
Nothing is accessible, everything is hidden, MBAM doesn't find anything


7 replies to this topic

#1 raf96

Posted 31 March 2011 - 06:16 AM

well... the subject line says it all, right?
I have never heard about a virus that would behave in such a way.
The drive is still half full, so it didn't erase anything.

When you click START -> All Programs... it's empty.
System Restore says it's inaccessible.
I'm dumbfounded...

I'm trying to fix his system through TeamViewer.

Guys... I need your help... it's my brother, and he will always blame ME for little things like that.

Edited by hamluis, 31 March 2011 - 11:18 AM.
Moved from Vista to Am I Infected.



#2 lkegley9

Posted 31 March 2011 - 10:01 AM

First of all, I would suggest running a virus scan unless you have already done so, to ensure it's clean before you make the changes. Because if that virus is still there, it'll just do it to you again.

I had a laptop that came in to my place of business about a week ago. My solution was to go to Control Panel > Folder Options. And then find 'Show your hidden files and folders' and click it. Then everything should show up. My solution after that was to un-hide everything, which takes about a good 15-20 minutes depending on how many files you have. And then go back through the files and re-hide the Windows system files.

A few to list:
In your profile folder in C:\Users\, make sure Local Settings, NetHood, PrintHood, Application Data, etc, are re-hidden.
Also in the C:\Windows\ folder, all of the $NtUninstall$ folders need to be hidden.
And in C:\, MSOCache I think it is needs to be hidden.

And this was an XP machine, so it might vary a little bit for Vista. I did modify the C:\ profile path for Vista, but not exactly sure which individual folders inside of the profile need to be hidden.

And as a note, ComboFix did NOT solve this hidden issue. I checked my logs.

Also, if that doesn't solve your issue, make sure the security settings on your C:\ aren't causing you to be unable to view it. That is also another possibility.

Edited by lkegley9, 31 March 2011 - 10:03 AM.


#3 raf96

Posted 02 April 2011 - 09:32 AM

Thank you for replying... The unhide option did work. It was some nasty virus, because not only did it hide everything, but it also changed some permissions and turned off System Restore so I couldn't even do that. Thankfully I found a solution in the registry to re-enable System Restore and I'm currently waiting for it to finish. I just hope I won't get a message "your system could not be rolled back..." or something like that, because unhiding all of those files manually is a pain.

Thanks again.
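The manual procedure lkegley9 describes above (unhide everything, then re-hide the Windows system folders) and the System Restore policy check mentioned in the reply can be done in one pass. The script below is an added example, not code from this thread or from any tool named in it: it reports user files that carry the Hidden attribute without the System attribute, skips the folders Windows keeps hidden on purpose, clears the attribute only when run with -Fix, and then checks the Group Policy value that disables System Restore. The -Root default (the current user's profile) and the list of skipped folder names are assumptions.

```powershell
# Added example (not from the thread): find and optionally unhide user files
# that were marked Hidden, leaving known Windows system folders hidden.
# Dry-run by default; pass -Fix to actually change attributes.
param(
    [string]$Root = $env:USERPROFILE,   # assumption: the affected user's profile
    [switch]$Fix
)

# Folder names Windows hides on purpose (the ones lkegley9 lists, plus a few
# assumed Vista/7 equivalents); never clear Hidden under these.
$SystemHidden = @('Local Settings', 'NetHood', 'PrintHood', 'Application Data',
                  'AppData', 'MSOCache', 'Cookies', 'Recent', 'SendTo', 'Templates')

function Test-SystemPath([string]$Path) {
    foreach ($seg in $Path.Split([IO.Path]::DirectorySeparatorChar)) {
        if ($SystemHidden -contains $seg -or $seg -like '$NtUninstall*') { return $true }
    }
    return $false
}

# Files with both Hidden and System set are normally OS-owned (desktop.ini etc.);
# user data hidden by malware typically carries Hidden alone.
$hidden = Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object {
        (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
        (($_.Attributes -band [IO.FileAttributes]::System) -eq 0) -and
        -not (Test-SystemPath $_.FullName)
    }

"{0} hidden user file(s) under {1}" -f $hidden.Count, $Root
$hidden | Select-Object -First 20 FullName, LastWriteTime | Format-Table -AutoSize

if ($Fix) {
    foreach ($f in $hidden) {
        # Clear only the Hidden bit; keep ReadOnly, Archive and the rest as they are.
        $f.Attributes = $f.Attributes -band (-bnot [IO.FileAttributes]::Hidden)
    }
    "Cleared Hidden on {0} file(s)" -f $hidden.Count
}

# System Restore can be switched off by policy: DisableSR = 1 under this key.
$srKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
$sr = Get-ItemProperty -Path $srKey -Name DisableSR -ErrorAction SilentlyContinue
if ($sr -and $sr.DisableSR -eq 1) { "System Restore is disabled by policy: $srKey\DisableSR = 1" }
else { "No DisableSR policy value found; System Restore is not blocked by policy" }
```

Run it once without -Fix to review the list (a large number of recently hidden pictures and documents is the pattern described in this thread) before clearing anything.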

#4 boopme

Posted 02 April 2011 - 09:40 AM

It appears you have an infection similar to this: Remove Windows Recovery
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 raf96

Posted 02 April 2011 - 08:49 PM

Yes, it appears that's what it was, but somehow I got rid of it. What's still there is a search redirect and I can't get rid of that... MBAM doesn't find it... Should I run ComboFix and post a log? I've read the "preparation page".

#6 boopme

Posted 02 April 2011 - 08:54 PM

Hello, see the blue text above this forum about ComboFix. If needed we will go there.

Instead run these and let me know.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.



Next run ATF and SAS. If you cannot access Safe Mode, run in normal mode, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

NOTE: There have been reported problems with FireFox not loading pages properly after running ATF to clean the Firefox cache and download history. The glitch occurs if you have Firefox opened to Bleepingcomputer or other web sites while clearing the Firefox cache with ATF Cleaner. Close FF before running ATF. If ATF was run while the browser was open and OP reports problems, have them use FF itself afterwards to clear the cache.

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
Close all open browsers before using, especially FireFox. <-Important!!!
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

EDIT: please post your MBAM log also, thanks.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.


Please ask any needed questions, post logs and let us know how the PC is running now.

Edited by boopme, 02 April 2011 - 08:56 PM.


#7 raf96

Posted 03 April 2011 - 11:30 AM

So that fixed it... THANK YOU!
Now apparently I know the whole story. My brother doesn't speak English and ventured onto some "suspicious" site (I'm guessing porn :)) and he started getting some error messages... so since he didn't have any antivirus installed he just installed some free scanner that was popping up, "esset" or something like that... anyways... most of his pictures and some other files were still hidden, but I ran unhide.exe and everything is back to normal.

So would you still like to see the log files for study or something?

#8 boopme

Posted 03 April 2011 - 06:20 PM

The logs help me determine if the malware is gone or will require other tools, as some malware drop others. Post them and I'll let you know if we need more.

You do need an AV or you'll be reinfected in an hour. Porn sites are a malware guarantee.
Install one of these Free ones
Avira Antivir

Avast Free

From our list here L@@K