missing personal items ?

Is your PC infected? Is it running slow? Just can't figure out what's making it sluggish? Here is the place to get some help.

Moderators: liljim, Gecko

Postby ctjonb » Tue Mar 11, 2014 4:21 am

Hello all, I have a weird problem: my computer lost all of its personal files, such as pics, music, everything I ever put on the PC, minus actual programs. Also, any anti-spyware programs like AVG, Malwarebytes, ComboFix cannot run; they either get a runtime error or say they need to be admin, but that user does have admin rights.
However, I do not have that issue with any of the other users.

Here is the ComboFix log from a different user on the laptop, from which I could run ComboFix:

ComboFix 14-03-05.01 - New 03/09/2014 15:35:00.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1271.791 [GMT -4:00]
Running from: c:\documents and settings\New\My Documents\Downloads\ComboFix.exe
AV: AVG AntiVirus Free Edition 2014 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((( Files Created from 2014-02-09 to 2014-03-09 )))))))))))))))))))))))))))))))
.
.
2014-03-09 19:07 . 2014-03-09 19:07 -------- d-----w- c:\documents and settings\New
2014-03-09 18:09 . 2014-03-09 18:09 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2014-03-09 17:02 . 2014-03-09 17:02 -------- d-----w- c:\documents and settings\TEMP
2014-03-08 22:22 . 2014-03-08 22:23 -------- d-----w- c:\program files\CCleaner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-04 00:02 . 2012-10-02 01:05 42784 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2014-02-22 06:12 . 2012-08-23 23:52 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-02-22 06:12 . 2011-08-28 05:03 71048 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-01-20 02:46 . 2012-08-10 08:52 22808 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-09-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-09-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-09-15 118784]
"AVG_UI"="c:\program files\AVG\AVG2014\avgui.exe" [2014-01-22 4962320]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2014-03-04 2539544]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-12-02 18:05 946352 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-12-19 14:39 41208 -c--a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-09-14 00:51 59720 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-08-13 06:05 122939 ----a-w- c:\windows\system32\dla\tfswctrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-04-26 13:04 53248 -c----w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2013-11-02 05:29 152392 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 10:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2013-05-01 08:59 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2011-04-18 12:56 273544 -c--a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2004-01-07 06:01 110592 -c--a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)
"iPod Service"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"vToolbarUpdater13.2.0"=2 (0x2)
"MDM"=2 (0x2)
"Bonjour Service"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AVG\\AVG2014\\avgmfapx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [9/17/2012 6:58 PM 149272]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [8/9/2012 1:56 PM 222520]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [8/10/2012 4:52 AM 27448]
R1 Avgdiskx;AVG Disk Driver;c:\windows\system32\drivers\avgdiskx.sys [8/1/2013 4:06 PM 120600]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [8/13/2012 4:40 PM 210712]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [8/10/2012 4:52 AM 22808]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/12/2012 11:47 AM 176952]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [9/12/2012 11:47 AM 193848]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [10/1/2012 9:05 PM 42784]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2014\avgwdsvc.exe [9/24/2013 2:33 AM 348008]
R2 vToolbarUpdater18.0.0;vToolbarUpdater18.0.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\18.0.0\ToolbarUpdater.exe [3/3/2014 8:02 PM 1759768]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [3/26/2011 5:22 PM 88192]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2014\avgidsagent.exe [1/22/2014 1:19 PM 3788816]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [12/25/2012 6:30 PM 18432]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-03-04 23:44 1150280 ----a-w- c:\program files\Google\Chrome\Application\33.0.1750.146\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-23 06:12]
.
2014-02-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2014-03-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-06 00:23]
.
2014-03-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-06 00:23]
.
2014-03-09 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1482476501-1708537768-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2014-03-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1482476501-1708537768-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.1.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\18.0.0\ViProtocol.dll
FF - ProfilePath - c:\documents and settings\TEMP.DDB16F34965D4B7\Application Data\Mozilla\Firefox\Profiles\mds9jdx5.default\
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll
Toolbar-10 - (no file)
Toolbar-{95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll
HKLM-Run-ROC_ROC_NT - c:\program files\AVG Secure Search\ROC_ROC_NT.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-03-09 15:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_12_0_0_70_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_12_0_0_70_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(580)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2014-03-09 15:43:40
ComboFix-quarantined-files.txt 2014-03-09 19:43
.
Pre-Run: 23,846,887,424 bytes free
Post-Run: 23,800,434,688 bytes free
.
- - End Of File - - 006D38D2F6688A60791E60D5BCB9BCC5
8F558EB6672622401DA993E1E865C861
ctjonb
Geek in Training
Posts: 26
Joined: Tue Sep 14, 2010 3:00 am
Thanks given:0
Thanks received:0
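The ComboFix log above is clean by the usual criteria (every autostart entry points into c:\windows or c:\program files, catchme found no hidden files or processes, the only firewall exception is a disabled WinRM port), but for a "my files vanished and tools say I am not admin" complaint two lines deserve a second look: a profile folder c:\documents and settings\TEMP created on 2014-03-09, and a Firefox profile path under c:\documents and settings\TEMP.DDB16F34965D4B7. Windows XP signs a user into a fresh, empty profile folder named TEMP (with a suffix when TEMP already exists) when it cannot load that user's own profile, and from the user's chair that looks exactly like an empty My Documents. The script below is an added example, not ComboFix output and not anything the poster ran: it parses a constructed subset of the log lines above (plus one constructed Run entry named demo_only, marked in the code, that is not in the posted log) and applies three triage rules: a TEMP-named profile folder, an autostart binary outside c:\windows and c:\program files, and a firewall exception that is actually enabled. The regexes are my reading of the line formats seen on this page, and the trusted-directory list is an assumption.

```python
import re
from dataclasses import dataclass, field

# CONSTRUCTED sample: a subset of the ComboFix lines posted above, plus one
# CONSTRUCTED Run entry ("demo_only") that is NOT in the posted log, included
# only so the "binary outside program directories" rule has something to catch.
SAMPLE_LOG = r"""
2014-03-09 19:07 . 2014-03-09 19:07 -------- d-----w- c:\documents and settings\New
2014-03-09 18:09 . 2014-03-09 18:09 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2014-03-09 17:02 . 2014-03-09 17:02 -------- d-----w- c:\documents and settings\TEMP
2014-03-08 22:22 . 2014-03-08 22:23 -------- d-----w- c:\program files\CCleaner
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"AVG_UI"="c:\program files\AVG\AVG2014\avgui.exe" [2014-01-22 4962320]
"demo_only"="c:\documents and settings\New\Application Data\updater.exe" [2014-03-09 40960]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [9/17/2012 6:58 PM 149272]
R2 vToolbarUpdater18.0.0;vToolbarUpdater18.0.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\18.0.0\ToolbarUpdater.exe [3/3/2014 8:02 PM 1759768]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2014\avgidsagent.exe [1/22/2014 1:19 PM 3788816]
FF - ProfilePath - c:\documents and settings\TEMP.DDB16F34965D4B7\Application Data\Mozilla\Firefox\Profiles\mds9jdx5.default\
"""

# Line formats as they appear in the posted log (ASSUMPTION: derived from this page only).
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} (\S+) (\S+) (.+)$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)" \[')
SERVICE_RE = re.compile(r"^([RS])(\d) ([^;]+);([^;]*);(.+?) \[")
PORT_RE = re.compile(r'^"(\d+:(?:TCP|UDP))"= \d+:(?:TCP|UDP):[^:]*:(Enabled|Disabled):(.*)$')
PROFILE_RE = re.compile(r"^FF - ProfilePath - (.+)$")

PROFILES_ROOT = "c:\\documents and settings\\"          # XP profile root
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")  # ASSUMPTION: where installed software lives


@dataclass
class ComboFixReport:
    created: list = field(default_factory=list)      # (timestamp, attrs, path)
    autostart: list = field(default_factory=list)    # (source, name, path)
    open_ports: list = field(default_factory=list)   # (port, state, description)
    profile_paths: list = field(default_factory=list)


def parse_combofix(text):
    """Pull the sections this triage needs out of a ComboFix log."""
    rep = ComboFixReport()
    for line in text.splitlines():
        line = line.strip()
        if (m := CREATED_RE.match(line)):
            rep.created.append((m.group(1), m.group(3), m.group(4)))
        elif (m := RUN_RE.match(line)):
            rep.autostart.append(("run", m.group(1), m.group(2)))
        elif (m := SERVICE_RE.match(line)):
            rep.autostart.append((f"service:{m.group(1)}{m.group(2)}", m.group(3), m.group(5)))
        elif (m := PORT_RE.match(line)):
            rep.open_ports.append((m.group(1), m.group(2), m.group(3)))
        elif (m := PROFILE_RE.match(line)):
            rep.profile_paths.append(m.group(1))
    return rep


def _is_temp_profile(path):
    """True for a path directly under the profile root whose folder name starts with TEMP."""
    low = path.lower()
    if not low.startswith(PROFILES_ROOT):
        return False
    name = low[len(PROFILES_ROOT):].split("\\", 1)[0]
    return name.startswith("temp")


def triage(rep):
    findings = []
    # Rule 1: a temporary profile. XP creates a folder named TEMP (optionally suffixed)
    # when it cannot load the user's real profile; the user then sees empty folders.
    for ts, attrs, path in rep.created:
        if attrs.startswith("d") and _is_temp_profile(path):
            findings.append(f"temp-profile: {path} created {ts}")
    for p in rep.profile_paths:
        if _is_temp_profile(p):
            findings.append(f"temp-profile: browser profile lives under {p}")
    # Rule 2: something set to start at boot from outside the program directories.
    for source, name, path in rep.autostart:
        if not path.lower().startswith(TRUSTED_DIRS):
            findings.append(f"autostart-outside-program-dirs: {source} {name} -> {path}")
    # Rule 3: a firewall exception that is actually open (Disabled entries are noise).
    for port, state, desc in rep.open_ports:
        if state == "Enabled":
            findings.append(f"open-port: {port} ({desc})")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_combofix(SAMPLE_LOG)):
        print(finding)
```

Against the sample the third rule stays quiet (5985/TCP is marked Disabled), the second fires only on the constructed demo_only line, and the first fires twice on lines that really are in the posted log. That is the thing to take back to the machine: log in as the affected user and look at which folder under Documents and Settings the shell is actually using.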

Re: missing personal items ?

Postby ctjonb » Tue Mar 11, 2014 4:32 am

Here's the rootkit scan:

Rkill 2.6.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 03/10/2014 11:26:03 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* No issues found.

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* Cannot edit the HOSTS file.
* Permissions Fixed. Administrators can now edit the HOSTS file.

* HOSTS file entries found:

127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com

20 out of 15331 HOSTS entries shown.
Please review HOSTS file for further entries.

Program finished at: 03/10/2014 11:30:07 PM
Execution time: 0 hours(s), 4 minute(s), and 4 seconds(s)
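Rkill found nothing to stop and no service or registry tampering, and the HOSTS section is the part of its output that is most often misread: thousands of domains mapped to 127.0.0.1 is the normal shape of an immunization list that anti-spyware tools install to sinkhole ad and tracking domains, not a sign of infection, and Rkill itself says it is showing 20 of 15331 lines. What the file is worth reading for is two hijack patterns: a name that resolves to something other than loopback (a redirect, the phishing and banking-trojan trick), and a security vendor or update domain sinkholed to 127.0.0.1 (how malware keeps cleanup tools from updating). Rkill also reports that it had to fix permissions so administrators could edit the file; that is an ACL matter the content check below does not cover. The script is an added example, not Rkill's code and not anything the poster ran: it classifies a constructed copy of the entries Rkill printed, plus two constructed lines marked in the code that are not in the posted output. The SECURITY_DOMAINS list is a starter list and an assumption.

```python
import ipaddress

# CONSTRUCTED sample: the entries Rkill printed above, with one comment line
# and two CONSTRUCTED entries (marked) that are NOT in the posted output,
# added so each hijack pattern has a line to trigger on.
SAMPLE_HOSTS = """\
# sample HOSTS file (comment line added for the demo)
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 free.avg.com                # CONSTRUCTED: sinkholes an AV vendor site
203.0.113.10 www.example-bank.com     # CONSTRUCTED: redirect to a non-loopback address
"""

# ASSUMPTION: starter list of domains whose sinkholing is a classic malware move,
# because it cuts the machine off from updates and cleanup tools. Suffix matching
# means "avg.com" also covers free.avg.com. Extend for your own environment.
SECURITY_DOMAINS = (
    "windowsupdate.com", "update.microsoft.com", "avg.com", "malwarebytes.org",
    "bleepingcomputer.com", "symantec.com", "mcafee.com", "kaspersky.com",
)


def parse_hosts(text):
    """Return (address, hostname) pairs. Comments and blank lines are dropped;
    one line may list several hostnames for the same address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed line; real tooling should report it
        for host in fields[1:]:
            entries.append((str(addr), host.lower()))
    return entries


def is_sinkhole(addr_text):
    """127.0.0.0/8, ::1, 0.0.0.0 and :: make a name unreachable rather than redirecting it."""
    addr = ipaddress.ip_address(addr_text)
    return addr.is_loopback or addr.is_unspecified


def matches_any(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(entries):
    report = {"localhost": [], "blocklist": [], "blocked_security_site": [], "redirect": []}
    for addr, host in entries:
        if host in ("localhost", "localhost.localdomain") and is_sinkhole(addr):
            report["localhost"].append((addr, host))
        elif not is_sinkhole(addr):
            # A real address: the name is being sent somewhere else, whatever the name is.
            report["redirect"].append((addr, host))
        elif matches_any(host, SECURITY_DOMAINS):
            report["blocked_security_site"].append((addr, host))
        else:
            # Sinkholed ad/tracking/malware domain: what immunization lists consist of.
            report["blocklist"].append((addr, host))
    return report


def hijack_findings(report):
    """The entries worth acting on; a large blocklist count alone is not one."""
    return report["redirect"] + report["blocked_security_site"]


if __name__ == "__main__":
    rep = classify(parse_hosts(SAMPLE_HOSTS))
    print(f"{len(rep['blocklist'])} blocklist entries (typical of immunization lists)")
    for addr, host in hijack_findings(rep):
        print("CHECK:", addr, host)
```

On the real file (c:\windows\system32\drivers\etc\hosts on XP) read the whole thing, not the 20 lines Rkill shows; a single redirect line buried among fifteen thousand sinkhole entries is exactly what this classification is for.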

Re: missing personal items ?

Postby Gecko » Tue Mar 11, 2014 1:37 pm

ctjonb,

I don't see anything bad in either log, but that does not mean that your old user is not compromised.

Have you checked to see if the user files that you say are missing are actually missing?
They should be located at C:\Documents and Settings\(old-user-name)\My Documents

Have you tried a system restore point?
Gecko
Super Moderator
Posts: 5206
Joined: Thu Oct 25, 2001 1:00 am
Location: Florida, USA
Thanks given:1
Thanks received:23

Re: missing personal items ?

Postby ctjonb » Wed Mar 12, 2014 12:53 am

Thanks for the reply.
Yes, I did; the whole folder is empty.
Also, I did try a system restore and nothing changed.

Re: missing personal items ?

Postby Gecko » Wed Mar 12, 2014 3:13 pm

ctjonb,

I'm sorry, but other than checking the recycle bin or an earlier system restore point, it would seem that the files may not be recoverable. :(
You could also check all the other user accounts to see if maybe your files are there.
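Gecko's two suggestions, looking directly in C:\Documents and Settings\(old-user-name)\My Documents and then checking the other accounts, amount to an inventory of every profile folder under the profiles root, and that inventory also settles whether the user is sitting in a temporary profile (Windows XP creates a TEMP-named profile when it cannot load the real one). The script below is an added example and not anything from this thread: inventory_profiles() walks such a root, counts the files under each profile's My Documents and records the newest modification time, and assess() turns that into findings for one user name: whether that user's folder is empty, whether a TEMP-named profile exists, and whether some other profile holds files. The profiles root and user name are parameters; build_demo_tree() lays out a constructed fixture in a temporary directory, not the poster's machine, and on the real machine you would pass the actual root and run as an administrator so the other profiles are readable.

```python
import os
import tempfile
from pathlib import Path

DOC_FOLDER = "My Documents"   # XP layout: <root>\<user>\My Documents


def inventory_profiles(root):
    """Map each profile folder under root to (file_count, newest_mtime) for its
    My Documents tree; profiles without that folder are skipped."""
    result = {}
    for profile in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        docs = profile / DOC_FOLDER
        if not docs.is_dir():
            continue
        count, newest = 0, None
        for dirpath, _dirs, files in os.walk(docs):
            for name in files:
                count += 1
                mtime = (Path(dirpath) / name).stat().st_mtime
                newest = mtime if newest is None else max(newest, mtime)
        result[profile.name] = (count, newest)
    return result


def assess(inventory, user):
    """Findings for one user: empty folder, temporary profile present, and files
    living under some other account (the "check the other users" step)."""
    findings = []
    own = inventory.get(user)
    if own is None:
        findings.append(f"no profile folder named {user!r} with a {DOC_FOLDER} inside")
    elif own[0] == 0:
        findings.append(f"{user}: {DOC_FOLDER} is empty")
    for name, (count, _newest) in inventory.items():
        if name.upper().startswith("TEMP"):
            # ASSUMPTION: TEMP* is the temporary-profile naming Windows XP uses
            findings.append(f"temporary profile present: {name} ({count} files)")
        elif name != user and count > 0:
            findings.append(f"{count} file(s) under other profile {name!r}")
    return findings


def build_demo_tree():
    """CONSTRUCTED fixture in a fresh temp dir (not the poster's machine): the old
    user's folder is empty, another account holds two files, a TEMP profile exists."""
    base = Path(tempfile.mkdtemp(prefix="profiles-"))
    layout = {
        "olduser": [],                                  # the account that "lost" everything
        "New": [("notes.txt",), ("pics", "cat.jpg")],   # another account with files
        "TEMP": [],                                     # temporary profile Windows created
        "Administrator": [],
    }
    for user, files in layout.items():
        docs = base / user / DOC_FOLDER
        docs.mkdir(parents=True)
        for parts in files:
            target = docs.joinpath(*parts)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text("constructed sample content")
    return base


if __name__ == "__main__":
    root = build_demo_tree()
    for line in assess(inventory_profiles(root), "olduser"):
        print(line)
```

If the real inventory shows the old user's folder empty and a TEMP profile present, the files have not necessarily been deleted; a profile that would not load is the first thing to rule out before treating this as data loss.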

Re: missing personal items ?

Postby ctjonb » Thu Mar 13, 2014 9:13 pm

Thank you for the help, I appreciate it.
John
