Restore Files After Virus Attack


34 replies to this topic

#1 Mik3y

Mik3y

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:03:34 AM

Posted 16 November 2012 - 12:38 AM



Initial Problem: Facebook alerted me via facebook.com/checkpoint that I had some type of virus and prompted me to use THEIR spyware removal software "McAfee".

My resolution: I chose to download Malwarebytes. Had trouble starting the program. When I clicked on it nothing happened. When I right-clicked on the program to "Run As Administrator", again nothing happened. After getting frustrated I researched on the net how to run in command prompt and I renamed the executable from "mbam.exe" to "bmab.exe" and was able to run the file. Malwarebytes located the culprit to be 'funmoods'. It asked to do a restart.

Current Problem: Upon restart, I had a number of command prompt windows load up, around 30 or so. While it seemed like Windows had loaded, I went on to try to start Google Chrome and another command prompt opened up. I tried using "ATTRIB -H *.* /S /D". The command ran with access denied. I then tried "ATTRIB -S -H *.* /S /D". Nothing happened. After calling a friend to google this issue, it appears the virus may have hidden my files and folders. I cannot use/start any program without the command prompt popping up. I tried to download unhider.exe via the 'Computer' window and using the url field, and a browser comes up. When I download the file, it saves to some location (I'm guessing downloads folder), then prompts me to RUN the file. When I click RUN, another command prompt window comes up with the following: C:\Users\Mike\Downloads>

How do I get my files back? Thanks in advance for your patience and understanding. I'm sure frustrated :angry: .


*Moderator Edit: Moved topic from Windows 7 to the more appropriate forum. ~ Queen-Evie*

Edited by Queen-Evie, 16 November 2012 - 09:13 AM.




#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:03:34 AM

Posted 16 November 2012 - 08:22 AM

Boot into safe mode with networking

Download TDSSkiller

Launch it. Click on change parameters - Select TDLFS file system

Click on "Scan". Please post the LOG report (log file should be in your C drive)

Do not change the default options on scan results

Download aswMBR

Launch it, allow it to download latest Avast! virus definitions
Click the "Scan" button to start scan. After scan finishes, click on Save log

Post the log results here. If you get crashes in normal mode, run it in safe mode with networking

Download ESET online scanner

Install it

Click on START, it should download the virus definitions
When scan gets completed, click on LIST of found threats

Export the list to desktop, copy the contents of the text file in your reply

#3 Mik3y


Posted 18 November 2012 - 03:29 PM

Thanks narenxp for your quick reply.

I rebooted in safe mode with networking. I downloaded the link and clicked run and a command prompt box popped up. I am unsure how to run TDSSkiller through Command Prompt window. I apologize in advance I am a novice.


Image below:
http://imageshack.us/photo/my-images/441/img20121118151345144.jpg/

#4 narenxp


Posted 18 November 2012 - 03:34 PM

Can you try a different browser to download the file?

#5 Mik3y


Posted 18 November 2012 - 03:58 PM

I can only access the internet by going to Computer (aka My Computer) and typing an address in the field where Computer is at the top, and then a Google Chrome window comes up and navigates to the page. I'm using the screenshots to help you better assist me.

Image below:

http://imageshack.us/photo/my-images/211/img20121118155531529.jpg/

#6 narenxp


Posted 18 November 2012 - 04:03 PM

Now I can understand the exact issue. I guess every application opens a command prompt window.

Copy the file from a clean PC to the infected PC using a flash drive

Download LNK fix

Launch the file and click YES

Restart the PC and let me know if you're still receiving command prompt errors

#7 Mik3y


Posted 18 November 2012 - 04:44 PM

Correct! Every application opens in command prompt window. I used your instructions. I tried it 2 ways .. 1) copying it from a flash drive and launching it from the flash drive and 2) downloading it directly from the link. After both restarts, I'm still receiving the command prompt windows.

See below:

http://imageshack.us/photo/my-images/690/img20121118163404927.jpg/

http://imageshack.us/photo/my-images/820/img20121118163614869.jpg/

Edited by Mik3y, 18 November 2012 - 04:44 PM.


#8 narenxp


Posted 18 November 2012 - 04:47 PM

When command prompt pops up, type this command

assoc .lnk=lnkfile

Press <Enter> key and restart, any change?

#9 Mik3y


Posted 18 November 2012 - 07:01 PM

There was no change after restart.

Image below:

http://imageshack.us/photo/my-images/26/img20121118171633056.jpg/

#10 narenxp


Posted 18 November 2012 - 07:05 PM

Restart the PC

Press F8 on bootup

Select REPAIR YOUR COMPUTER

Click on REPAIR

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Can you get to this screen?

If yes, select system restore and try restoring to previous point

Edited by narenxp, 18 November 2012 - 07:05 PM.


#11 Mik3y


Posted 19 November 2012 - 12:40 AM

I tried the restore point. I received the following error before restarting back to the current point. "0x8000ffff" error message when you try to restore a Windows 7-based computer by using System Restore

#12 narenxp


Posted 19 November 2012 - 08:31 AM

When command prompt pops up run these commands

net user test /add
net localgroup administrators test /add


After command completes, restart the PC. A new account called TEST should be created. Let me know if you can launch applications in test account.

Edited by narenxp, 19 November 2012 - 08:32 AM.


#13 Mik3y


Posted 19 November 2012 - 08:02 PM

Yes, that worked and I can launch applications in test account.

See below:

http://imageshack.us/photo/my-images/837/img20121119195550877.jpg/
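
Applications launch in the new account but not in the original one, which is what a per-user setting would produce, whereas `assoc` edits the machine-wide mapping. As an added example (not part of the thread, and not the advisor's registry fix), this read-only PowerShell check compares the machine-wide `.lnk` association with the per-user overrides. The function names are hypothetical, and it assumes the standard Windows 7 registry locations.

```powershell
# Added example, not from the thread. Read-only: it only reads registry keys.
# Assumption: standard Windows 7 locations for the .lnk file association.

function Get-DefaultValue([string]$Path) {
    # (Default) value of a registry key, or $null when the key does not exist.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    (Get-Item -LiteralPath $Path).GetValue('')
}

function New-Check($Scope, $Item, $Value, $Expected) {
    # PSObject instead of [pscustomobject] so it also runs on PowerShell 2.0.
    New-Object PSObject -Property @{
        Scope = $Scope; Item = $Item; Value = $Value; Ok = ($Value -eq $Expected)
    }
}

function Test-LnkAssociation {
    # Machine-wide mapping: the value that "assoc .lnk=lnkfile" sets.
    New-Check 'Machine' '.lnk class' (Get-DefaultValue 'HKLM:\SOFTWARE\Classes\.lnk') 'lnkfile'

    # The lnkfile class must carry the IsShortcut marker value.
    $lnkfile = 'HKLM:\SOFTWARE\Classes\lnkfile'
    $marker = (Test-Path -LiteralPath $lnkfile) -and
        ((Get-Item -LiteralPath $lnkfile).GetValueNames() -contains 'IsShortcut')
    New-Check 'Machine' 'lnkfile IsShortcut' $marker $true

    # A per-user class entry shadows the machine-wide one; normally absent.
    New-Check 'User' 'HKCU .lnk class' (Get-DefaultValue 'HKCU:\Software\Classes\.lnk') $null

    # UserChoice is written when "Open with" picks a program for this user.
    $choice = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lnk\UserChoice'
    $progId = $null
    if (Test-Path -LiteralPath $choice) {
        $progId = (Get-Item -LiteralPath $choice).GetValue('Progid')
    }
    New-Check 'User' 'UserChoice Progid' $progId $null
}

Test-LnkAssociation | Select-Object Scope, Item, Value, Ok | Format-Table -AutoSize
```

Run it once in the affected account and once in the test account; a row that is Ok in one and not in the other is the per-user difference.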

#14 narenxp


Posted 19 November 2012 - 09:03 PM

Try to launch the registry fix in the new account. If you receive any errors while launching it let me know. Reboot the PC into corrupted account and see if that helps.

#15 Mik3y


Posted 19 November 2012 - 10:19 PM

Are you referring to the LNK link? Which registry fix should I run?



