Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

friend got something that removed everything or hid it???

Status
Not open for further replies.

DougP

MIS
Dec 13, 1999
5,985
US
Windows Xp Pro
When I log in there are no desktop icons, no folders in C: no programs, nothing in the start menu. The recycle bin is on the desktop. Even opening a command prompt doing dir shows nothing. Its not even like a new computer where you can see and do things this shows absolutely nothing anywhere?????
This is for both the Administrator account and hers.
But yet the computer runs so everything is there but just hidden or I don't know what?
After I copied malware bytes to the root of c it shows the .exe file. malware bytes won't run has no permission to do something.
Mic Secur Ess ran and found something I cleaned it but still nothing after a reboot.

but the Mic Secur Ess folder does not show after it installed. Crazy like nothing I have ever seen. The C drive has everything since it shows 1/2 full if you right click Properties. Also I managed to open Add Remove Programs and all of the programs are in there.
I ran msconfig and shut off everything at start up but still no go.
She said she got something that came up and wanted her to buy? Which she did not.
I looked at permissions in the folders and they ere shut off. all permissions were unchecked. rechecking them did nothing.

Any ideas? Beside reformat?


DougP
 
There are several malware variants that change the userprofile folder to hidden. This is fairly easy to change back, but more importantly (this is unclear from your description), has the malware been removed?

If the malware has been removed, you can use windows explorer to remove the hidden property. Open windows explorer and go to Tools, Folder Options, View tab and check to the box to show hidden files. Then navigate to the user profile folder (c:\documents and stettings\username), right-click on it and select properties. De-select the hidden checkbox.
 
Ok I can see all folders are hidden now, I am changing "Hidden" permisions, I unchecked the box and all subfolders.

I am not sure if the malware is gone or not.
MSE found one thing and cleaned it.
But what about eveything else? this is going to take a long time to change eveything in the entire computer?

I'll see if Malware bytes will run now.

DougP
 
When in doubt, save all the data to another storage device (external hard drive/flash drive) and reload windows from scratch.

If you want to continue down the "remove not reload" pathway, do the following.

Run the full MBAM scan.
Run TDSS killer
Remove your antivirus software and run Combofix.

If these don't fix your problem with malware, you're heading down a hard road unless you just don't want to do a reload and are very stubborn that you must win.
 
You may also have issues from relocated folders.

There is an executable, unhide.exe , that may help you. Available from the web.





Ed Fair
Give the wrong symptoms, get the wrong solutions.
 
now if the files are hidden (attribute H) then the files would not show, I am not sure if under BartPE if the option to show all hidden files is enabled by default, and to show hidden files (unhide them) you could use the following from a DOS CMD line:

dir X: /ah (to see all hidden files and directories)
attrib -h X:\*.* (to unhide ALL files and directories)

for drive X (change this to whichever drive letter that the drive is showing under your RECOVERY system)...
thread760-1661911

Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
 
I decided to reformat. Its an HP and required disks. the machine is XP so its old anyway. There is too much to do by hand. It is hard to belive that you cannot do anything normal becasue you cannot see anything at all whatsoever. you can't see the files or programs or desktop icons or task manager button is grayed out. It is hard to understand I know. in 20 years in IT, I have never seen anything like it. the only program that is there when I log in as the user is some kind of registry cleaner with the name "blue" in it. So I suspect it went in the registry and did the harm since she did not want to buy it.

DougP
 
Probably UniBlue - I've seen that before. Probably not a major concern and it could be uninstalled. That's not the smoking gun.


Whenever I see someone that has this and I ask how they got it, they all say they never installed it themselves, so it likely sneaks on as part of another software install.
 
UniBlue is a ligit product. She may have gotten a hacked version of it somewhere.

Jeff
[small][purple]It's never too early to begin preparing for [/purple]International Talk Like a Pirate Day
"The software I buy sucks, The software I write sucks. It's time to give up and have a beer..." - Me[/small]
 
sry, to say this, but this is probably due to a drive-by install of some version of XP Antivirus or one of it's 1000 incarnations...

