
Virus hiding C: drive, how do I clean?

Status
Not open for further replies.

1DMF

Programmer
Jan 18, 2005
8,795
GB
Hi,

I have a user whose laptop got infected with a fake disk recovery virus program and it is hiding the C: drive.

As it is the Media Centre version of XP there is no 'repair' install option, so I have installed a new copy of XP Pro onto the D: drive.

However, even this new version of XP is unable to see the C: drive.

What has this virus done that is stopping DOS dir commands and Windows Explorer from seeing the data on the drive?

Sony support claimed the drive had been wiped, but it hasn't been, as the damaged XP MC install boots.

I have also tried to scan the C: drive from the new D: drive XP install using Malwarebytes Anti-Malware, but so far it hasn't found anything, though it could see the C: drive files to scan.

All we want to do is get access to the 'Documents and Settings' folder and a few app folders to get the user data off the C: drive; we are then more than happy to wipe the C: drive.

What can I use that will have the ability to see the data on the hard drive, or how do I remove whatever this virus has done?

Thanks,
1DMF.

"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you."

"If a shortcut was meant to be easy, it wouldn't be a shortcut, it would be the way!"

Google Rank Extractor -> Perl beta with FusionCharts
 
What happens if you boot from something like AVG Rescue Disk, CAINE Live CD, or Dr. Web CureIt CD? These will bypass the OS and look directly at the hardware. If these don't see it, then I would suspect the BIOS or a hardware problem.


James P. Cottingham
I'm number 1,229!
 
What happens when you show HIDDEN and SYSTEM FILES in the folder options?

I had a case where a malware tripped every file's HIDE attribute, basically showing blank when opening the C:\ drive... Here you either go to every file and change its attribute back, or use a command, like attrib -h C:\*.* /s /d (this will unhide ALL files on said drive, even those that were hidden by the OS)...

There is also an option to HIDE drives; here use TweakUI to unhide them...

See here:


Hide Confidential Hard Disk Drive In Windows – TweakUI



Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
 
Spot on Ben!

Been a nightmare cleaning this machine, but I'm getting there; just a few programs to reinstall, and Office, and they are back up and running.

I think from now on they are going to back up their PC!

"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you."

"If a shortcut was meant to be easy, it wouldn't be a shortcut, it would be the way!"

Google Rank Extractor -> Perl beta with FusionCharts
 
I think from now on they are going to back up their PC!
Now, I wouldn't put any money on that... unless you set it up to automatically do a backup, most people will find it a bore or have the attitude "not today, tomorrow will do...", basically putting it off until disaster hits again... been there, seen that... ;)


Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
 
bbb said:
been there seen that... ;)
Ditto.

Of course, on my personal machines, at times, I don't mind the excuse to rebuild/reinstall one - though I rarely have the time anymore. I almost always learn something new.

Backing up the data can be very important though, for sure. And if folks who tinker with and fix PCs often don't do backup all that well, you KNOW the general masses aren't doing it.

Here's a few suggestions in case they wanted to set it up or you wanted to set it up for them:
1. Acronis True Image Home - probably the easiest one out there. They initially had some big issues with Windows 7, but hopefully fixed by now - But this being Windows XP, shouldn't be as big an issue anymore.

2. Terabyte Unlimited Image for Windows - program works very well. May not be quite as clear-cut as Acronis, but I thought it was pretty straightforward. Also, if you want to get really techie with it, you can build a custom restore disk for the specific computer - pretty neat, actually. It'll boot up like the current OS (can even do a Win7 lookalike bootable disk), allowing the user to select a backup file to restore from any connected source. For instance, if you run regular/automated backups (via a schedule) to an external hard drive, you can point that program at the hard drive, pick the point you want to restore, and set it to work. You can also use their Boot It NG to do ALL SORTS of things including backup and restoration. It's worth at least playing with one time. I keep saying I'll set my own systems up with it... but never do "get 'round to it".

3. For anyone with Windows 7, the Windows Backup is said to be pretty good. I've created a backup image before, but never really tested it. The backup process built in to Windows probably is good enough for most home users, I suppose. But I don't know that I'd depend on it if I REALLY wanted a good solution. The Terabyte Unlimited one seemed to be the best when I set it up for someone else.

4. Of course there's also Norton Ghost, which some will swear by as well. I've used it, but rarely, and it's been a while.

 
Here's a few suggestions in case they wanted to set it up or you wanted to set it up for them:
5. Home: Paragon Backup & Recovery 10 Suite. Used it before and found it easier to set up than Acronis...

For businesses there is a Server version available as well...



Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
 
We use Depositit remote backup and CA ARCserve to a USB device :)

"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you."

"If a shortcut was meant to be easy, it wouldn't be a shortcut, it would be the way!"

Google Rank Extractor -> Perl beta with FusionCharts
 
I think I saw this malware yesterday. I could not beat it with the time I was given. Symptoms and what I tried:

All Desktop icons missing and folders on C: hidden/read only

Getting pop ups about "disk full" and "delayed write failed" - likely malware-generated as hard drive was not full.

Malwarebytes would not install (strange error during install) in Safe Mode.

MBAM wouldn't even install after running RKILL in Safe Mode.

TDSSKiller wouldn't run in Safe Mode.

A scan using a BartPE CD and McAfee command line found nothing in C:\Windows\System32 (didn't scan the whole system due to time).

Combofix would also not run - it would start but it never got to the Stage 1 on the screen.

Not sure what else I might have done. Reading around, I see that attaching it as a slave drive and scanning is not helping much either. Need to know what this thing is called and how to attack it. It is one of the best (worst) new malware I've seen.
 
It is one of the best (worst) new malware I've seen.
Yup, damn frustrating indeed.

I installed XP onto the D: partition and will be wiping the old Windows on the C:.

It took hours and is so severe that I don't think you have much choice but to reinstall, though a repair install should give you enough to get Avast running and wipe the darn thing, like it did for us!

Every file on the computer was marked hidden, so marking them all unhidden is not the right thing to do; some are meant to have that attribute!

The most annoying thing of all is not seeing more of these assholes on TV getting 30+ year jail sentences.

Come on, governments! Stop these scammers and do something about it. USA extradites UK guy for accessing government systems when they hadn't even password protected the system.

I guess finding real criminals is just too difficult!


"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you."

"If a shortcut was meant to be easy, it wouldn't be a shortcut, it would be the way!"

Google Rank Extractor -> Perl beta with FusionCharts
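Ben's `attrib -h C:\*.* /s /d` unhides everything, and 1DMF points out that some entries are meant to stay hidden. As an added example (not code from anyone in this thread), this parses a saved `attrib /s /d` listing and only plans to unhide entries that carry H but not S and sit under user-data roots; the listing, the `jsmith` profile and the root list are constructed assumptions.

```python
import re

# attrib /s /d prints attribute letters in a fixed-width column, then the path.
ATTRIB_LINE = re.compile(r"^(?P<flags>[A-Z ]*?)\s*(?P<path>[A-Za-z]:\\.*)$")

# Constructed sample of attrib output after the infection: every entry has H set,
# but the desktop.ini, boot.ini and pagefile.sys entries also carry S legitimately.
SAMPLE = """\
A    H       C:\\Documents and Settings\\jsmith\\My Documents\\report.doc
A    H       C:\\Documents and Settings\\jsmith\\Desktop\\Budget.xls
     H       C:\\Documents and Settings\\jsmith\\My Documents
A   SH       C:\\Documents and Settings\\jsmith\\My Documents\\desktop.ini
A   SHR      C:\\boot.ini
A   SH       C:\\pagefile.sys
A    H       C:\\Program Files\\CustomApp\\config.xml
"""

# Assumed user-data roots; only entries below these are unhidden automatically.
USER_ROOTS = [r"C:\Documents and Settings"]


def parse_attrib(text):
    """Return a list of (path, flag set) tuples parsed from attrib output."""
    entries = []
    for line in text.splitlines():
        m = ATTRIB_LINE.match(line)
        if m:
            entries.append((m.group("path"), set(m.group("flags").replace(" ", ""))))
    return entries


def plan_unhide(entries, roots):
    """Sort entries into: unhide (H, no S, under a root), keep_system (S set),
    out_of_scope (hidden but outside the roots; review by hand)."""
    plan = {"unhide": [], "keep_system": [], "out_of_scope": []}
    for path, flags in entries:
        if "H" not in flags:
            continue
        if "S" in flags:
            plan["keep_system"].append(path)
        elif any(path.lower().startswith(r.lower() + "\\") for r in roots):
            plan["unhide"].append(path)
        else:
            plan["out_of_scope"].append(path)
    return plan


def attrib_commands(plan):
    """Emit one `attrib -h` command per path chosen for unhiding (quoted for spaces)."""
    return ['attrib -h "%s"' % p for p in plan["unhide"]]
```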
 
I'm guessing I should have given myself the following advice, but I didn't have time to do any more scans:

GMER scan
DDR scan


Anybody know what it's called??

The laptop wasn't worth spending the money (my time) to do any more to it.

Remember: No malware = 1/2 of my business gone. So, love to hate them. Perverse/Rejoice.
 
If confronted by this, I'd have begun with Process Explorer (the pause process is neat), once all traces of the malware were tracked and container processes paused, track all startups for them with Autoruns ready for unchecking. Then kill all affected processes, uncheck their startups, restart Explorer (it's usually infected so has to be paused, killed, restarted) then tried to clear out the infectors and traces with MBam, etc.

If that failed, coffee time and think about it some more.
 
I'm not understanding what you mean by the "pause process" feature and I've been using Process Explorer for a long time. You mean "suspend"?? How does that help with malware?

Un-checking a suspicious file in Autoruns did NOT stop all pieces of the malware from running. It's likely a rootkit and you often don't see those in Autoruns.

You also didn't read when I said I couldn't get MBAM to install - period.
 
I did read your post.

Sorry, suspend it is. It helps because if you kill a process that's protected by malware, it's either blocked from being killed or it restarts it. So, if you suspend all processes containing malware, you can then kill them successfully because there's nothing running to stop you or that can restart them.

Similar with Autoruns, if you don't suspend first, the running malware will block the removal or replace the autostart feature.

Once you've killed the running malware processes and their autoruns, there's a very good chance of running or installing programs you couldn't previously.

Again, if you suspect a rootkit, run TDSSkiller/Gmer once the processes have been killed. And unless the rootkit is triggered by a bootkit, it usually is logged by Autoruns - look for "file not found".
 
A word of advice here: most of these types of malware hide the exes under the DEFAULT USER's path...

The malware that I came across, ransom-ware, was rather easy to kill, but the following clean up (reshowing the hidden files, hiding those that should be hidden again, etc.) took hours...

It does sound like it was a bit different from the one that Goom mentioned; I got the baddy only after slaving the HDD to my main PC and running a plethora of AV/AM apps against it...

And I still do not know what it was/is called...

Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
 
I should have noted the pop-up that was showing up when the PC booted (fake anti-malware or system maintenance software) but I didn't. But that may not be the only piece of malware on the machine.

We really can't analyze this very well because everybody might be referring to a different bit of malware.

All I know is that I tried everything I could (minus GMER) and I couldn't gain any traction against it.
 
BBB
Another star for you!
My daughter came to me yesterday in a panic saying everything on her laptop was gone.

I remembered reading your post a while back, and after AV/MW scans I checked the attributes of her folders and found them all hidden.

Was fortunate that I got everything back and warned her about clicking on links.

This was the second time for her; the first time it was the fake recovery bug and then this one.

 