Can hardly believe how much damage this virus did

**lti** · 10-16-2011, 07:24 PM

Re: Can hardly believe how much damage this virus did

Originally posted by Uranium-235

viruses don't have an exception for a FOLDER called autorun.inf, which has to be completly deleted before it can make the file

Not yet...

That could have gone in my list of stupid or retarded things malware writers have done. There was a program that created a folder called autorun.inf on every removable storage device that was currently connected to the computer. I thought that it would be easy to replace that folder with a malicious autorun.inf file.

**c_hegge** · 10-16-2011, 07:39 PM

Re: Can hardly believe how much damage this virus did

If a scan with malwarebytes antimalware doesn't fix it, then I just use a Live CD to back up the user's documents, pictures, music, desktop and email client data to an external HDD and then format the computer and copy it back. If I miss something and they don't have their own back up then it's their problem. They should keep their data in standard locations lioke my documents and they should have their own backup.

**yyonline** · 10-16-2011, 09:16 PM

Re: Can hardly believe how much damage this virus did

Originally posted by c_hegge

If a scan with malwarebytes antimalware doesn't fix it, then I just use a Live CD to back up the user's documents, pictures, music, desktop and email client data to an external HDD and then format the computer and copy it back. If I miss something and they don't have their own back up then it's their problem. They should keep their data in standard locations lioke my documents and they should have their own backup.

I've found that combofix takes care of a lot of difficult to remove malware that malwarebytes can't remove. It sometimes requires multiple passes of combofix to get it all. With antivirus, malwarebytes and combofix I can usually fix about 85% of malware problems. The rest are either reformat or manual removal depending on how many difficult to reinstall programs (missing CDs, license keys, etc) there are and how much the owner wants to pay me for the time.

**kc8adu** · 10-16-2011, 11:19 PM

Re: Can hardly believe how much damage this virus did

i also see a lot of stuff that a reinstall is not an option.specialised stuff where the disks are long gone and mfr bankrupt.so i have to keep in practice.

**Th3_uN1Qu3** · 10-16-2011, 11:49 PM

Re: Can hardly believe how much damage this virus did

Originally posted by ratdude747

and what about the teacher's files? her gradebook may be there, among other things? once you have a lot of important (irreplaceable) files on your computer, you learn that reformatting is often a last resort.

Exactly. Moving all the data back and forth would have been a pain in the behind, especially since i'm not doing very well in the free space department.

**severach** · 10-25-2011, 10:16 AM

Re: Can hardly believe how much damage this virus did

ATTRIB does not unhide folders. Explorer can do it but it's a big hassle. Total Commander can do the whole drive at once including folders. Then I go back through and hide files that should be hidden.

**momaka** · 10-25-2011, 10:25 PM

Re: Can hardly believe how much damage this virus did

WTF! 2 weeks ago, I cleaned a virus from my school laptop that would spread itself on flash drives. Haven't had any problem at all in the 2 weeks that followed. Yesterday I opened my school laptop and plugged in my flash drive to get some files and that motherf***er was back again on my flash drive! I'm starting to suspect my family's computer is the culprit since I didn't have a problem for 2 weeks, but I did use my flash drive yesterday on my family's computer before I used it on my school laptop. Haven't used the flash drive anywhere else either.
Time to disable autorun, I guess. I already did that on my laptop yesterday after cleaning it up. Lets see if it comes up again.
I can see when it's back because it copies a malicious autorun.inf file on my flash drive, along with a hidden folder called "recycler" with a weird-named file in it.
I have hidden files and folders view enabled by default, so I can spot it right away.

**TBoneit** · 10-26-2011, 02:42 PM

Re: Can hardly believe how much damage this virus did

Originally posted by Th3_uN1Qu3

You can still do that in Windows from the cmd prompt.

I had a hunch so i also ran TDSSKiller and indeed i found a rootkit. After removing the rootkit a couple more nasties that ran on startup showed up... This time Avira removed those just fine. And yes i also scanned with Malwarebytes and removed another 10 items including a trojan downloader. The virus (or one of them at least) had also deleted the Windows Update service!

Now it's clean, except that the contents of some folders in the start menu are truly gone (not hidden, deleted). Same goes for the Administrative Tools folder, i wanted to check the Event Viewer because there's still an error sound played on startup, and i want to know what makes it. I'll open it from the command line. I'll prolly have to reinstall a bunch of programs.

Btw, i totally dig the keyboard on this thing. It's nice and clacky.

It's a Toshiba Satellite A200 btw.

If no one has run a temp file cleaner on the computer then go to http://www.bleepingcomputer.com and get a copy of unhide.exe, It typically will unhide all the hidden files that the virus hides and copy back all of the start menu shortcuts that the virus moves to a temp folder to scare the owner that the hard drive is going bad and to pay for the program to save it.

**Th3_uN1Qu3** · 10-26-2011, 10:08 PM

Re: Can hardly believe how much damage this virus did

Noted... However i gave the laptop back 2 weeks ago.

And it wasn't one of those scare programs - it didn't flash any ads or anything.

**lti** · 10-27-2011, 06:10 PM

Re: Can hardly believe how much damage this virus did

Was the virus still active? When I first read the post, it sounded like the executable had been removed already.

**TCKTMB** · 10-31-2011, 10:09 AM

Re: Can hardly believe how much damage this virus did

I've seen this 2X now, the first time on vista and I coppied the important files and format/installed 7. The second time I used combofix and it seemed to do the trick. http://www.bleepingcomputer.com/comb...o-use-combofix

**smason** · 10-31-2011, 08:12 PM

Re: Can hardly believe how much damage this virus did

I wonder sometimes what the virus authors are smoking.
If viruses were better written, a lot of people would be in real trouble.
Often times users wouldn't know they were infected if the system didn't slow down/crash etc.

Can hardly believe how much damage this virus did

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Related Topics