I had to deal with one just like it, and cleaning took close to an hour and a half, mainly due to me not knowing how to unhide and get rid of one baddy that was installed under the DEFAULT or All Users account...

and just like Goom said, it is not a major issue, once you know what and where to look...

DougP though a bit drastic, it probably was the safest way to handle it... ;-)

Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
 
Thank you for everyone's input, I did a parallel install of Windows to keep all the old stuff intact. I had to reinstall drivers and software but files remain intact and drivers were there from one other redo so that was easy enough.

DougP
 
FYI: for others that get this same thing. it must be going around but mine is a worse re-incarnation since everything was hidden.
this thread has some good info. I did not do any of it since I just re-installed.
thread760-1647910

DougP
 
I had a client with this, it was a virus. It was a bootstrap virus that would recreate itself from a rewritten winlogon.exe.(ursnif.a) I originally managed to clean the system and show the drives etc but the virus recreated itself on rebooting. Ended up taking the files I needed to rebuild the system and re-imaged with bartPE from a clean image.

 
I installed a paraleel copy of windows, she took computer home then said she got Security spoof Virus 2 days later? !!@#$@$@$@

So I am doing a reformating of it all.


DougP
 
Install Microsoft Security Essentials, run all updates etc, that purely from the point of knowing what it was. Reimaging / reinstalling clean is your only option. You have what is called a bootstrap virus. The best virus will not be located in the /MBR, but through reingineered DLLs and exes that are initialized on boot up.

Rebuilding has always been your only option.
 
what became of the first "I decided to reformat."? (posted on the 15 Dec 11}

and @ DrZogg, he already has done both (see above) the reformat and (see first post) "Mic Secur Ess ran and found something I cleaned it but still nothing after a reboot."


but the PROBLEM still persists, the "she" in "she took computer home then said she got Security spoof Virus 2 days later? !!@#$@$@$@"...

and there is only one way really to deal with that, educate educate EDUCATE... and it does not hurt having Ad-Blockers and for FireFox having NoScript installed... and have "her" surf with a NON-ADMIN user profile...

PS: the post was done for me when DoupP wrote: "I decided to reformat."... as that took care of everything...


Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
 
Charge for your time. As soon as there is a cost involved, they learn really quick
 
Thanks again for all input.
This machine had or got two different things. First it had hidden everything. So I "thought" I would leave the documents intact and Parallel install Windows. Maybe a huge mistake.
I installed both Microsoft security essentials and Malware bytes after I installed the Parallel copy of Windows XP Pro.
The second thing got by MSE. yesterday after she said she got it again. Meaning she thought she had the same thing. I while sitting front of the computer saw MSE said it found one thing and was getting rid of it and to reboot. So I did. but the spoof came back up after reboot. again MSE popped up and said it found it again. When this virus or whatever it is is running you cannot do certain things ( I don't recall and can't find out because I left the machine over night reformatting its drive on new install. I deleted all partitions and reformatted full NTFS.

The second thing was the Security Spoof where a program loads and runs on boot up finding supposed viruses. there are tow screen one on top of the other and it looks very professional. I had this one before by a co-worker who got it twice within two weeks and I knew it was a total reformat time. Theirs was an XP security spoof.
I also know that the co-worker's desktop PC is still setting in my office with its hard drive out on top of it. I had to give co-worker a new computer running win 7 pro. I am afraid this spoof might destroy the hard drive.
Are these two things friend got related???? not sure.
So I am reformatting the friends laptop. friend has another computer now to use with Vista on it.

Thanks again.

DougP
 
As far as charging them money. I have thought about re-opening my PC support business. Or should I say advertising it more. friends give me gifts and other stuff, above included.

Although I loathe the viruses/malware and those who make them. I should use that as an opportunity.

DougP
 
Although I loathe the viruses/malware and those who make them. I should use that as an opportunity.

Yeah, an IT person met a "girl" because of a virus. This sounds promising.

The only way the two would be related would be if there was a trojan downloader installed by the first malware that brought you the second fake malware program as a gift.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top