Important info about fake malware tool

Hammyman

I've just had a laptop come in. It is the first one I've had my hands on with this particular fake security tool.

This is the one where it pops up all kinds of warnings, you find you cannot access any of your files and all the entries in the start menu goes missing. When you fire up Windows Explorer, your hard drive seems completely empty.

Now looking on the interweb, the sites I've seen claim that this software relocates all the files so you can't find them. THIS IS NOT TRUE.

IT SETS ALL FILES TO HIDDEN

On XP...
Start the computer in Safe Mode. Click on Start, My Computer. Click on the C drive. Next click on the Tools menu and select Folder Options. In the next window click on the View tab and then select "Show Hidden files and folders" then click on Apply, OK and close the dialogues and ET VOILA - you'll see all the files and folders in faded icons. Now click on C, select all the files and folders, right click and select properties. Untick the "Hidden" box at the bottom then apply and OK. You've now changed them back from hidden so you'll now see all the start menu entries again, your desktop icons, all your files and folders and all your desktop shortcuts.

You'll still need to remove the malware though however at least you know where your files have gone - NOWHERE. :D

Hope that helps.

sillygoose

I dealt with a PC with that one on, little blighter even knobbled ctrl-alt-del so you couldn't task manager to stop any processes. Some anti-malware wouldn't even detect it or it shutdown the PC before the scan got far enough.

but combofix kicked its butt enough to get control back and start cleaning up.

The_Grandmaster

Regarding unhide.exe (I think it's called) on bleeping computers - does it do the steps outlined above?

GunJack

The_Grandmaster wrote: »

Regarding unhide.exe (I think it's called) on bleeping computers - does it do the steps outlined above?

it just does what it says on the tin

The_Grandmaster

Was just wondering if it could be done as a first step before running malwarebytes and hijackthis etcetera...

GunJack

The_Grandmaster wrote: »

Was just wondering if it could be done as a first step before running malwarebytes and hijackthis etcetera...

which, unhide.exe or the manual method?? you could do either, alongside rkill, as first steps. Really depends if you want to see rhe files before you clean,

RussJK

First one I saw like this was in March, a fake HDD program. Came bundled with TDSS, but hadn't been rootkitted yet.

23/03/2011 14:00:30
mbam-log-2011-03-23 (14-00-30).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 323040
Time elapsed: 1 hour(s), 57 minute(s), 43 second(s)
Memory Processes Infected: 2
Memory Modules Infected: 2
Registry Keys Infected: 123
Registry Values Infected: 6
Registry Data Items Infected: 0
Folders Infected: 25
Files Infected: 49

c:\programdata\33021704.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
c:\Users\Test\AppData\Local\Temp\tmpAFBF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Users\Test\AppData\Local\Temp\Low\ba9ff1f5.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\Users\Test\AppData\Local\Temp\Low\f25cd6e7.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\Users\Test\downloads\quicktime_update_kb246532.exe (Adware.PlayMP3) -> Quarantined and deleted successfully.
c:\Users\Test\downloads\xvidsetup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.


Loads of Questbrowse, ShoppersReport, and ClickPotato entries as well.

Definitely a case of the person having a slow computer for months, until the obvious infection came and Malwarebytes got most of it clear.

debitcardmayhem

I seem to remember posting attrib -H /S a couple of weeks ago as an alternative

spud17

debitcardmayhem wrote: »

I seem to remember posting attrib -H /S a couple of weeks ago as an alternative

And got a bit of grief for your (correct IIRC) diagnosis.

debitcardmayhem

spud17 wrote: »

And got a bit of grief for your (correct IIRC) diagnosis.

Must have been a weekend or an evening then Spud