
File hiding virus screwed me over - Help!

gilesruscoe polycounter lvl 10
Last night my PC started getting these "hard disk error" messages, which didn't look very genuine; it was asking me to reboot my system to avoid data loss. I googled this, and it said it was a virus.
The thread I came across said that soon some software would pop up warning me of several fake viruses and would automatically reboot my system, after which it would "delete" all my files (it only hides them to make it seem they are deleted). Upon reboot it then asked me to purchase a copy of this program which would restore my data....
Of course, I'm not an idiot, so I didn't click it... Rebooted in safe mode and got rid of the virus.

BUT

Since that has happened, a few of my programs won't boot up. Photoshop is receiving an error saying "an unexpected and unrecoverable problem has occurred. Photoshop will now exit." followed by a runtime error.

Mudbox simply stops responding as soon as the loading screen appears.

All of these programs worked before... anybody who has had a similar experience or could give me some tips would be very helpful.

Ta.

Replies

  • D4V1DC
    D4V1DC polycounter lvl 18
    Stop Antivirus Protection processes:
    [random].exe

    Remove Antivirus Protection Registry Entries:
    HKEY_CURRENT_USER\Software\[random]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = "0"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "127.0.0.1:33554"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"

    Remove Antivirus Protection files:
    %Temp%\[random]\
    %Temp%\[random]\[random].exe
    Auto Removal

    /\ This is what happened to me and I deleted it all myself. Cancel it and hit Ctrl+Alt+Delete repeatedly till your computer lags enough that you can actually get into the task manager and kill it. What's happening to you is what happened to me and I figured it out this way; not the most intelligent, but I can't get into safe mode on this machine. That's good news for you since you can, so go into safe mode and look for those files. I didn't find many or any of those files but did find the nasty [random.exe]; mine started with db9802.exe, random numbers.

    How I found out about it and knew it was the one doing the above: I got the numbers and searched for those on my machine. You have to get rid of it all or it will automatically regenerate with a different name every reboot.

    Also use NoScript/NOTScript...
    And use firefox/google chrome and delete/remove Internet explorer or block It from the net.
  • Lamont
  • BeatKitano
    BeatKitano polycounter lvl 16
    I've no antivirus whatsoever. The last (and first, but I'm responsible, I was foolish enough to bypass Google's warning message about the site I was visiting!) time I got something evil inside my comp was a few months ago, pctools2011, and it's rogueware. What I've learned by studying various known virus/worm code is that for most of them the integration pattern is predictable and so removal is easy.

    Basically what I do is reuse $!nz paths in regedit:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "suspect exe here" < delete, or back up if unsure and then delete

    then

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "suspect exe here" < delete, or back up if unsure and then delete

    IF you have not restarted after you got infected (and that's why when you see something weird it's recommended to NOT REBOOT):

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce and
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

    Delete any suspect entry in there, or back up if unsure and then delete. This will avoid further integration of the malware into the system (like integrating a service at startup, for instance).

    When you've done that, bring up the task manager, if you can. If you can't, start>execute>cmd
    and in the command prompt type tasklist.
    Now identify any suspect application and kill it (in the command prompt type taskkill /? to get the proper syntax if you don't know how to do it). If the evil exe comes back, then you have a service running that restarts the malware. In that case start>execute>services.msc and stop the service responsible.

    If you get the right one you should now be able to kill the malware's exe.


    When all that is done, delete the files linked in the registry paths. You should now regain control (again this is not guaranteed, but it works with 90% of what you often encounter on the net).
    And start a scan with antivirus software and malware scanner to ensure complete removal.

    That's how I did it with pctools2011 malware.

    But then again I know this is a basic technique and completely useless with more advanced crap like rootkits or code injection.
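    A read-only check of the locations the two replies above walk through (the Run/RunOnce keys, anything running out of %Temp%, and the IE/proxy values listed in the first reply), added here as an example and not code from the thread. It assumes Windows PowerShell and changes nothing; it only prints what is there so you can decide what to back up or delete.

```powershell
# Added example, not from the thread. Read-only: lists autostart values in the
# Run/RunOnce keys named above, flags any that launch from %Temp%, lists running
# processes whose image sits under %Temp%, and prints the IE/proxy values the
# rogueware was reported to set. Review the output before deleting anything.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$tempDir = [regex]::Escape([System.IO.Path]::GetFullPath($env:TEMP))
$psProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

"== Autostart entries =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $psProps) { continue }          # provider metadata, not values
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        $flag = if ($cmd -match $tempDir) { '[TEMP]' } else { '      ' }
        "$flag $key\$($p.Name) = $($p.Value)"
    }
}

"== Processes running from %Temp% =="
foreach ($proc in Get-Process) {
    try { $path = $proc.Path } catch { continue }       # access denied on some processes
    if ($path -and $path -match $tempDir) { "{0,6} {1}" -f $proc.Id, $path }
}

"== IE / proxy settings listed in the first reply =="
$checks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
       Names = 'ProxyEnable', 'ProxyServer', 'ProxyOverride' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Download'
       Names = 'RunInvalidSignatures', 'CheckExeSignatures' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter'; Names = 'Enabled' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'
       Names = 'LowRiskFileTypes' }
)
foreach ($c in $checks) {
    foreach ($n in $c.Names) {
        $v = (Get-ItemProperty -Path $c.Key -Name $n -ErrorAction SilentlyContinue).$n
        if ($null -eq $v) { continue }                   # value absent: nothing to report
        $note = if ($n -eq 'ProxyServer' -and $v -match '^127\.0\.0\.1') { '  <- loopback proxy, as in the entries above' } else { '' }
        "$($c.Key)\$n = $v$note"
    }
}
```

    Run it from an elevated prompt so the HKLM keys and more process paths are readable; a normal user session still covers the HKCU entries the thread is mostly about.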
  • gilesruscoe
    gilesruscoe polycounter lvl 10
    Thanks for the replies guys. I got it all cleared up now.
    It had relocated a load of my files into random places which needed to get moved back. It also disabled "view hidden files", which I fixed by adding a new Hkey, then I unhid all the files on my user. Programs working as normal again!