file-recovery-software infection

Hi,
I got infected yesterday by "File Recovery".
I followed the steps in the "Logs to assist in cleaning malware" topic.
I don't have internet access on the PC.
I downloaded RogueKiller and ran it as described in the 3 steps.
Here are the 3 log files:
RogueKiller V8.0.3 [13/09/2012] by Tigzy
mail: tigzyRKgmailcom
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Armelle [Admin rights]
Mode : Scan – Date : 17/09/2012 12:41:09

¤¤¤ Bad processes : 1 ¤¤¤
[SVCHOST] svchost.exe – C:\Windows\SysWOW64\svchost.exe → KILLED [TermProc]

¤¤¤ Registry Entries : 9 ¤¤¤
[RUN][SUSP PATH] HKCU[…]\Run : noikOKLwrXrkl.exe (C:\ProgramData\noikOKLwrXrkl.exe) → FOUND
[RUN][SUSP PATH] HKCU[…]\Run : enapcvuh (“C:\Users\Armelle\AppData\Local\osppuhxr.exe”) → FOUND
[RUN][SUSP PATH] HKCU[…]\Run : pK7JbaG9geJhO5 (C:\ProgramData\pK7JbaG9geJhO5.exe) → FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1539493207-1264017170-1549233232-1002[…]\Run : noikOKLwrXrkl.exe (C:\ProgramData\noikOKLwrXrkl.exe) → FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1539493207-1264017170-1549233232-1002[…]\Run : enapcvuh (“C:\Users\Armelle\AppData\Local\osppuhxr.exe”) → FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1539493207-1264017170-1549233232-1002[…]\Run : pK7JbaG9geJhO5 (C:\ProgramData\pK7JbaG9geJhO5.exe) → FOUND
[HJPOL] HKCU[…]\System : DisableTaskMgr (0) → FOUND
[HJ DESK] HKLM[…]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) → FOUND
[HJ DESK] HKLM[…]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
→ C:\Windows\system32\drivers\etc\hosts

127.0.0.1 activate.adobe.com

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST750LX003-1AC154 +++++
— User —
[MBR] 00f8a596e6ebedecb892419cc8d5372b
[BSP] ddfbabad535980246a7a5b1cda6bc1de : MaxSS MBR Code!
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 692706 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1419071488 | Size: 22395 Mo
3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 1464936448 | Size: 102 Mo
User = LL1 … OK!
User = LL2 … OK!

+++++ PhysicalDrive1: SDHC Card +++++
— User —
[MBR] 8a4a3f84a9eda68451f8bdccda84c484
[BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 8192 | Size: 7576 Mo
User = LL1 … OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt

Report 2
RogueKiller V8.0.3 [13/09/2012] by Tigzy
mail: tigzyRKgmailcom
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Armelle [Admin rights]
Mode : Remove – Date : 17/09/2012 12:42:17

¤¤¤ Bad processes : 1 ¤¤¤
[SVCHOST] svchost.exe – C:\Windows\SysWOW64\svchost.exe → KILLED [TermProc]

¤¤¤ Registry Entries : 6 ¤¤¤
[RUN][SUSP PATH] HKCU[…]\Run : noikOKLwrXrkl.exe (C:\ProgramData\noikOKLwrXrkl.exe) → DELETED
[RUN][SUSP PATH] HKCU[…]\Run : enapcvuh (“C:\Users\Armelle\AppData\Local\osppuhxr.exe”) → DELETED
[RUN][SUSP PATH] HKCU[…]\Run : pK7JbaG9geJhO5 (C:\ProgramData\pK7JbaG9geJhO5.exe) → DELETED
[HJPOL] HKCU[…]\System : DisableTaskMgr (0) → DELETED
[HJ DESK] HKLM[…]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) → REPLACED (0)
[HJ DESK] HKLM[…]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
→ C:\Windows\system32\drivers\etc\hosts

127.0.0.1 activate.adobe.com

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST750LX003-1AC154 +++++
— User —
[MBR] 00f8a596e6ebedecb892419cc8d5372b
[BSP] ddfbabad535980246a7a5b1cda6bc1de : MaxSS MBR Code!
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 692706 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1419071488 | Size: 22395 Mo
3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 1464936448 | Size: 102 Mo
User = LL1 … OK!
User = LL2 … OK!

+++++ PhysicalDrive1: SDHC Card +++++
— User —
[MBR] 8a4a3f84a9eda68451f8bdccda84c484
[BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 8192 | Size: 7576 Mo
User = LL1 … OK!
Error reading LL2 MBR!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

Report 3

RogueKiller V8.0.3 [13/09/2012] by Tigzy
mail: tigzyRKgmailcom
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Armelle [Admin rights]
Mode : Shortcuts HJfix – Date : 17/09/2012 12:44:08

¤¤¤ Bad processes : 1 ¤¤¤
[SVCHOST] svchost.exe – C:\Windows\SysWOW64\svchost.exe → KILLED [TermProc]

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 59318 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 122 / Fail 0
My documents: Success 0 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 10576 / Fail 0
Backup: [FOUND] Success 0 / Fail 0 / Exists 0

Drives:
[C:] \Device\HarddiskVolume2 – 0x3 → Restored
[D:] \Device\HarddiskVolume3 – 0x3 → Restored
[E:] \Device\CdRom0 – 0x5 → Skipped
[F:] \Device\HarddiskVolume5 – 0x2 → Restored

¤¤¤ Infection : ¤¤¤

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

After that my icons are back on the desktop and I have access to the programs. But I still don't have access to the Internet. I tried the program FSS.exe but I get the following error: AutoIt error line 3034 (file c:\users…FSS.exe) Error: The requested action with this object has failed.

What should I do now?
Thanks
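Reading the three reports above the way a responder would, here is a triage script added by the editor (it is not RogueKiller's code and not something the poster ran). It parses the report layout shown above into the indicators worth keeping: the killed process, every registry hit with its binary path, the hosts-file entries classified as blocked or redirected names, and the boot-sector code hash per drive. It then folds the HKCU and HKUS\<SID> duplicates (RogueKiller lists the logged-on user's hive twice, which is why report 1 counts 9 registry entries while report 2 deletes 6) and flags Run-key binaries that sit directly in ProgramData or a user's AppData folder, the drop locations the reports themselves show. SAMPLE_REPORT is constructed from the lines of RKreport[1]; the hive folding and the path heuristic are assumptions of this example, not RogueKiller's rules.

```python
"""Triage a RogueKiller scan report into the indicators worth keeping.
Added example for this thread: not RogueKiller's code and not something the posters
ran. SAMPLE_REPORT is constructed from the RKreport[1] lines above; the HKCU/HKUS
folding and the user-writable-path heuristic are editor choices, not RogueKiller rules."""
import re

SAMPLE_REPORT = """\
¤¤¤ Bad processes : 1 ¤¤¤
[SVCHOST] svchost.exe – C:\\Windows\\SysWOW64\\svchost.exe → KILLED [TermProc]

¤¤¤ Registry Entries : 9 ¤¤¤
[RUN][SUSP PATH] HKCU[…]\\Run : noikOKLwrXrkl.exe (C:\\ProgramData\\noikOKLwrXrkl.exe) → FOUND
[RUN][SUSP PATH] HKCU[…]\\Run : enapcvuh (“C:\\Users\\Armelle\\AppData\\Local\\osppuhxr.exe”) → FOUND
[RUN][SUSP PATH] HKCU[…]\\Run : pK7JbaG9geJhO5 (C:\\ProgramData\\pK7JbaG9geJhO5.exe) → FOUND
[RUN][SUSP PATH] HKUS\\S-1-5-21-1539493207-1264017170-1549233232-1002[…]\\Run : noikOKLwrXrkl.exe (C:\\ProgramData\\noikOKLwrXrkl.exe) → FOUND
[RUN][SUSP PATH] HKUS\\S-1-5-21-1539493207-1264017170-1549233232-1002[…]\\Run : enapcvuh (“C:\\Users\\Armelle\\AppData\\Local\\osppuhxr.exe”) → FOUND
[RUN][SUSP PATH] HKUS\\S-1-5-21-1539493207-1264017170-1549233232-1002[…]\\Run : pK7JbaG9geJhO5 (C:\\ProgramData\\pK7JbaG9geJhO5.exe) → FOUND
[HJPOL] HKCU[…]\\System : DisableTaskMgr (0) → FOUND
[HJ DESK] HKLM[…]\\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) → FOUND
[HJ DESK] HKLM[…]\\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → FOUND

¤¤¤ HOSTS File: ¤¤¤
→ C:\\Windows\\system32\\drivers\\etc\\hosts
127.0.0.1 activate.adobe.com

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: ST750LX003-1AC154 +++++
[BSP] ddfbabad535980246a7a5b1cda6bc1de : MaxSS MBR Code!
+++++ PhysicalDrive1: SDHC Card +++++
[BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
"""

ARROW = r"(?:→|->)"
SECTION_RE = re.compile(r"^¤¤¤\s*(?P<name>[^:¤]+).*¤¤¤\s*$")
PROC_RE = re.compile(r"^\[(?P<tag>[^\]]+)\]\s+(?P<image>\S+)\s+[–-]\s+(?P<path>.+?)\s+" + ARROW + r"\s+(?P<action>.+)$")
REG_RE = re.compile(r"^(?P<tags>(?:\[[^\]]+\])+)\s+(?P<key>\S+)\s*:\s*(?P<name>.+?)\s+\((?P<value>.*)\)\s*" + ARROW + r"\s*(?P<action>.+)$")
HOSTS_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f]*:[0-9A-Fa-f:]+)\s+(?P<host>[^\s#]+)")
DRIVE_RE = re.compile(r"^\++\s*(?P<drive>PhysicalDrive\d+):\s*(?P<model>.+?)\s*\++\s*$")
BSP_RE = re.compile(r"^\[BSP\]\s+(?P<hash>[0-9A-Fa-f]{32})\s*:\s*(?P<desc>.+)$")
# Editor heuristic: an autorun binary dropped straight into ProgramData or a user's
# AppData tree (no vendor subfolder), which is exactly where this rogue installed itself.
USER_WRITABLE_BIN_RE = re.compile(
    r"(?i)^[a-z]:\\(?:programdata|users\\[^\\]+\\appdata\\(?:local|locallow|roaming)(?:\\temp)?)"
    r"\\[^\\]+\.(?:exe|dll|scr|com|bat|cmd)$")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost", "ip6-loopback"}
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def classify_hosts_entry(ip, host):
    """Loopback/null mappings block a name (update, activation and AV servers are the
    usual targets); any other address silently redirects it."""
    if host.lower() in LOCAL_NAMES:
        return (ip, host, "local")
    return (ip, host, "sinkhole" if ip in SINKHOLE_IPS else "redirect")


def parse_report(text):
    t, section, drive = {"processes": [], "registry": [], "hosts": [], "mbr": []}, "", None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m.group("name").strip().lower()
        elif section.startswith("bad processes") and (m := PROC_RE.match(line)):
            t["processes"].append(m.groupdict())
        elif section.startswith("registry") and (m := REG_RE.match(line)):
            e = m.groupdict()
            e["tags"] = re.findall(r"\[([^\]]+)\]", e["tags"])   # e.g. ["RUN", "SUSP PATH"]
            e["value"] = e["value"].strip("\"'“”")                # paths may be quoted
            t["registry"].append(e)
        elif section.startswith("hosts") and (m := HOSTS_RE.match(line)):
            t["hosts"].append(classify_hosts_entry(m.group("ip"), m.group("host")))
        elif section.startswith("mbr"):
            if m := DRIVE_RE.match(line):
                drive = {"drive": m.group("drive"), "model": m.group("model")}
                t["mbr"].append(drive)
            elif drive is not None and (m := BSP_RE.match(line)):
                drive.update(bsp=m.group("hash").lower(), desc=m.group("desc"))
    return t


def _identity(e):
    """HKCU is an alias of the logged-on user's HKUS\\S-1-5-21-* hive and RogueKiller
    lists both, which is why report 1 counts 9 entries and report 2 deletes 6.
    Assumes one interactive user; other SIDs (service accounts) keep their own hive."""
    up = e["key"].upper()
    user_hive = up.startswith("HKCU") or re.match(r"HKUS\\S-1-5-21-", up) is not None
    hive = "HKCU" if user_hive else up.split("[", 1)[0]
    leaf = e["key"].rsplit("]", 1)[-1]                 # subkey after the elided "[…]"
    return (hive, leaf.lower(), e["name"].lower(), e["value"].lower())


def unique_registry(t):
    first = {}
    for e in t["registry"]:
        first.setdefault(_identity(e), e)   # first occurrence wins, order preserved
    return list(first.values())


def suspicious_autorun_paths(t):
    """Run-key binaries in a user-writable top-level folder: hash and keep a copy of
    these before a cleanup deletes them."""
    out = []
    for e in unique_registry(t):
        if "RUN" in e["tags"] and USER_WRITABLE_BIN_RE.match(e["value"]) and e["value"] not in out:
            out.append(e["value"])
    return out
```

Two caveats when applying this to the thread. The three paths that `suspicious_autorun_paths` returns are worth copying and hashing before any fix runs: report 2 deletes only the Run values, and the OTL fix posted later deletes osppuhxr.exe by path, after which the sample is gone. And the `127.0.0.1 activate.adobe.com` line comes out as a sinkhole entry, which is the right classification, but that particular mapping is commonly added by unlicensed Adobe installs rather than by malware, so confirm it with the user before counting it as an indicator of this infection.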

1. Run a boot scan with Avast
2. Run Malwarebytes
That should fix things.

Could you run OTL, as that looks at the same services as FSS?

Download OTL to your Desktop

1. Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

2. Select All Users
3. Under the Custom Scan box paste this in:
netsvcs
BASESERVICES
%SYSTEMDRIVE%*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
qmgr.dll
/md5stop
%systemdrive%$Recycle.Bin|@;true;true;true
CREATERESTOREPOINT

4. Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
5. When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
6. Post both logs.

I did the 2 procedures.
The boot scan found some very old corrupted files, nothing new.
Malwarebytes did not find anything.
But when I rebooted I got a message telling me I have an error on my HDD (301) and inviting me to use the HP HDD test, which I did.
I got the message "Hard Disk SMART check Failed"

Failure ID: GLMAKD-644685-QFPK0J-60DU03
PRODUCT ID: A5F76AV
I did start, however, and ran OTL.
I am attaching the txt files. They are way too big to be pasted (>70K characters and only 10K allowed).

BTW still no internet connection

Forgot the second one.

When you try to connect, what error do you get?

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

1. Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
[2012/09/16 20:40:28 | 000,000,000 | ---D | C] -- C:\Users\Armelle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\File Recovery
[2012/09/16 20:27:06 | 000,076,288 | ---- | C] (CyberPower PC) -- C:\Users\Armelle\AppData\Local\osppuhxr.exe

:Files
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt  /c
ipconfig /release /c
ipconfig /renew /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

2. Then click the Run Fix button at the top.
3. Let the program run unhindered, and reboot the PC when it is done.
4. Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

I will apply it now.
I just had to reboot. Still the same message saying HDD failure… I click on Enter and a chkdsk runs. It got several orphaned sectors repaired.

When I try to connect to the Internet over Wi-Fi, I get the message "no network available". Running the network diagnostics gives: "Troubleshooting could not identify the problem."

Here you are. Still the same message when I want to connect to the Internet,
and also the message saying HDD failure at boot time (301) inviting me to use the HP HDD test.

BTW, when I got the desktop icons back (I mean the first time, after the boot scan) the desktop picture and the gadgets did not come back and still have not. No problem, but I thought this may give you another hint.
Thanks for the help

Extras file from OTL

Back up your data now, as that error code is for an imminent hard disk failure. Is your computer still under warranty?

OK, it is under warranty; it has less than 3 months.
One question: can I make a disk image and copy it back when it is repaired, or will this be dangerous due to the infection by file-recovery-software?
I was just wondering if it is a "real" hardware failure or a message that can be linked to the trojan.
I will back it up anyway and contact the manufacturer.
Thanks for the help

"HDD failure at boot time (301) and invited me to use HP HDD test."
This is from the SMART software in your computer that monitors the hard drive.

You would probably be best to go for a fresh install and just copy back the data/photos/music etc.

"The boot scan found some very old corrupted files, nothing new. Malwarebytes did not find anything."
That is good news.
"I got the message Hard Disk SMART check Failed"
Just disable S.M.A.R.T. checking in the BIOS. It is a known feature that gives a lot of false error messages.
"When I try to connect to the internet, Wi-Fi, I got the message no network available"
What happens if you connect your PC/laptop with a wire? Is that working?