-
May 27th, 2011, 01:53 PM
#1
Never Seen This One Before
What it does is:
1. Sets all files as hidden so it appears all your data is gone
2. Nothing works: ComboFix, Malwarebytes, Spybot, internet, nothing in safe mode or otherwise.
3. System restore won't work even when you cancel the repair and go through the back door.
I have uninstalled Malwarebytes with the uninstaller tool and tried to reinstall it and it gives me an access denied message, and Spybot will give the same message.
I finally got ComboFix to run once on one of the machines I encountered this beast on and it found nothing. I have seen 4 of these now from different customers and have had to format all of them.
I have used everything in my arsenal and have had no success. I have also exhausted every suggestion on the internet.
Jesus replied: "'Love the Lord your God with all your heart and with all your soul and with all your mind
-
May 27th, 2011, 03:31 PM
#2
Registered User
Try a preinstall environment. Bart's CD or miniPE.
Protected by Glock. Don't mess with me!
-
May 27th, 2011, 10:11 PM
#3
Registered User
Try slaving the drive in a clean computer and run virus, malware tools.
What version of Windows?
Sergeant WOTPP
-
May 28th, 2011, 09:43 AM
#4
Registered User
It's an infection. My buddy had to deal with that 3 weeks ago. Watch out, it will migrate to your PC if you slave it, even as a USB and in safe mode. Best get your AVs up to date and be using a good one to work on this. I'll see if I can talk to him and find out what he had to use.
One Script to rule them all.
One Script to find them.
One Script to bring them all,
and clean up after itself.
-
May 28th, 2011, 06:12 PM
#5
Registered User
Likely using some rootkit technology.
Avira used to offer a DOS-based rootkit removal tool, not sure it's still out there though.
-
May 29th, 2011, 09:33 AM
#6
Registered User
My preferred method for difficult removals is generally slaving the drive to another machine, and I always have an older machine that only gets used for that and data recovery. Emsisoft still offers a command line version of A-Squared that you can run from Safe Mode with Command Prompt. In fact, ComboFix may run OK from a command prompt, but I've never tried it. Of course Malwarebytes and others offer plugins for Bart PE. Check out ubcd4win.com for more info and a list of tools. Still think slaving the drive is easier and quicker, though. Of course, you still have to do follow-up scans in regular mode from the infected drive to be sure you kill any stragglers.
-
May 29th, 2011, 11:13 AM
#7
Registered User
Had this problem with some of my clients and found this gem from Bleeping Computer:
http://download.bleepingcomputer.com/grinler/unhide.exe. Just run the unhide.exe and it will uncover all the files and profile. You can run it from a flash drive since anything you put on the PC will disappear.
It's not the computers that keep having problems, it's the users!!
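For the file-hiding behaviour described in the first post and the unhide.exe fix Zonie points to, here is an added example (not the thread's code and not the unhide.exe tool) that reports how many items under a profile root carry the Hidden attribute and, with -Fix, clears Hidden/System from them while leaving the files Windows itself keeps hidden alone. The root path E:\Users is an assumption standing in for the slaved drive; adjust it to match your setup.

```powershell
# Added example: triage and revert a mass "Hidden" attribute set on user data files.
# Assumes the infected drive is slaved at $Root (hypothetical path) and PowerShell 3.0+.
param(
    [string]$Root = 'E:\Users',   # slaved drive; change to match your setup
    [switch]$Fix                  # without -Fix the script only reports
)

# Files Windows legitimately keeps hidden; their attributes are left untouched.
$KeepHidden = @('desktop.ini', 'thumbs.db', 'ntuser.dat', 'ntuser.ini',
                'usrclass.dat', 'iconcache.db')

$hidden = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
        ($KeepHidden -notcontains $_.Name.ToLower()) -and
        # Skip junctions such as AppData\Local\Application Data, which are hidden by design.
        -not ($_.Attributes -band [IO.FileAttributes]::ReparsePoint)
    }

# Triage signal: a normal profile has a handful of hidden items, not thousands.
Write-Host ("{0} hidden items under {1}" -f $hidden.Count, $Root)
$hidden | Group-Object { Split-Path $_.FullName -Parent } |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name |
    Format-Table -AutoSize

if ($Fix) {
    # Clear only Hidden and System; ReadOnly, Archive and the rest stay as they were.
    $mask   = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
    $failed = 0
    foreach ($item in $hidden) {
        try {
            $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band -bnot $mask)
        } catch {
            # Access denied here usually means the drive is still write-protected or in use.
            $failed++
            Write-Warning ("Could not change {0}: {1}" -f $item.FullName, $_.Exception.Message)
        }
    }
    Write-Host ("Cleared Hidden/System on {0} items, {1} failed." -f ($hidden.Count - $failed), $failed)
}
```

Run it once without -Fix to see the per-folder counts; a profile root where nearly every folder is in the list is the pattern the thread describes, whereas a few entries under AppData are normal.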
-
May 30th, 2011, 05:45 AM
#8
Registered User
Nice find, Zonie! And I am proud to say I usually use the same method as Slgrieb, so it must be pretty good!
" I don't like the idea of getting shot in the hand" -Blackie in "Rustlers Rhapsody"
" It is a proud and lonely thing, to be a Stainless Steel Rat." - Slippery Jim DiGriz
-
May 30th, 2011, 06:47 PM
#9
Was out of town for the weekend and got a call today for the same one again. It is coming in tomorrow so I will try the suggestions and see what happens. I did have one guy come in with it a week ago and his external drive had all the files hidden on it too. This is a nasty one.
Is that right, Slgrieb? I haven't checked for a long time for Malwarebytes for UBCD, so I will check it out. Used a-squared a few times a long time ago but found it a little confusing then; I will check it out again.
I will try that also Zonie.
My usual is to try a restore point first.
ComboFix
CCleaner
Malwarebytes
Spybot
reset IE
destroy all restore points
go through msconfig
sometimes run SuperAntiSpyware if things are still found by Spybot
HijackThis
Update
Defrag
Anything I can add here?
Last edited by Kodiak; May 30th, 2011 at 06:56 PM.
Jesus replied: "'Love the Lord your God with all your heart and with all your soul and with all your mind
-
May 30th, 2011, 10:56 PM
#10
Registered User
Don't try a restore point first. Disable the restore feature, then run all the antivirus, anti-malware programs.
Sergeant WOTPP
-
May 30th, 2011, 11:00 PM
#11
Registered User
Originally Posted by Kodiak
Was out of town for the weekend and got a call today for the same one again. It is coming in tomorrow so I will try the suggestions and see what happens. I did have one guy come in with it a week ago and his external drive had all the files hidden on it too. This is a nasty one.
Is that right, Slgrieb? I haven't checked for a long time for Malwarebytes for UBCD, so I will check it out. Used a-squared a few times a long time ago but found it a little confusing then; I will check it out again.
I will try that also Zonie.
My usual is to try a restore point first.
ComboFix
CCleaner
Malwarebytes
Spybot
reset IE
destroy all restore points
go through msconfig
sometimes run SuperAntiSpyware if things are still found by Spybot
HijackThis
Update
Defrag
Anything I can add here?
These days, I run TDSSKiller before ComboFix. Many times I've found that ComboFix may report a rootkit (possibly identified as TDSS) and wants to reboot to complete the removal, only to have the next pass of ComboFix repeat the process, while TDSSKiller usually terminates the infection. Conversely, I've done a couple of removals in the last week where TDSSKiller found no infections, but ComboFix deleted files marked as infected with TDSS. It all changes daily.
Generally, I've dumped all over SuperAntispyware in several forums, and only had to eat crow a couple of times when it found stuff other programs missed. Overall, I think it's ineffective for finding anything other than cookies, and installing and running it is a waste of time. The stuff it misses vastly outweighs the stuff it finds. Malwarebytes is far superior, and Spybot does a better job of finding and removing potentially harmful leftovers from malware; plus the Immunize feature in Spybot is the best Hosts file blocking utility around.
I only run CCleaner's Registry Cleaner if I have a connection issue or browser issue that I'm unable to repair with other utilities.
Last edited by slgrieb; May 30th, 2011 at 11:09 PM.
-
May 31st, 2011, 08:50 AM
#12
Registered User
Another tool I found was the Bitdefender Rescue CD, which can be booted to and also updates the definitions automatically as long as you have an internet connection. You can find the ISO HERE.
It's not the computers that keep having problems, it's the users!!
-
May 31st, 2011, 10:11 AM
#13
Originally Posted by MobilePCPhysician
Don't try a restore point first. Disable the restore feature, then run all the antivirus, anti-malware programs.
Curious why you wouldn't run a restore point first? I have found that in a lot of cases it gets rid of almost all the infection and Malwarebytes and Spybot find nothing. I do disable it and reboot to remove the restore points after.
Jesus replied: "'Love the Lord your God with all your heart and with all your soul and with all your mind
-
May 31st, 2011, 10:23 AM
#14
I am curious as well. I leave the restore points intact until I am sure, after removing the infection, that the computer will start.
I then remove the restore points. That way, if something I do during removal causes a non-booting Windows, it can be undone.
It does make me start all over again, but at least I haven't lost anything.
-
May 31st, 2011, 11:07 AM
#15
Registered User
In the event an infection is making you worry that you may need to rely on the infected restore points, I'd prefer to go the direction of imaging the drive and doing the removal process with the least likely chance of letting the infection come back. That way, if it goes to being unusable, you can reload the image and start over rather than have a restore point mess up a cleaning that could have completed without fail.
One Script to rule them all.
One Script to find them.
One Script to bring them all,
and clean up after itself.