Never Seen This One Before

Thread: Never Seen This One Before

  1. #1
    Registered User (joined Mar 2005, 1,534 posts)

    Never Seen This One Before

    What it does is:

    1. Sets all files as hidden so it appears all your data is gone
    2. Nothing works: ComboFix, Malwarebytes, Spybot, internet, nothing in Safe Mode or otherwise.
    3. System restore won't work even when you cancel the repair and go through the back door.

    I have uninstalled Malwarebytes with the uninstaller tool and tried to reinstall it, and it gives me an access denied message; Spybot gives the same message.

    I finally got combofix to run once on one of the machines I encountered this beast on and it found nothing. I have seen 4 of these now from different customers and have had to format all of them.

    I have used everything in my arsenal and have had no success. I have also exhausted every suggestion on the internet.
    Jesus replied: "'Love the Lord your God with all your heart and with all your soul and with all your mind

  2. #2
    CeeBee (Registered User, joined Nov 2002, USA, 2,494 posts)
    Try a preinstall environment. Bart's CD or miniPE.
    Protected by Glock. Don't mess with me!

  3. #3
    MobilePCPhysician (Registered User, joined Jan 2002, Cleveland, Oh, 2,384 posts)
    Try slaving the drive in a clean computer and run virus, malware tools.

    What version of Windows?
    Sergeant WOTPP

  4. #4
    Niclo Iste (Registered User, joined Oct 2007, Pgh, PA, 2,051 posts)
    It's an infection. My buddy had to deal with that 3 weeks ago. Watch out: it will migrate to your PC if you slave it, even as a USB drive and in Safe Mode. Best get your AVs up to date and be using a good one to work on this. I'll see if I can talk to him and find out what he had to use.
    One Script to rule them all.
    One Script to find them.
    One Script to bring them all,
    and clean up after itself.

  5. #5
    Ferrit (Registered User, joined Apr 2001, Vancouver Island The Real Canada, 4,952 posts)
    Likely using some rootkit technology.
    Avira used to offer a DOS-based rootkit removal tool; not sure it's still out there though.
    Gigabyte 990FXA-UD3
    AMD FX 8350 4ghz OCTO-Core
    Windows 8.1 PRO 64
    Adata 256 gig SSD
    Kingston HyperX 1600 16 Gigs
    Sapphire R9 280 2gig
    Enermax Liberty Modular 620
    www.northernaurora.net
    http://www.northernaurora.net/page/chat.html

  6. #6
    slgrieb (Registered User, joined Feb 2003, 4,103 posts)
    My preferred method for difficult removals is generally slaving the drive to another machine, and I always have an older machine that only gets used for that and data recovery. Emsisoft still offers a command line version of A-Squared that you can run from Safe Mode with Command Prompt. In fact, ComboFix may run OK from a command prompt, but I've never tried it. Of course Malwarebytes and others offer plugins for Bart PE. Check out ubcd4win.com for more info and a list of tools. Still think slaving the drive is easier and quicker, though. Of course, you still have to do followup scans in regular mode from the infected drive to be sure you kill any stragglers.

  7. #7
    Zonie (Registered User, joined Apr 2001, Phoenix, Arizona, 1,461 posts)
    Had this problem with some of my clients and found this gem from Bleeping Computer:
    http://download.bleepingcomputer.com/grinler/unhide.exe. Just run unhide.exe and it will uncover all the files and the profile. You can run it from a flash drive, since anything you put on the PC will disappear.
    It's not the computers that keep having problems, it's the users!!
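As an added example (not code from the thread and not Bleeping Computer's tool), here is the manual equivalent of the unhide step: a PowerShell script that audits which user files carry the Hidden attribute and, only when asked, clears it. The exclusion list of names that Windows keeps hidden by design and the -Root/-Fix parameters are my assumptions, not anything the thread specifies.

```powershell
# Added example, not from the thread: audit and optionally clear the Hidden
# attribute on user data files, the manual equivalent of the unhide.exe step.
# Dry run by default; -Fix actually changes attributes. Point -Root at the
# Users folder of a slaved drive (e.g. E:\Users) to work on it offline.
param(
    [string]$Root = "$env:SystemDrive\Users",
    [switch]$Fix
)

# Names Windows itself legitimately keeps hidden inside a profile (assumed
# list). These stay hidden so the cleanup does not undo normal system state.
$KeepHidden = @('desktop.ini', 'ntuser.dat', 'ntuser.ini', 'ntuser.dat.log1',
                'ntuser.dat.log2', 'thumbs.db', 'AppData', 'Application Data',
                'Local Settings', 'Cookies', 'Recent', 'SendTo', 'Start Menu',
                'Templates', 'PrintHood', 'NetHood', 'My Documents')

function Get-HiddenUserItems {
    param([string]$Path)
    foreach ($item in Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue) {
        # Never descend into junctions or symlinks: profile junctions can loop.
        if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) { continue }
        $hidden = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
        if ($hidden -and ($KeepHidden -notcontains $item.Name)) { $item }
        # AppData is hidden by design; do not walk into it.
        if ($item.PSIsContainer -and $item.Name -ne 'AppData') {
            Get-HiddenUserItems -Path $item.FullName
        }
    }
}

$found = @(Get-HiddenUserItems -Path $Root)
"{0} hidden user items under {1}" -f $found.Count, $Root
$found | Select-Object FullName, Attributes | Format-Table -AutoSize

if ($Fix) {
    foreach ($f in $found) {
        # Clear only the Hidden bit and leave every other attribute as it was.
        $f.Attributes = [int]$f.Attributes -band (-bnot [int][IO.FileAttributes]::Hidden)
    }
    "Cleared Hidden on {0} items" -f $found.Count
}
```

Run the audit first and check the listing, then rerun with -Fix once the infection itself is gone, since the thread notes the malware re-hides anything placed on the PC while it is still active.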

  8. #8
    Guts3d (Registered User, joined Jan 2003, Pittsburgh U.S.A., 2,328 posts)
    Nice find, Zonie! And I am proud to say I usually use the same method as Slgrieb, so it must be pretty good!
    "I don't like the idea of getting shot in the hand" -Blackie in "Rustlers Rhapsody"

    "It is a proud and lonely thing, to be a Stainless Steel Rat." - Slippery Jim DiGriz

  9. #9
    Registered User (joined Mar 2005, 1,534 posts)
    Was out of town for the weekend and got a call today for the same one again. It is coming in tomorrow so I will try the suggestions and see what happens. I did have one guy come in with it a week ago and also his external drive had all the files hidden on it too. This is a nasty one.

    Is that right, Slgrieb? I haven't checked for a long time for Malwarebytes for UBCD, so I will check it out. Used a-squared a few times a long time ago but found it a little confusing then; I will check it out again.

    I will try that also Zonie.


    My usual is to try a restore point first.
    combofix
    ccleaner
    Malwarebytes
    spybot
    reset IE
    destroy all restore points
    go through msconfig
    sometimes run superantispyware if things are still found by spybot
    Hijackthis
    Update
    Defrag

    Anything I can add here?
    Last edited by Kodiak; May 30th, 2011 at 06:56 PM.

  10. #10
    MobilePCPhysician (Registered User, joined Jan 2002, Cleveland, Oh, 2,384 posts)
    Don't try a restore point first. Disable the restore feature, then run all the antivirus and anti-malware programs.

  11. #11
    slgrieb (Registered User, joined Feb 2003, 4,103 posts)
    Quote Originally Posted by Kodiak:
    Was out of town for the weekend and got a call today for the same one again. It is coming in tomorrow so I will try the suggestions and see what happens. I did have one guy come in with it a week ago and also his external drive had all the files hidden on it too. This is a nasty one.

    Is that right, Slgrieb? I haven't checked for a long time for Malwarebytes for UBCD, so I will check it out. Used a-squared a few times a long time ago but found it a little confusing then; I will check it out again.

    I will try that also Zonie.


    My usual is to try a restore point first.
    combofix
    ccleaner
    Malwarebytes
    spybot
    reset IE
    destroy all restore points
    go through msconfig
    sometimes run superantispyware if things are still found by spybot
    Hijackthis
    Update
    Defrag

    Anything I can add here?
    These days, I run TDSSKiller before ComboFix. Many times I've found that ComboFix may report a rootkit (possibly identified as TDSS) and wants to reboot to complete the removal, only to have the next pass of ComboFix repeat the process, while TDSSKiller usually terminates the infection. Conversely, I've done a couple of removals in the last week where TDSSKiller found no infections, but ComboFix deleted files marked as infected with TDSS. It all changes daily.

    Generally, I've dumped all over SuperAntispyware in several forums, and only had to eat crow a couple of times when it found stuff other programs missed. Overall, I think it's ineffective for finding anything other than cookies, and installing and running it is a waste of time. The stuff it misses vastly outweighs the stuff it finds. Malwarebytes is far superior, and Spybot does a better job of finding and removing potentially harmful leftovers from malware; plus the Immunize feature in Spybot is the best Hosts file blocking utility around.

    I only run CCleaner's Registry Editor if I have a connection issue or browser issue that I'm unable to repair with other utilities.
    Last edited by slgrieb; May 30th, 2011 at 11:09 PM.

  12. #12
    Zonie (Registered User, joined Apr 2001, Phoenix, Arizona, 1,461 posts)
    Another tool I found was the Bitdefender Rescue CD, which can be booted to and also updates the definitions automatically as long as you have an internet connection. You can find the ISO HERE.

  13. #13
    Registered User (joined Mar 2005, 1,534 posts)
    Quote Originally Posted by MobilePCPhysician:
    Don't try a restore point first. Disable the restore feature, then run all the antivirus and anti-malware programs.
    Curious why you wouldn't run a restore point first? I have found that in a lot of cases it gets rid of almost all the infection, and Malwarebytes and Spybot find nothing. I do disable it and reboot to remove the restore points after.

  14. #14
    Registered User (joined Apr 2001, Canada, 478 posts)
    I am curious as well. I leave the restore points intact until I am sure, after removing the infection, that the computer will start.
    I then remove the restore points. That way, if something I do during removal causes a non-booting Windows, it can be undone.
    It does make me start all over again, but at least I haven't lost anything.

  15. #15
    Niclo Iste (Registered User, joined Oct 2007, Pgh, PA, 2,051 posts)
    In the event an infection is making you worry that you may need to rely on the infected restore points I'd prefer to go the direction of imaging the drive and doing the removal process with the least likely chance of letting the infection come back. That way if it goes to being unusable you can reload the image and start over rather than have a restore point mess up a cleaning that could have completed without fail.
