
Virus(?) that creates copies of every Word document


12 replies to this topic

#1 pyleofgracie

Posted 22 July 2013 - 12:23 PM

Three years ago, I was browsing online when suddenly my computer shut down. I took it to the computer guy at my school, and after a few days he gave it back saying the virus was gone but so were all my files. I then asked my tech-savvy roommate to take a look at it, and she discovered that all my files were hidden. She un-hid them all and the problem seemed to be fixed. However, soon after that I started noticing that every time I created and saved a Word document, another one would appear on my desktop with a slightly altered title in which the symbols ~$ replace the first two letters of the original title. The new document would be sort of transparent, which is what my hidden files looked like before they were fixed. As soon as I close my original document, the new one disappears from my desktop. Nothing else appears to be wrong, and when I run Microsoft Security Essentials it says that everything is fine, but these documents continue to appear. I am getting a new computer soon and I would like to transfer my files without transferring the virus if at all possible. Thanks so much. For reference I am using Windows 7 and Microsoft Word 2007 on a Dell laptop.

 

 




#2 GodfatherKing

Posted 24 July 2013 - 07:22 AM

:welcome:

 

Step 1: Install and run MBAM

Step 2: Running TDSSKiller to obtain log

 

Note: Don't cure or delete a threat, but choose skip for all instead.

  • Please download TDSSKiller from here and save it to your Desktop
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters
  • In the Additional options: Check Detect TDLFS file system
  • Click Start Scan and allow the scan process to run
  • Choose Skip for all threats.
  • Click Continue
  • Please post the TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically c:\)

===================================================

 

Step 3: ESET Online Scanner

==================

Note: If your AV is blocking Eset online scanner, please temporarily disable your AV.

 

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours; that is normal.

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and » UNCHECK "Remove found threats" <== Important
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Copy and paste the information in your next reply. (If no malware was found you will not be presented with a log).
  • Click the Back button.
  • Click the Finish button.

===================================================


Edited by GodfatherKing, 24 July 2013 - 07:23 AM.

If you have received help from me and I haven't responded to you for almost >= 3 days, send me a Private Message.  :hello:


#3 pyleofgracie

Posted 26 July 2013 - 02:51 AM

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.07.25.06

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Grace :: NIMBUS2000 [administrator]

7/25/2013 10:13:18 PM
mbam-log-2013-07-25 (22-13-18).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 390571
Time elapsed: 1 hour(s), 30 minute(s), 29 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

===================================================

 

I am not sure how to access the root directory, but the TDSSKiller one said that nothing was found.

===================================================

 

C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe     a variant of Win32/HiddenStart.A application

C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe  a variant of Win32/HiddenStart.A application

C:\Users\Grace\AppData\Roaming\Mozilla\Firefox\Profiles\aleur2yc.default\extensions\{06eb231f-4328-43b0-9392-740f0c2723a1}\chrome.manifest              Win32/TrojanDownloader.Tracur.F trojan

C:\Users\Grace\AppData\Roaming\Mozilla\Firefox\Profiles\aleur2yc.default\extensions\{f54557c9-7b81-4d4e-88b2-ecdf94b9b25c}\chrome.manifest             Win32/TrojanDownloader.Tracur.F trojan

C:\Users\Grace\Downloads\iLividSetup.exe       Win32/Toolbar.SearchSuite application

C:\Users\Grace\Downloads\oi_zipeg-setupexe.exe       a variant of Win32/OpenInstall application

 

Thanks for the help!



#4 GodfatherKing

Posted 26 July 2013 - 04:04 AM

Step 1: You may remove the following files, just by deleting them and cleaning the recycle bin:

 

C:\Users\Grace\Downloads\iLividSetup.exe       Win32/Toolbar.SearchSuite application

C:\Users\Grace\Downloads\oi_zipeg-setupexe.exe       a variant of Win32/OpenInstall application

 

Step 2: Some Firefox extensions look infected, the best you can do is remove the infected extension. If that doesn't work, you'll need to remove the profile:

 

     How to remove profile: https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles#w_removing-a-profile




#5 pyleofgracie

Posted 26 July 2013 - 01:22 PM

I have deleted those files, emptied the recycle bin, and removed the Firefox profile, but the weird documents are still appearing. What else can I try? Thanks.



#6 GodfatherKing

Posted 26 July 2013 - 01:42 PM

Step 1: Upload one of these strange files on the site https://www.virustotal.com

Step 2: Post the link from Virustotal (you will receive this link after uploading the document) website into your next reply.




#7 pyleofgracie

Posted 27 July 2013 - 10:41 PM

https://www.virustotal.com/en/file/cd4fb5beefefbe57d92e7bfa1672f5e8e1c59456f73cf84979ac5c2a93c735c0/analysis/1374982651/

 

I had to first open the normal file (because the weird one disappears as soon as I close the normal one and doesn't show up when trying to upload), then drag and drop the weird one onto the page.



#8 GodfatherKing

Posted 28 July 2013 - 03:55 AM

I think the files you are seeing are the backups that Word makes.




#9 pyleofgracie

Posted 29 July 2013 - 12:06 AM

I checked Word, and the "Always create backup copy" option is not checked. Does that change your opinion at all?



#10 GodfatherKing

Posted 29 July 2013 - 02:23 AM

You'll see this if the option in Explorer is checked: "Not hiding system files or hidden files" <== That's the reason you can view these

~$ replace the first two letters of the original title <== Word does this

 


 

http://www.bleepingcomputer.com/tutorials/show-hidden-files-in-windows-7/




#11 pyleofgracie

Posted 29 July 2013 - 02:51 AM

Right now mine is set to show hidden files. Does that mean the weird files are fine, or no?



#12 GodfatherKing

Posted 29 July 2013 - 02:53 AM

Yes indeed, they are normally hidden, but due to that option you can see them...

Due to a previous infection, someone who tried to fix the infection has set these settings to "show hidden files,..." These settings can make you paranoid...

 

:warrior: Safe surfing again. 


Edited by GodfatherKing, 29 July 2013 - 02:56 AM.



#13 pyleofgracie

Posted 29 July 2013 - 09:52 PM

Wonderful! Thanks for all your help.
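
The conclusion reached in this thread, as an added example that is not code from any poster: a triage check that separates the hidden `~$` companion (owner) files Word keeps beside an open document from `~$` names that deserve a closer look. The extension list, the verdict strings, the function names and the rule that `~$` replaces the first 0, 1 or 2 characters are assumptions of this example; the thread itself only describes the two-character case.

```python
import os
import stat

WORD_EXTS = {".doc", ".docx", ".docm", ".dot", ".dotx", ".dotm", ".rtf"}

def ext(name):
    return os.path.splitext(name)[1].lower()

def triage(entries):
    """entries: (filename, is_hidden) pairs for ONE folder -> {name: verdict}."""
    entries = list(entries)
    # Assumption: an owner file is '~$' + the document name with its first
    # 0, 1 or 2 characters dropped (the thread describes the 2-character case).
    expected = {}
    for name, _ in entries:
        if not name.startswith("~$") and ext(name) in WORD_EXTS:
            for n in range(3):
                expected[("~$" + name[n:]).lower()] = name
    verdicts = {}
    for name, hidden in entries:
        if not name.startswith("~$"):
            continue
        doc = expected.get(name.lower())
        if ext(name) not in WORD_EXTS:
            verdicts[name] = "review: not a Word document extension"
        elif doc is None:
            verdicts[name] = "review: no matching document in this folder"
        elif not hidden:
            verdicts[name] = "review: matches a document but is not hidden"
        else:
            verdicts[name] = "expected: owner file for " + doc
    return verdicts

def scan_folder(path):
    """Real-folder input for triage(); the hidden flag needs Windows."""
    pairs = []
    for e in os.scandir(path):
        # st_file_attributes only exists on Windows; elsewhere this yields 0.
        attrs = getattr(e.stat(), "st_file_attributes", 0)
        pairs.append((e.name, bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)))
    return pairs

# Constructed sample listing (not taken from the thread).
SAMPLE = [
    ("Essay draft.docx", False), ("~$say draft.docx", True),
    ("Notes.docx", False), ("~$Notes.docx", True),
    ("Resume2013.doc", False), ("~$sume2013.doc", False),
    ("~$d report.docx", True), ("~$voice.docx.exe", True),
]
```

On Windows, `triage(scan_folder(r"C:\Users\<name>\Desktop"))` applies the same check to a live folder; an "expected" verdict only means the name and attribute fit the pattern, so a scanner result still decides whether a file is clean.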





