1530 Infected Files - System Restore?

[outbenchthis]

Hi,

I have had success on this forum with a previous problem with a virus after some excellent assistance from Sarahw so I thought I would post here again as this current problem may be related.

My computer was running slow so I decided to do a Malwarebytes Anti-malware scan which found 1530 infected files (deleted and quarantined). I thought this was an exceptionally high number of infected files (I can post the log from the Mbam scan if you'd like).

Below is the log from the Hijackthis log. After my system was cleaned up the first time a month ago from really good advice (sarahw), should I have then performed a System Restore? This was suggested to me at the Malwarebytes Security Forums.

I think the reason the System Restore was suggested was because the MBam log returned the following entry 1530 times with a different .dll

C:\System Volume Information\_restore{025B975B-FBD3-4DE0-899E-8E330F2E4991}

Should I therefore disable and enable System Restore? Is there a risk to the system or my files in doing this as I have never done this before?

Thanks for your assistance,

-----------------Hijackthis log---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:53:54, on 30/09/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\windows\system\hpsysdrv.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\USB Storage RW\shwicon.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Brother\ControlCenter3\brccMCtl.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Panasonic\Panasonic X700 PC Software Suite\connmngmntbox.exe

C:\Program Files\Panasonic\Panasonic X700 PC Software Suite\ectaskscheduler.exe

C:\PROGRA~1\PANASO~1\PANASO~2\Elogerr.exe

C:\Program Files\Intuwave Ltd\Shared\mRouterRunTime\mRouterRuntime.exe

C:\PROGRA~1\PANASO~1\PANASO~2\BROADC~1.EXE

C:\PROGRA~1\PANASO~1\PANASO~2\SCRFS.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\PROGRA~1\Grisoft\AVG7\avgw.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [indexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [brMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN

O4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe

O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O4 - Global Startup: PanasonicX700PCSoftwareSuite Detect.lnk = ?

O4 - Global Startup: PanasonicX700PCSoftwareSuite TS.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--

End of file - 6273 bytes

[sarahw]

I thought I recognised your name

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

I want you to show hidden files. There are instructions HERE to help you do this.

You should have Administrator rights to perform the fixes. Some of the instructions I give may need to be printed or saved for reference during the fix. Some of the fix will be done in Safe Mode so you will be unable to access this thread at that time.

Please dont use any of the tools without specific instructions. Some of them are dangerous (and could leave your computer in worse condition that it is when infected) if used incorrectly.

These instructions should be read first, then followed. If you do not understand something, don't be afraid to ask, or see if I'm on chat.

[sarahw]

Hi,

Launch Malwarebytes' Anti-Malware.

Click the Logs tab.

Double-click log-mm.dd.yyyy [xxxxxx].txt. (the date of the scan)

In your next reply post the Malwarebytes' Anti-Malware log.

[outbenchthis]

Hi Sarahw,

thanks for the reply, I have attached the log from Malwarebytes as an attachment as it is too large to fit in a post.

this is the file name: mbam-log-2008-09-30(19-06-09).txt

thanks

mbam_log_2008_09_30__19_06_09_.txt

[sarahw]

1.

Your System Restore Cache will now be corrupted!

Turning off system Restore will delete all old restore points. Turning it back on will create a new fresh one that is safe to work from in the future.

Right click My Computer and select Properties.

Select the System Restore Tab.

Place a tick next to Turn off System Restore

Click Apply.

Unselect Turn off System Restore.

Click Apply.

2.

Click Start, Programs, Accesories, System Tools, then open Disk Cleanup.

Follow the prompts.

3.

Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform full scan (Full scan is optional. According to the program's creator Quick Scan will do just fine.).

Click Scan.

When the scan is complete, click OK, then Show Results to view the results.

If Malware is found...

Be sure that everything is checked, and click Remove Selected.

When completed, a log will open in Notepad.

Please save it to your desktop.

NOTE: Logs can be retrieved at a later date from the Malwarebytes' Anti-Malware main screen:

Launch Malwarebytes' Anti-Malware.

Click the Logs tab.

Double-click log-mm.dd.yyyy [xxxxxx].txt.

In your next reply post the Malwarebytes' Anti-Malware log.

[outbenchthis]

Hi Sarahw

sorry for the late reply. I have spoken with a friend and he has said that there is a risk of losing files when you do a System Restore. I am concerned that I could lose some or all of my files (.docs as well as emails as I use Microsoft outlook) is there a way i could address this problem?

My friend said that in theory it will only restore system files and not personal files but actually you could risk losing personal files in the process. I have been informed that saving work in My Documents may be a way of protecting against that risk, is this the case? Is there a more effective way of insuring against this risk?

As I am not to familiar with the process I am concerned with the risk of losing files, is there something I could do instead of performing a System Restore that would resolve my problems?

I appreciate your assistance

thanks

[sarahw]

Hi,

You will not loose personal Files when you do a System Restore. If you do, you;d be the first.

BUT

I'm not asking you to restore your computer to an earlier date....

Your System Restore cache is corrupted, so you will not be able to restore it! Malware Hides in there and when its removed it's no longer usable.

You need to turn it off, then back on. This will delete old Restore Points, then create a new one. This new Restore Point will be clean of Malware if you have a techical problem in the future you can restore your system files to the current settings.

Follow the last 3 instructions and post a log when ready.