Unidentified Virus



#1 Brandon_A


Posted 02 May 2011 - 04:18 PM

Hello there. I work at a small cafe and we have one computer used for financial records, time wasting, etc. Within the past week it's been infected with something I can't identify. The only thing I can recall doing the last day it was acting normally was playing a game called QWOP in Firefox. The next day I came in, the desktop and all of the icons on it had been replaced with just a blank blue screen. The Start menu was still visible, but none of the installed programs were showing up, and no files of any kind were accessible.

We have two user accounts on the computer, User A which we have always used, and User B which has been on the computer since we got it (it's refurbished) but never used. User A is the one with the missing desktop. Upon logging in to User B, the desktop was visible and there were a few icons (Recycle Bin, IE, Windows Media Player), and our installed programs were visible. Our files however are still missing. The folders they were in are there, just empty.

I was able to install Malwarebytes and it found something like 10-12 infected files, mostly HKey stuff, and a few Trojans as well. I cleaned it all up and restarted, but the desktop of User A was still missing, as were all of our files in both User accounts. I've gone through the same motions a few times, scanning with MWB and finding infections, then restarting, and no change. And in both user accounts I'm getting random IE windows about unresponsive scripts, even when I haven't opened IE myself.


And that's about all of the relevant info I can think of. Thanks for looking and I'll try to respond quickly to any assistance given.


 


#2 quietman7


Posted 03 May 2011 - 06:18 AM

The symptoms you describe can be indicative of a side effect from the HDD Defrag family of rogues which changes file attributes to "hidden", making them appear invisible so the user thinks all of their files have been deleted.

See this example guide which includes removal instructions and using unhide.exe (Step 17), a tool which will remove the "hidden" attribute on all files. The tool is designed not to remove hidden attribute for system files. When done you will need to restore the hidden attributes to those files manually.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
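
A read-only check for the hidden-attribute symptom described in the post above, added here as an example; it is not part of any poster's reply and is not how unhide.exe itself is implemented. It lists every item under a folder that carries the Hidden attribute and separates those that are also marked System, which the post says the tool is designed to leave alone. The default `$Root` and the class names `HiddenOnly` and `Hidden+System` are assumptions made for the example.

```powershell
# Added example (not from the thread): audit the Hidden attribute under a folder.
# Read-only: it reports attributes and never changes them.
param(
    # Assumption: the current user's profile is the folder of interest.
    [string]$Root = $env:USERPROFILE
)

$HIDDEN = [int][System.IO.FileAttributes]::Hidden   # 0x2
$SYSTEM = [int][System.IO.FileAttributes]::System   # 0x4

# -Force makes Get-ChildItem return hidden and system items as well.
$items = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue

# @( ) keeps $rows an array even when nothing is hidden.
$rows = @(foreach ($item in $items) {
    $attrs = [int]$item.Attributes
    if (($attrs -band $HIDDEN) -eq 0) { continue }   # visible item: skip

    # Hidden+System items are the ones the post says the unhide tool skips.
    if (($attrs -band $SYSTEM) -ne 0) { $class = 'Hidden+System' }
    else                              { $class = 'HiddenOnly' }

    New-Object PSObject -Property @{
        Class      = $class
        Attributes = $item.Attributes
        Path       = $item.FullName
    }
})

# Summary per class first, then the individual paths.
$rows | Group-Object Class | Select-Object Name, Count | Format-Table -AutoSize
$rows | Sort-Object Class, Path | Format-Table Class, Attributes, Path -AutoSize
```

Running it before and after an unhide pass shows whether the count of `HiddenOnly` items actually dropped.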


#3 Brandon_A


Posted 04 May 2011 - 10:26 AM

I've followed that tutorial a few times through, and it doesn't seem to be getting me anywhere. I've used all the versions of the rkill file; some don't run at all, some give me three separate "Installation Failed" messages and do nothing, and the others run, but don't kill anything. I then run MBAM, which finds nothing at all infected. And using unhide seems to work (it tells me I should now be able to see my files) but it doesn't appear to have any effect on any files, as they are all still hidden.

#4 quietman7


Posted 04 May 2011 - 11:33 AM

This issue will require further investigation. Many of the tools we use in this forum are not capable of detecting (repairing/removing) all malware variants so more advanced tools are needed to investigate. Before that can be done you will need to create and post a DDS log for further investigation.

Please read the "Preparation Guide".
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.
When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, please reply back here with a link to the new topic so we can close this one.

Note: If you cannot create any logs, then still start a new topic, explain that you followed the Prep Guide but were unable to create the required logs. It would also be helpful if you include a description of what happened when you tried to create your logs.

#5 Orange Blossom


Posted 04 May 2011 - 10:40 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic395474.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.


An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



