View Full Version : Malware Experts



SolMiester
23-06-2011, 04:00 PM
Have cleaned out a fake alert trojan, however I can't see any of the user's documents, even though a properties dialog box of the folder states 52GB of files?...
Anyone seen this before?....doing a backup, which appears to see and backup files, but ummm yeah....

SolMiester
23-06-2011, 04:07 PM
Hmmm, okay, found this.............

4) when your computer restarts don't be dismayed to find that your files and desktop are still missing. That's because this Windows Recovery malware "hides" your original files as part of its nastiness.

5) now go and download Trojan-Killer’s free “unhider” here: trojan-killer.net/how-to-restore-missing-files-and-folders-after-virus-attack/#more-2706 or directly here: trojan-killer.net/download/unhider.exe

6) double-click the downloaded file to run it and wait as it “unhides” all your files and folders on your computer. It takes about 10 minutes to complete (with no progress indicator), but you’ll see your desktop icons slowly reappear, though your original desktop background image will probably still be missing and some files still may not be accessible.

CYaBro
23-06-2011, 04:14 PM
Yeah, seeing this more and more now.
There are few tools available that will do what you want, as you found. :D

Iantech
23-06-2011, 04:27 PM
Sounds like a real nasty, one that I haven't struck yet thank goodness. I think if it was me I'd try and make a backup of user files and data etc, format it and do a fresh install.

Good luck with that one.

wainuitech
23-06-2011, 04:30 PM
If it's the same infection I've seen a lot of, for XP go to C:\Documents and settings\Username\Local Settings\temp\smtmp

Inside the smtmp folder will be three other folders, 1, 2 & 4

All your data, documents and all program shortcuts, links etc will be in there.

The infection really screws with the folder layout, so normally I simply clone the drive to save the data, reinstall.

Haven't actually seen it yet in Vista or W7

1101
23-06-2011, 04:47 PM
Yep, seen this a few times. Some of the new malware changes the attributes of many files.

Try changing settings in
My Computer/Tools/Folder Options/View/
click show hidden files, untick protected operating files

If that enables you to see them, at a cmd prompt:
cd\
attrib -h /s /d

Later variations of this malware also remove shortcuts/program links

SolMiester
23-06-2011, 04:57 PM
Yeah, W7 Pro.....bloody nuisance!...I can see most of the files, trouble is the start menu has lost a lot of the shortcuts...!!!!

wainuitech
23-06-2011, 05:15 PM
Same infection -- First W7 :)

So far I've come across about a dozen PCs with the infection, as pointed out in your post #2 - number 6 list "and some files still may not be accessible."

It really screws the system files. Removing the infection is easy, sometimes fixing the damage is not.

Try looking in the (and it's a guess - show hidden folders) C:\users\username\appdata\local\Temp\ Look if the smtmp folder is there.

Or even do a search for it start/ smtmp

Some say you simply move the shortcuts back to their original path and all will work again -- So far tried it on two PCs -- :crying
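Added example, not code from any post in this thread: a PowerShell script that does what 1101's attrib steps and wainuitech's smtmp hint describe, but scoped to one user profile and skipping items that are also System-flagged (desktop.ini, NTUSER.DAT and the like), which a blanket `attrib -h /s /d` from the root would not do. The $ProfileRoot default, the -Fix switch and the smtmp path under %LOCALAPPDATA% are assumptions taken from the W7 path given above.

```powershell
# Added example (not from the thread). Reports, and with -Fix clears, the Hidden
# attribute on ordinary user files, then inventories any shortcuts left in smtmp.
param(
    [string]$ProfileRoot = $env:USERPROFILE,   # assumption: the affected account's profile
    [switch]$Fix                                # without -Fix the script only reports
)

# Items the infection hides: Hidden set, but NOT System. Hidden+System items are
# normally legitimate OS files and are left alone on purpose.
$hidden = Get-ChildItem -LiteralPath $ProfileRoot -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
        (($_.Attributes -band [IO.FileAttributes]::System) -eq 0)
    }

"Hidden (non-System) items under ${ProfileRoot}: $($hidden.Count)"
$hidden | Select-Object -First 20 FullName   # preview before changing anything

if ($Fix) {
    foreach ($item in $hidden) {
        # Toggle only the Hidden bit (known to be set); every other attribute is kept.
        $item.Attributes = $item.Attributes -bxor [IO.FileAttributes]::Hidden
    }
    "Cleared Hidden on $($hidden.Count) items."
}

# smtmp is where the thread reports relocated shortcuts end up (subfolders 1, 2, 4).
# The original locations are not given in the thread, so this only inventories them;
# moving them back is left to the operator.
$smtmp = Join-Path $env:LOCALAPPDATA 'Temp\smtmp'   # assumption: W7 location from post above
if (Test-Path -LiteralPath $smtmp) {
    Get-ChildItem -LiteralPath $smtmp -Recurse -Force -File |
        Where-Object { $_.Extension -eq '.lnk' } |
        Select-Object FullName, LastWriteTime |
        Format-Table -AutoSize
} else {
    "No smtmp folder found at $smtmp"
}
```

Run it once without -Fix to review the preview list, then with -Fix from an elevated prompt if the listed items are the user's own documents.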

pctek
23-06-2011, 08:02 PM
Repair install - then, if still dodgy reinstall.

wainuitech
23-06-2011, 08:24 PM
Repair install - then, if still dodgy reinstall.

If it's the same bug that I have had, a repair install doesn't work (tried it in XP) - the missing icons/shortcuts & folders are still missing in action.:mad: It's a "nasty piece of work"

Speedy Gonzales
23-06-2011, 08:40 PM
If it's 32 bit, run trojan remover scan then select all options under the utils menu

wainuitech
23-06-2011, 09:05 PM
Malware bytes normally gets the infection out, that's not the problem, it's the damage it does that really screws things up.

From the XP ones I have done, it drops a couple of random named exe and other files in the C:\Documents and Settings\UserName\Local Settings\Temp folder.

Greven
23-06-2011, 10:22 PM
Combofix now restores your start menu shortcuts after removing the infection. First time I encountered it, I unhid the user folder but didn't notice the missing start menu shortcuts until after I had run ccleaner.

wainuitech
23-06-2011, 11:00 PM
That must have been since last Saturday (combofix) - that was when I did the last one, and while combo fix removed several infections the start menu was still toast.

The PC in question had 4 user accounts, each user's start menu was in a different state of "disaster", ranging from completely blank to half there but not working :)

pctek
24-06-2011, 07:44 AM
If its the same bug that I have had, a repair install doesn't work (tried it in XP)

Did for me. XP.

wainuitech
24-06-2011, 09:53 AM
Did for me. XP.

How many user accounts ??

The one I tried it on had four user accounts, and it didn't change any of them. That's why I tried the repair install, LOTS of data between four accounts :waughh:

Agent_24
25-06-2011, 12:49 PM
Sounds like a bastard. Luckily I have not encountered this one (yet)

Billy T
25-06-2011, 05:21 PM
Any ideas on how this one is getting picked up? Is it email attachments, image file payload, web-link or what?

It would be nice to know what to watch out for, especially since I picked up a similar nasty a while back and still have no idea how it got in.

I am usually super cautious, but clearly that is not going to help if the infection is by other than the commonly known and avoidable sources.

Cheers

Billy 8-{)

wainuitech
25-06-2011, 05:36 PM
Most of the time, these infections are installed by what's known as a Drive By Download (http://en.wikipedia.org/wiki/Drive-by_download) number 2 & 3 in that link explain it better.

Speedy Gonzales
25-06-2011, 05:51 PM
It may also happen if you don't keep Windows up to date

Greven
25-06-2011, 08:47 PM
90% of fake anti-virus infections I see either have porn sites in their browser history, or a p2p program running at startup & infected music/video files in the download directory. Occasionally I see people get infected by scam emails (links more often than attachments) & sometimes there is no apparent cause.

Some people go to great lengths to install the malware because they think it is legit.