Removal help: pum.hijack.drives pum.hijack.taskmanager trojan.spyeyes etc

Hi all

Got hit by a flyby yesterday evening - dropped the following onto one xp pro box:
Trojan.FakeAlert (9)
PUM.Hijack.DisplayProperties (1)
PUM.Hijack.Drives (1)
PUM.Hijack.TaskManager (2)
Trojan.SpyEyes (4)
Rogue.FakeHDD (1)
Trojan.Dropper (1)

The usual pop-ups alerted me to the problem, so I pulled the network connection and ran Malwarebytes.
Removed the above in 2 passes but was left with a crippled box:

Boots OK into the user account, but many desktop icons are gone, user settings are not visible in Windows Explorer, and the RAID 1 array appears empty, as does the additional HDD.

Running BartPE from CD shows no apparent data loss on any drive, and the user settings are still there on the system drive, so I need guidance on how to set about restoring the non-viewable items.

The system now appears clean, but I will happily run further diagnostics before reconnecting to the network. I have used ComboFix before and have clean internet access to download anything. The other machine on the network at the time of the attack was not affected.

Obviously want to get this resolved so max points for speedy advice

Thanks

Christopher
chrisatwork Asked:
Chris Walsh (Software Developer) Commented:
Have you tried booting into the recovery console to see if you can access disk contents from there?

What are you asking for here? How to re-access your files / get Windows Explorer working correctly again?

Are you trying to get data out before doing a fresh format and reinstall / ghost restore?  (That is what I would recommend)

rpggamergirl Commented:
If you scanned with ComboFix, can you post the log?
Did you update Malwarebytes before the scan?

You can also run RogueKiller in mode 2, then mode 6, to restore desktop icons and remove hidden flags on folders/files.

There's an article on RogueKiller:
http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_4922-Rogue-Killer-What-a-great-name.html
chrisatwork (Author) Commented:
Hi both
BloodBaz: No, I haven't used the recovery console yet; I wanted to make sure the infection was cleared before proceeding.

rpggamergirl: long time since we had any dialogue, nice to hear from you. I didn't run ComboFix yet, so I have no log. I will try RogueKiller; I haven't heard of that before. Will report back on that.

Thanks
Le_Rocca Commented:
Try this:

Boot the computer up, press F8 and go to Windows Safe Mode with network access.

Download hitman pro :

http://www.surfright.nl/nl/downloads/

Then scan your computer; it will remove all the spyware.

Reboot the computer and see if it's off.
rpggamergirl Commented:
Yeah, I was gone for many months... nice to see you, :)

This infection belongs to this rogue family or one of its clones.
If RogueKiller can't remove the hidden flags, just download the "unhide.exe" shown in this tutorial (Windows Diagnostic removal); scroll down the page.
http://www.bleepingcomputer.com/virus-removal/remove-windows-diagnostic


Unhide.exe
http://download.bleepingcomputer.com/grinler/unhide.exe
chrisatwork (Author) Commented:
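For anyone reconstructing what the "remove hidden flags" step actually does: this rogue family makes files and folders look deleted by setting the Hidden attribute on them, and tools like RogueKiller mode 6 and unhide.exe simply clear that bit again. The script below is an added example, written for this page and not code from any poster, RogueKiller or BleepingComputer; it audits a directory tree for items that carry Hidden without System (the Hidden+System pair is what legitimate files such as desktop.ini and thumbs.db use, so those are left alone), writes the list to a CSV for review, and only clears the bit when run with -Fix. The path, the log file location and the small list of profile folders that are legitimately hidden are assumptions for illustration; it assumes PowerShell 2.0 or later on the affected machine.

```powershell
# Added example (not RogueKiller/unhide.exe code): audit and optionally clear the
# Hidden attribute that rogue "FakeHDD"-style malware sets on a user's files.
# Assumes PowerShell 2.0+; run from an elevated prompt if the tree needs it.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path,                                  # e.g. "C:\Documents and Settings\chris" (assumed)
    [switch]$Fix,                                   # without -Fix the script only reports
    [string]$LogFile = "$env:TEMP\hidden-audit.csv" # assumed log location
)

$hidden = [System.IO.FileAttributes]::Hidden
$system = [System.IO.FileAttributes]::System

# Profile folders that are hidden by design on XP; skipping them keeps the
# report focused on what the malware touched. Assumed starting list, extend as needed.
$legitHiddenNames = @('Application Data', 'Local Settings', 'NetHood', 'PrintHood',
                      'SendTo', 'Templates', 'Recent')

# -Force makes Get-ChildItem return hidden/system items; locked files are skipped.
$items = Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        (($_.Attributes -band $hidden) -ne 0) -and   # Hidden is set ...
        (($_.Attributes -band $system) -eq 0) -and   # ... but System is not
        -not ($_.PSIsContainer -and ($legitHiddenNames -contains $_.Name))
    }

# Build a reviewable record: LastWriteTime helps confirm the timing matches the attack.
$report = foreach ($item in $items) {
    New-Object PSObject -Property @{
        FullName      = $item.FullName
        IsDirectory   = $item.PSIsContainer
        LastWriteTime = $item.LastWriteTime
        Attributes    = $item.Attributes.ToString()
    }
}

$report | Export-Csv -Path $LogFile -NoTypeInformation
Write-Host ("Found {0} hidden (non-system) item(s); list written to {1}" -f @($report).Count, $LogFile)

if ($Fix) {
    foreach ($item in $items) {
        try {
            # Clear only the Hidden bit; ReadOnly, Archive and the rest stay as they were.
            $item.Attributes = $item.Attributes -band (-bnot $hidden)
        } catch {
            Write-Warning ("Could not change attributes on {0}: {1}" -f $item.FullName, $_.Exception.Message)
        }
    }
    Write-Host "Hidden attribute cleared on the listed items."
} else {
    Write-Host "Review the CSV, then run again with -Fix to clear the Hidden attribute on these items."
}
```

Run it once without -Fix, check the CSV for anything you did hide on purpose, and only then re-run with -Fix. Running it against the root of the RAID array and the extra drive the same way covers the "drives appear empty" symptom in the question, since the malware hides the top-level folders there too; the System-attribute exclusion keeps it away from the volume's own housekeeping files.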
Thanks rpggamergirl, you have once again resolved my problem! RogueKiller restored all but 9 of around 150,000 items, and Unhide got those.

Thanks also to others for responding.

Christopher
rpggamergirl Commented:
You're welcome, glad to know it's resolved.

Thanks for using Experts-Exchange!
Tigzy Commented:
Hello

Do you still have the Roguekiller reports?
chrisatwork (Author) Commented:
Tigzy

Yes I have the quarantine report for the event, do you want to see it?
Tigzy Commented:
Not the quarantine report, but the report called something like RKReport[number].txt