8160836-0C11-4CA4-AD87-944542C7BCBD} (PubPlugin Class) - http://hancdn.hangame.com/pub/plii/real/PubPlugin.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
    O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    O20 - AppInit_DLLs: C:\PROGRA~2\Google\GOOGLE~1\GO36F4~1.DLL
    O23 - Service: ABBYY FineReader 10 PE Licensing Service (ABBYY.Licensing.FineReader.Professional.10.0) - ABBYY - C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\PE\NetworkLicenseServer.exe
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: lxdmCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\x64\3\\lxdmserv.exe
    O23 - Service: lxdm_device -   - C:\Windows\system32\lxdmcoms.exe
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: NetLimiter 3 Service (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 3\nlsvc.exe
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
    O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - PowerUp Software, LLC - C:\Program Files (x86)\PowerUp Software\Pinnacle Game Profiler\pinnacle_updater.exe
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.11\bin\httpd.exe
    O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.1.36\bin\mysqld.exe
    O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
    
    --
    End of file - 11516 bytes
    
     
    Last edited: Apr 9, 2011
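As an added example (not code from this thread, and not part of HijackThis itself), here is a small Python script that parses a HijackThis log of the kind posted above and pulls out what a reviewer looks at first: the O4 autostart entries, the ones launched from places a legitimate program rarely uses, the O23 services reported as "(file missing)", and the O10/O20 lines. The sample log, the SUSPECT_DIRS and SYSTEM_NAMES heuristics, and the function names are my own assumptions, modelled on the line formats in the log above.

```python
"""Triage a HijackThis log: list autostart entries, flag the ones launched from
unusual places, and set the '(file missing)' services aside for review.
Added example, not from the forum thread; the sample log is constructed."""
import re
from pathlib import PureWindowsPath

# Constructed sample, modelled on the O4/O10/O20/O23 lines in the post above,
# with one deliberately suspicious O4 entry (a fake "svchost.exe" in Temp).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Mozilla Firefox\firefox.exe

F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
O4 - HKCU\..\Run: [updater] C:\Users\someone\AppData\Local\Temp\svchost.exe
O4 - Startup: Dropbox.lnk = C:\Users\someone\AppData\Roaming\Dropbox\bin\Dropbox.exe
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O20 - AppInit_DLLs: C:\PROGRA~2\Google\GOOGLE~1\GO36F4~1.DLL
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
--
End of file - 1234 bytes
"""

# "O4 - <body>", "O23 - <body>", "F2 - <body>" ...
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
# Registry Run keys:  HKLM\..\Run: [Name] "C:\path\prog.exe" args
O4_REG_RE = re.compile(r"^(?P<key>HK\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Startup folders:    Startup: Name.lnk = C:\path\prog.exe
O4_STARTUP_RE = re.compile(r"^(?:Global )?Startup: (?P<name>[^=]+?)(?: = (?P<cmd>.*))?$")

# Heuristics only (assumed, not from HijackThis): places and names that a
# legitimate autostart entry rarely uses.
SUSPECT_DIRS = ("\\temp\\", "\\downloads\\", "\\recycler\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}


def command_path(cmd):
    """Executable part of an autostart command: strip quotes and trailing switches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted command: cut at the first " /" or " -" switch
    return re.split(r" [/-]", cmd, maxsplit=1)[0].strip()


def parse_entries(log_text):
    """Return (section code, body) for every 'Oxx - ...' line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["code"], m["body"]))
    return entries


def is_suspect(path):
    """True for autostarts run from temp/download folders, or that borrow a
    core Windows binary name while living outside the Windows directory."""
    lowered = path.lower()
    if any(d in lowered for d in SUSPECT_DIRS):
        return True
    name = PureWindowsPath(path).name.lower()
    return name in SYSTEM_NAMES and "\\windows\\" not in lowered


def triage(log_text):
    """Summarise the log into the lists a reviewer wants to read first."""
    report = {"autostarts": [], "suspect": [], "missing_services": [], "notes": []}
    for code, body in parse_entries(log_text):
        if code == "O4":
            m = O4_REG_RE.match(body) or O4_STARTUP_RE.match(body)
            if not m:
                continue
            name = m["name"].strip()
            path = command_path(m["cmd"]) if m["cmd"] else ""
            report["autostarts"].append((name, path))
            if path and is_suspect(path):
                report["suspect"].append((name, path))
        elif code == "O23" and body.endswith("(file missing)"):
            report["missing_services"].append(body[len("Service: "):-len(" (file missing)")])
        elif code in ("O10", "O20"):
            # Winsock LSPs and AppInit_DLLs are loaded into other processes: always review
            report["notes"].append(body)
    return report


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"{key}:")
        for item in items:
            print("   ", item)
```

The heuristics are a starting point for reading the log, not a verdict; an entry in `suspect` still has to be checked by hand. One caveat the log above illustrates: the many Windows services listed as "(file missing)" (lsass.exe, spoolsv.exe, vssvc.exe and so on) are not evidence of tampering. A 32-bit HijackThis running on 64-bit Windows is redirected away from the real System32 and therefore reports those built-in binaries as absent, which is why the script only collects them for review rather than flagging them.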
  10. Rubius
    Veteran Xenforcer

    Joined:
    Jun 22, 2008
    Messages:
    5,043
    Likes Received:
    14
    Occupation:
    Software Engineer
    Location:
    YYZ, Ontario
    If safe mode doesn't work, try this. Upon booting up your PC, press:

    Up, Up, Down, Down, Left, Right, Left, Right, A, B, select, start. It should boot into God mode and clean things up, as well as auto-upgrade your graphics card and processor at no cost to you.
     
  11. ViciousDS
    Member

    Joined:
    Mar 13, 2010
    Messages:
    1,440
    Likes Received:
    0
    Malwarebytes in safe mode... should solve everything. It's a beast of a program and has been the only one known to stop certain threats.
     
    Last edited: Apr 11, 2011
  12. Sogetsu
    Veteran

    Joined:
    Jul 27, 2009
    Messages:
    7,511
    Likes Received:
    3
    Occupation:
    Logistics
    Location:
    Atlanta, GA
    I love malwarebytes.
     
  13. Kaybek
    Banned

    Joined:
    Jun 24, 2008
    Messages:
    1,447
    Likes Received:
    7
    Occupation:
    Solutions Architect
    Location:
    Texas
    This fixed my system right up and it's now working better than ever! Thanks!
     
  14. Brownmccoy
    Veteran

    Joined:
    Jun 22, 2008
    Messages:
    3,149
    Likes Received:
    25
    Location:
    Halifax, NS, Canada
    This just made my night lol.

    I'm going to try malwarebytes in safe mode when I next get a chance (in research paper mode now, and can't justify that kind of time to repair it).
     
  15. Terror Nova
    Veteran

    Joined:
    Jul 21, 2008
    Messages:
    890
    Likes Received:
    1