Files Deleted/renamed By Virus



#1 ufichina


Posted 05 June 2006 - 09:08 AM

Sure hope someone can help. In order to try to keep his computer virus free, my husband doesn't have his main home office computer even hooked up to the internet. SOoooo, we didn't have any anti-virus software running on it - BIG mistake! Recently an office associate gave him some files on a USB pen, which apparently contained a virus. He began constantly getting a DOS window, and the batch file it ran was making a list of all the ".doc" files on his C: drive and all subdirectories, then writing their names to another file. I finally got on AVG's website and figured out how to manually download updated virus definitions and install them to his non-internet enabled PC. It found a virus, but only labeled it as "Generic Trojan Horse :NTX". It did get rid of the virus, and we thought the problem was ended. He does keep all his most important files on a different drive, so we didn't notice anything until a few days later when he realized that ALL of his other .doc files on his C: drive were GONE! Poking around the computer, I think I "found" all the files. They are in a strange C:\WINDOWS subdirectory, and all now are .bat files rather than .doc files. I tried to rename some of them, but to no avail. The dates and file sizes are similar to what we would expect if they were the original .doc files.

Can anyone tell me what to do to recover these files?

Thanks!



#2 Elendil


Posted 05 June 2006 - 10:15 AM

When you run the .bat files what happens?

Edited by Elendil, 05 June 2006 - 10:15 AM.

Stanford '14
B.S. Candidate | Computer Science

#3 quietman7


Posted 05 June 2006 - 10:50 AM

Not a good idea to be running unknown .bat files even if they look similar. When you renamed the files did you also rename the .bat extension to .doc or .txt?

By no avail, do you mean the file names changed back, you could not open them or you could not read them once opened? What is the name of the Windows subdirectory that was created and does it contain anything besides these .bat files?

Further, since this computer did not have any anti-virus/anti-spyware protection, you should do a few more scans to see if anything else is present that AVG missed.

If you're running Win XP/2000, download and scan with Ewido Anti-Malware v3.5
Ewido Install and Scan Instructions

Download and scan with Ad-Aware SE Personal. Setup & Configure as shown here.

Download and scan with Spybot S&D 1.4. Setup & Configure as shown here.
[DO NOT choose the option to install TeaTimer]
Note: If you encounter any error messages while downloading the updates, manually download them from here.

Then perform at least one of these online Virus scans:
[Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component.]
Trend Micro Housecall Scan
Panda ActiveScan [ActiveScan Panda does not remove adware/spyware but will autoclean for viruses & worms.]

Edited by quietman7, 05 June 2006 - 10:52 AM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 ufichina


Posted 10 June 2006 - 09:39 AM

Thank you for your questions! I've been slow in posting because it's hard to get a hold of my husband's computer when he's not on it!

I have run Spybot, Ewido and Ad-aware. I did not run the other virus scans because they are online scans, and he is not connected to the internet.

They all told me I have Cydoor on the system, which is true, as we are running an ad-ware version of Vocabury Wizard, a nifty vocabulary program, which I have been running on my own notebook for several years with no problems.

Spybot and Ad-aware found "Alexa" spyware, so I followed instructions to delete that.

The files which look like the original files are now found in C:\windows\wj\ subdirectory. They all have .bat extensions. I did try to copy several of the files and rename them to .doc files. Was not able to open them with Word or Notepad. After renaming them, AVG kept popping up with the "Virus Found" menu, giving the name of the files I had just renamed, and saying that they had a "hidden extension - .com". The menu gave the new name of the file, followed by .doc.com. AVG could not heal the files nor move them into quarantine.

Any help would be immensely appreciated!
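
One way to inspect files like these without running or opening them, as an added example that is not part of the original thread: it reads only the first bytes of each file, compares them with two well-known signatures (the OLE2 container used by Word 97-2003 .doc files and the MZ header of DOS/Windows executables), and flags names such as the .doc.com that AVG reported. The function names, extension lists and sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Well-known leading byte signatures ("magic numbers").
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # Word 97-2003 .doc container
MZ_MAGIC = b"MZ"                                # DOS/Windows executable
EXEC_EXTS = {".com", ".exe", ".bat", ".cmd", ".pif", ".scr"}
DOC_EXTS = {".doc", ".txt", ".xls", ".ppt", ".pdf"}

def classify_header(head: bytes) -> str:
    """Classify a file from its first bytes, never from its name."""
    if head.startswith(OLE2_MAGIC):
        return "ole2-document"
    if head.startswith(MZ_MAGIC):
        return "executable"
    if head and all(b in (9, 10, 13) or 32 <= b < 127 for b in head):
        return "text"  # printable ASCII only; could be a real batch script
    return "unknown"

def has_hidden_extension(name: str) -> bool:
    """True for names like report.doc.com (document ext, then executable ext)."""
    stem, last = os.path.splitext(name.lower())
    _, prev = os.path.splitext(stem)
    return last in EXEC_EXTS and prev in DOC_EXTS

def triage(directory: str) -> dict:
    """Map each file name to (content type, hidden-extension flag). Read-only."""
    report = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                head = fh.read(64)
            report[name] = (classify_header(head), has_hidden_extension(name))
    return report

if __name__ == "__main__":
    # Constructed sample files standing in for a folder such as C:\windows\wj\
    with tempfile.TemporaryDirectory() as d:
        samples = {"letter.bat": OLE2_MAGIC + b"\x00" * 56,
                   "notes.doc.com": MZ_MAGIC + b"\x90" * 62,
                   "list.bat": b"@echo off\r\nrem constructed sample\r\n"}
        for n, data in samples.items():
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(data)
        for n, result in triage(d).items():
            print(n, result)
```

A matching OLE2 header only shows how the file begins; it does not show that the document is intact or free of appended or embedded code, so a scan of a copy is still needed before opening it.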

#5 quietman7


Posted 10 June 2006 - 10:52 AM

It's time to have a deeper look as to what's going on with your system by creating a hijackthis log. This will help us to identify and remove the malware files responsible for your problems.

I suggest you read and follow all instructions in the pinned topic titled Preparation Guide For Use Before Posting A Hijackthis Log.

When you have done that, post a log in the HijackThis Logs and Analysis Forum, not here, for assistance by the HJT Team Experts.

It may take a while to get a response because the HJT Team members are very busy. Please be patient as they are volunteers who will help you out as soon as possible. Once you have made your post, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have no replies as this makes it easier for them to identify those who have not been helped. If you post another response, a team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

After posting a log you should NOT make further changes to your computer (install/uninstall programs, delete files and other items on your own, etc.) unless advised by a HJT Team member. Doing so can result in system changes which may not show in the log you already posted and can complicate the malware removal process.