
friend got something that removed everything or hid it???


DougP

Windows XP Pro
When I log in there are no desktop icons, no folders in C:, no programs, nothing in the start menu. The recycle bin is on the desktop. Even opening a command prompt and doing dir shows nothing. It's not even like a new computer where you can see and do things; this shows absolutely nothing anywhere?????
This is for both the Administrator account and hers.
But yet the computer runs so everything is there but just hidden or I don't know what?
After I copied malware bytes to the root of c it shows the .exe file. malware bytes won't run has no permission to do something.
Mic Secur Ess ran and found something I cleaned it but still nothing after a reboot.

but the Mic Secur Ess folder does not show after it installed. Crazy like nothing I have ever seen. The C drive has everything since it shows 1/2 full if you right click Properties. Also I managed to open Add Remove Programs and all of the programs are in there.
I ran msconfig and shut off everything at start up but still no go.
She said she got something that came up and wanted her to buy? Which she did not.
I looked at permissions in the folders and they were shut off. All permissions were unchecked. Rechecking them did nothing.

Any ideas? Beside reformat?


DougP
 
There are several malware variants that change the userprofile folder to hidden. This is fairly easy to change back, but more importantly (this is unclear from your description), has the malware been removed?

If the malware has been removed, you can use Windows Explorer to remove the hidden property. Open Windows Explorer and go to Tools, Folder Options, View tab and check the box to show hidden files. Then navigate to the user profile folder (c:\documents and settings\username), right-click on it and select Properties. De-select the Hidden checkbox.
 
Ok, I can see all folders are hidden now. I am changing "Hidden" permissions; I unchecked the box and all subfolders.

I am not sure if the malware is gone or not.
MSE found one thing and cleaned it.
But what about everything else? This is going to take a long time to change everything in the entire computer?

I'll see if Malware bytes will run now.

DougP
 
When in doubt, save all the data to another storage device (external hard drive/flash drive) and reload windows from scratch.

If you want to continue down the "remove not reload" pathway, do the following.

Run the full MBAM scan.
Run TDSS killer
Remove your antivirus software and run Combofix.

If these don't fix your problem with malware, you're heading down a hard road unless you just don't want to do a reload and are very stubborn that you must win.
 
You may also have issues from relocated folders.

There is an executable, unhide.exe , that may help you. Available from the web.





Ed Fair
Give the wrong symptoms, get the wrong solutions.
 
now if the files are hidden (attribute H) then the files would not show, I am not sure if under BartPE if the option to show all hidden files is enabled by default, and to show hidden files (unhide them) you could use the following from a DOS CMD line:

dir X: /ah (to see all hidden files and directories)
attrib -h X:\*.* (to unhide ALL files and directories)

for drive X (change this to whichever drive letter that the drive is showing under your RECOVERY system)...
thread760-1661911

Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
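
The `attrib -h` approach above applied to a whole folder tree, as an added example that is not from any poster in this thread. It assumes PowerShell is available on the cleaned system, uses a placeholder `$Root`, and only reports unless `-Apply` is given; like `attrib -h` on its own, it leaves items that also carry the System attribute untouched.

```powershell
# Added example (not from the thread). $Root is a placeholder; point it at the
# affected profile folder or drive. Without -Apply the script only reports.
param(
    [string]$Root = 'X:\Documents and Settings',
    [switch]$Apply
)

$Hidden = [int][System.IO.FileAttributes]::Hidden
$System = [int][System.IO.FileAttributes]::System

$report = New-Object PSObject -Property @{
    Unhidden = 0; WouldUnhide = 0; SkippedSystem = 0; Failed = 0
}

# -Force is required, otherwise Get-ChildItem omits hidden and system items.
Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $item  = $_                      # keep a reference; $_ changes inside catch
        $attrs = [int]$item.Attributes
        if (-not ($attrs -band $Hidden)) { return }   # already visible

        # Assumption: Hidden+System items (desktop.ini, thumbs.db, ...) are
        # hidden by Windows itself, so they are counted and left alone.
        if ($attrs -band $System) { $report.SkippedSystem++; return }

        if (-not $Apply) {
            $report.WouldUnhide++
            Write-Output ("would unhide: " + $item.FullName)
            return
        }
        try {
            # Clear only the Hidden bit; every other attribute is preserved.
            $item.Attributes = [System.IO.FileAttributes]($attrs -band (-bnot $Hidden))
            $report.Unhidden++
        } catch {
            $report.Failed++
            Write-Warning ("could not change: " + $item.FullName)
        }
    }

# Summary of what was (or would be) changed.
$report
```

A large `SkippedSystem` count on ordinary documents means the files were flagged Hidden and System together, which this script deliberately does not touch.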
 
I decided to reformat. It's an HP and required disks. The machine is XP so it's old anyway. There is too much to do by hand. It is hard to believe that you cannot do anything normal because you cannot see anything at all whatsoever. You can't see the files or programs or desktop icons, and the task manager button is grayed out. It is hard to understand, I know. In 20 years in IT, I have never seen anything like it. The only program that is there when I log in as the user is some kind of registry cleaner with the name "blue" in it. So I suspect it went in the registry and did the harm since she did not want to buy it.

DougP
 
Probably UniBlue - I've seen that before. Probably not a major concern and it could be uninstalled. That's not the smoking gun.


Whenever I see someone that has this and I ask how they got it, they all say they never installed it themselves, so it likely sneaks on as part of another software install.
 
UniBlue is a legit product. She may have gotten a hacked version of it somewhere.

Jeff
It's never too early to begin preparing for International Talk Like a Pirate Day
"The software I buy sucks, The software I write sucks. It's time to give up and have a beer..." - Me
 
sry, to say this, but this is probably due to a drive-by install of some version of XP Antivirus or one of its 1000 incarnations...

I had to deal with one just like it, and cleaning took close to an hour and a half, mainly due to me not knowing how to unhide and get rid of one baddy that was installed under the DEFAULT or All Users account...

and just like Goom said, it is not a major issue, once you know what and where to look...

DougP though a bit drastic, it probably was the safest way to handle it... ;-)

Ben
 
Thank you for everyone's input, I did a parallel install of Windows to keep all the old stuff intact. I had to reinstall drivers and software but files remain intact and drivers were there from one other redo so that was easy enough.

DougP
 
FYI: for others that get this same thing. it must be going around but mine is a worse re-incarnation since everything was hidden.
this thread has some good info. I did not do any of it since I just re-installed.
thread760-1647910

DougP
 
I had a client with this, it was a virus. It was a bootstrap virus that would recreate itself from a rewritten winlogon.exe.(ursnif.a) I originally managed to clean the system and show the drives etc but the virus recreated itself on rebooting. Ended up taking the files I needed to rebuild the system and re-imaged with bartPE from a clean image.

 
I installed a parallel copy of Windows, she took the computer home, then said she got the Security spoof virus 2 days later? !!@#$@$@$@

So I am doing a reformating of it all.


DougP
 
Install Microsoft Security Essentials, run all updates etc., that purely from the point of knowing what it was. Reimaging / reinstalling clean is your only option. You have what is called a bootstrap virus. The best virus will not be located in the /MBR, but through reengineered DLLs and exes that are initialized on boot up.

Rebuilding has always been your only option.
 
what became of the first "I decided to reformat."? (posted on the 15 Dec 11)

and @ DrZogg, he already has done both (see above) the reformat and (see first post) "Mic Secur Ess ran and found something I cleaned it but still nothing after a reboot."


but the PROBLEM still persists, the "she" in "she took computer home then said she got Security spoof Virus 2 days later? !!@#$@$@$@"...

and there is only one way really to deal with that, educate educate EDUCATE... and it does not hurt having Ad-Blockers and for FireFox having NoScript installed... and have "her" surf with a NON-ADMIN user profile...

PS: the post was done for me when DougP wrote: "I decided to reformat."... as that took care of everything...


Ben
 
Charge for your time. As soon as there is a cost involved, they learn really quick
 
Thanks again for all input.
This machine had or got two different things. First it had hidden everything. So I "thought" I would leave the documents intact and Parallel install Windows. Maybe a huge mistake.
I installed both Microsoft security essentials and Malware bytes after I installed the Parallel copy of Windows XP Pro.
The second thing got by MSE yesterday, after she said she got it again. Meaning she thought she had the same thing. I, while sitting in front of the computer, saw MSE said it found one thing and was getting rid of it and to reboot. So I did, but the spoof came back up after reboot. Again MSE popped up and said it found it again. When this virus or whatever it is is running you cannot do certain things (I don't recall and can't find out because I left the machine overnight reformatting its drive on new install). I deleted all partitions and reformatted full NTFS.

The second thing was the Security Spoof where a program loads and runs on boot up finding supposed viruses. There are two screens, one on top of the other, and it looks very professional. I had this one before by a co-worker who got it twice within two weeks and I knew it was a total reformat time. Theirs was an XP security spoof.
I also know that the co-worker's desktop PC is still setting in my office with its hard drive out on top of it. I had to give co-worker a new computer running win 7 pro. I am afraid this spoof might destroy the hard drive.
Are these two things my friend got related???? Not sure.
So I am reformatting the friend's laptop. Friend has another computer now to use with Vista on it.

Thanks again.

DougP
 
As far as charging them money. I have thought about re-opening my PC support business. Or should I say advertising it more. friends give me gifts and other stuff, above included.

Although I loathe the viruses/malware and those who make them. I should use that as an opportunity.

DougP
 
Although I loathe the viruses/malware and those who make them. I should use that as an opportunity.

Yeah, an IT person met a "girl" because of a virus. This sounds promising.

The only way the two would be related would be if there was a trojan downloader installed by the first malware that brought you the second fake malware program as a gift.
 