Author Topic: File Recovery Virus Problem  (Read 23151 times)


brmeau

  • Guest
File Recovery Virus Problem
« on: September 02, 2012, 02:33:00 AM »
I have been infected with the File Recovery Virus and it has locked me out of internet explorer as well as taken control of my desktop screen/programs.  I have found a recent article with removal guidelines for this virus but wanted to go through this channel first since I am unfamiliar with the individual who wrote the "removal guide" for this virus.  The following link is what I found...http://pcinfected.com/file-recovery-removal-guide/

I would appreciate any help or suggestions.  Thank you.

true indian

  • Guest
Re: File Recovery Virus Problem
« Reply #1 on: September 02, 2012, 11:55:07 AM »
Follow this guide: http://forum.avast.com/index.php?topic=53253.0

Attach all logs here.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: File Recovery Virus Problem
« Reply #2 on: September 02, 2012, 12:12:17 PM »
Use RogueKiller as the first programme and do not empty any temporary files yet

brmeau

  • Guest
Re: File Recovery Virus Problem
« Reply #3 on: September 02, 2012, 12:40:15 PM »
All of my desktop icons/system tray are missing from the system.  The only folders that appear on the desktop are Recycle Bin and the folder for this "File Recovery" virus.  I have booted up in safe mode with networking but can't figure out how to access internet to be able to download your fixes.  Any way to access internet on this system?

Offline essexboy

Re: File Recovery Virus Problem
« Reply #4 on: September 02, 2012, 12:42:45 PM »
From the blank desktop press the windows key + R
This should open a run Dialogue
Type in Iexplorer.exe
And IE should open

brmeau

  • Guest
Re: File Recovery Virus Problem
« Reply #5 on: September 02, 2012, 12:46:38 PM »
Tried, and it says that Windows can't find iexplorer.exe.

brmeau

  • Guest
Re: File Recovery Virus Problem
« Reply #6 on: September 02, 2012, 02:14:42 PM »
Still could not access iexplorer but was able to access internet by listing program files and choosing AOL to gain internet access.

Proceeding with prior instructions now.

brmeau

  • Guest
Re: File Recovery Virus Problem
« Reply #7 on: September 02, 2012, 03:21:43 PM »
RogueKiller logs attached.

brmeau

  • Guest
Re: File Recovery Virus Problem
« Reply #8 on: September 02, 2012, 03:26:16 PM »
OTL logs attached. MBAM pasted below.   I downloaded aswMBR twice but the file would not run.

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.09.02.03

Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
PL :: HARKINS-PC [administrator]

9/2/2012 8:05:09 AM
mbam-log-2012-09-02 (08-05-09).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 202159
Time elapsed: 8 minute(s), 29 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 28
HKCR\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\funmoods.funmoodsHlpr.1 (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\funmoods.funmoodsHlpr (PUP.Funmoods) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\esrv.funmoodsESrvc.1 (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\esrv.funmoodsESrvc (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\escort.escortIEPane.1 (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\escort.escortIEPane (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\funmoods.dskBnd.1 (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\funmoods.dskBnd (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\funmoodsApp.appCore.1 (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\funmoodsApp.appCore (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\f (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\Typelib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCU\Software\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\funmoods (PUP.Funmoods) -> Quarantined and deleted successfully.

Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Data: Funmoods Toolbar -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Data:  -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 2
C:\Program Files\Funmoods\1.5.23.22 (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\Program Files\Funmoods\1.5.23.22\bh (PUP.Funmoods) -> Quarantined and deleted successfully.

Files Detected: 14
C:\Program Files\Funmoods\1.5.23.22\bh\escort.dll (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\Program Files\Funmoods\1.5.23.22\funmoodssrv.exe (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\Program Files\Funmoods\1.5.23.22\escorTlbr.dll (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\Program Files\Funmoods\1.5.23.22\escortApp.dll (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\Program Files\Funmoods\1.5.23.22\escortEng.dll (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\ProgramData\ACqX9RnkWbItFO.exe (Trojan.Killav) -> Quarantined and deleted successfully.
C:\ProgramData\KbTTesIdWitxJO.exe (Trojan.Killav) -> Quarantined and deleted successfully.
C:\Users\PL\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_bbjciahceamgodcoidkjpchnokgfpphh_0.localstorage (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\Users\PL\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_bbjciahceamgodcoidkjpchnokgfpphh_0.localstorage (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\Users\PL\AppData\Local\funmoods.crx (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\Users\PL\Local Settings\Application Data\funmoods.crx (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\Program Files\Funmoods\1.5.23.22\escortShld.dll (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\Program Files\Funmoods\1.5.23.22\FavIcon.ico (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\Program Files\Funmoods\1.5.23.22\uninstall.exe (PUP.Funmoods) -> Quarantined and deleted successfully.

(end)

Offline essexboy

Re: File Recovery Virus Problem
« Reply #9 on: September 02, 2012, 03:27:46 PM »
OK you should have the desktop and icons back now. While I look at the logs:

RogueKiller is showing a bad partition which we will need to kill next

I need you to download:
gparted-live-0.10.0-3.iso (115.1 MB)

Create a bootable CD, for Gparted from the ISO image.

You can use ImgBurn to do this.

Now boot off of the newly created Gparted CD.

You should be here... Press ENTER

By default, "do not touch keymap" is highlighted.

Leave this setting alone and just press ENTER.

Choose your language and press ENTER. English is default [33]

At the mode prompt enter 0, press ENTER

You will now be taken to the main GUI screen below

According to your logs, the partition that you want to delete is <1 MB

Right click this partition and select delete.

The Partition has gone

Now select Apply

Now you should be here:

Select Apply after double checking that the right partition was deleted

Is "boot" next to your OS drive?
If "boot" is not next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags

In the menu that pops up, place a checkmark in boot like the picture below, then close:

Under File select Quit

You will see this small Popup

Choose reboot and then press OK.
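An added pre-flight check for the procedure above, written for this thread and not part of the original post or of the GParted project. It assumes the text output of `parted -s /dev/sda unit B print` (the constructed sample below is modelled on that format with made-up sizes) and reports whether exactly one partition under 1 MB is there to delete and whether the largest NTFS partition already carries the boot flag that the instructions say to set before quitting.

```python
import re

# Constructed sample of `parted -s /dev/sda unit B print` output (values made up),
# modelled on this thread: a tiny rogue partition plus an NTFS OS partition without 'boot'.
SAMPLE_PARTED_OUTPUT = """\
Model: ATA SAMPLE DISK (scsi)
Disk /dev/sda: 320072933376B
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number  Start     End            Size           Type     File system  Flags
 1      32256B    1048575B       1016320B       primary
 2      1048576B  320071884287B  320070835712B  primary  ntfs
"""

KNOWN_FLAGS = {"boot", "lba", "hidden", "raid", "lvm", "esp", "diag"}
ROW = re.compile(r"^\s*(\d+)\s+(\d+)B\s+(\d+)B\s+(\d+)B\s+(\w+)\s*(.*)$")

def parse_parted(text):
    """Parse the partition rows of parted 'unit B' output into dicts."""
    parts = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        tail = [t.strip(",") for t in m.group(6).split()]   # "ntfs boot, lba" etc.
        flags = {t for t in tail if t in KNOWN_FLAGS}
        fs = next((t for t in tail if t not in KNOWN_FLAGS), None)
        parts.append({"number": int(m.group(1)), "size": int(m.group(4)),
                      "type": m.group(5), "fs": fs, "flags": flags})
    return parts

def preflight(text, tiny_limit=1_048_576):
    """Sanity-check the plan before Apply: one partition under 1 MB, OS partition flagged 'boot'."""
    parts = parse_parted(text)
    tiny = [p["number"] for p in parts if p["size"] < tiny_limit]
    ntfs = [p for p in parts if p["fs"] == "ntfs"]
    os_part = max(ntfs, key=lambda p: p["size"]) if ntfs else None  # assume largest NTFS is the OS
    problems = []
    if len(tiny) != 1:
        problems.append("expected exactly one partition under 1 MB, found %d" % len(tiny))
    if os_part is None:
        problems.append("no NTFS partition found; do not delete anything")
    else:
        if os_part["number"] in tiny:
            problems.append("OS partition is the tiny one; stop")
        if "boot" not in os_part["flags"]:
            problems.append("OS partition %d lacks the boot flag; set it via Manage Flags" % os_part["number"])
    return {"delete": tiny, "os": os_part["number"] if os_part else None, "problems": problems}
```

Run `preflight(open("parted.txt").read())` against saved parted output; an empty `problems` list means the delete target and boot flag match what the instructions expect.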

brmeau

  • Guest
Re: File Recovery Virus Problem
« Reply #10 on: September 02, 2012, 04:36:44 PM »
I have gone through the process booting by cd and got down to exit after managing files....the next box that you choose to reboot does not appear and the computer is locked up at the main vmware player screen.

Not sure what to do?

Offline essexboy

Re: File Recovery Virus Problem
« Reply #11 on: September 02, 2012, 04:52:42 PM »
Could you click exit? If you achieved the close part after managing flags then that part should now be complete


Otherwise reboot the computer

Then in normal windows try aswMBR

brmeau

  • Guest
Re: File Recovery Virus Problem
« Reply #12 on: September 02, 2012, 05:04:33 PM »
I clicked Quit under the Gparted tab just as the diagram showed and then the next box that was supposed to come up for Exit/Reboot never appeared and the system froze at the main window.  I have removed the bootable cd and tried a reboot but getting error message that BOOTMGR is missing and to restart but keeps going back to this point.

Offline essexboy

Re: File Recovery Virus Problem
« Reply #13 on: September 02, 2012, 06:10:52 PM »
OK reboot from Gparted disc

Then follow the steps as before :

From the manage flags portion

brmeau

  • Guest
Re: File Recovery Virus Problem
« Reply #14 on: September 02, 2012, 07:18:41 PM »
I tried again...same as in Reply #12.  The exit/Reboot window is not coming up and the system is frozen at the main gparted screen.