WSB Forum » Open Discussion

(15 posts)

Windows users: This one is ugly and sneaky


  1. http://www.geek.com/articles/news/new-malware-tricks-users-into-thinking-hard-drive-failure-is-imminent-20110520/

    I have repaired three of these so far (on business systems) and each had to be reloaded after the files were located and backed up cleanly. It just drops too many turds in too many places to clean up safely by hand.

    Malwarebytes and others will remove the rogue scareware, but they will NOT repair all the changes made to the registry. The scareware is no longer dangerous or annoying per se after cleanup, but several standard Windows functions no longer work as expected...

    Posted 1 year ago #         
  2. Thank you, Ken. Just emailed it to several of the folks I support in hopes of catching them before this thing does.

    Posted 1 year ago #         
  3. EmmyJane

    Thanks for the heads up Ken. Had I taken the time to read your post thoroughly earlier, I wouldn't have fallen for it tonight. :-(

    Note to everyone else. Follow Ken's link and don't be as stupid as I was. :-)

    Posted 1 year ago #         
  4. EmmyJane

    Alright Ken, am I ever going to find these files on my own, or is it time to call in the professionals (that's you)?

    Posted 1 year ago #         
  5. bump to see if it will reset the "last post by" this time

    Posted 1 year ago #         
  6. biankat

    Grrr. I'm never affected by these malicious things. Unfortunately my work comp was hit with a vengeance on Tuesday. Our IT people 'fixed' the attack, but now all my desktop folders and files are gone, and my IE favorites are nowhere to be seen. I have a request into the IT peeps again, but is there something I can search in the meantime? The geek.com article's suggestion is doing nothing for me.

    Posted 11 months ago #         
  7. I see the step by step with links I had posted here was once again eaten by the spam filter. I could see it for several days but apparently no one else could. I will try to reconstruct it and repost with fewer links later today.

    Posted 11 months ago #         
  8. @biankat: Apparently one of the things this malware does is hide your files by setting the "hidden" attribute to "on". The files are there but not visible.

    Instructions for showing hidden files in Windows XP, Vista, and Windows 7 can be found here:
    http://www.bleepingcomputer.com/tutorials/tutorial62.html#winxp

    There's also an executable called Unhide.exe that you can download and run that will remove the hidden attribute on your files making them visible again.
    http://download.bleepingcomputer.com/grinler/unhide.exe

    There's an extensive cleanup article here:
    http://www.bleepingcomputer.com/virus-removal/remove-windows-recovery

    This site is pretty busy with ads, so please look and read carefully. You usually need to scroll down at least one full page length to see the actual content/instructions. The information itself appears to be accurate and legitimate.

    Hope this helps

    Posted 11 months ago #         
  9. Also, a bit of advice for Windows Users who might have yet to run into this:

    Never click anywhere on a fake AV or rogue to try to close it. Use the back button to get off the website, or use alt F4 to close the browser. It's a good rule of thumb not to reboot when you know that you have become infected. Deal with the infection first.

    Posted 11 months ago #         
  10. Hmm. Two replies and this thread still shows biankat as the last poster.

    Posted 11 months ago #         
  11. Sorry, I just fished the replies out of the spam filter. If you have sent a post with multiple URLs, it not only suspects that is spam, it then thinks subsequent posts are spam. There's a lot of true spam it catches so I won't deactivate it but do flag me fast if you suspect your post has been eaten (as chrisma did). On a slow day I can check the spam filter a few times to look for random casualties but today is not a slow day and I will be writing news furiously until and unless flagged (plus more field coverage). Thanks for your patience AND for helping each other! - Tracy

    Posted 11 months ago #         
  12. Thanks, Tracy!

    Good to know about the multiple links issue. I'll try to limit those in future posts.

    Posted 11 months ago #         
  13. biankat

    Thanks, Chrisma. That's exactly what it did. There's still some squirreliness going on though and I've told my IT guy about your suggestions. And thank you too, Ken :)

    Posted 11 months ago #         
  14. EmmyJane

    Thanks everyone for the help. I'll give it a try tonight. I hope it works because all my precious Emmy pictures are on there.

    Posted 11 months ago #         
  15. Bleeping computer is a reputable site. I was a regular contributor there until I had health problems and cut down on the hours I spent retyping the same fixes over and over. I intend to get back to it but my stress level has been fairly low since I quit trying to help people who I cannot grill to get all the information needed to determine the problem.

    All the locals that call me are not a problem. I usually have the right tools preinstalled on their system and/or can call them on the phone. :)

    The links above in Chrisma's post are good info, especially unhide, which will make docs, music and regular files in each directory visible again.
    It will also unhide some of the files Windows hides by default so a couple of odd looking files will show up on the desktop in some versions.
    If you want to be sure it has them all, boot with an Ubuntu live CD and look at the drive. Linux uses a preceding dot to hide files on its own file system so it ignores anything Windows/NTFS uses to hide files.

    I still have not found any way to fix some of the menu items (core windows files) lost but that seems to be because the method used to create them during install is part of the proprietary links not documented in windows xp/vista/7.

    I know there are programmers here in Seattle area who have enough info to fix this but it is probably not considered cost effective for MS (or any of the employed programmers I know) to pay anyone to kill a system and then dive into the code and create a fix when a reinstall (or a repair install) will do the job.

    Anyone who gets caught by a variant can call me before panicking, any time the sun is up. (I get up early)

    Google voice number: 8010fix -- (206) 801-0349

    Posted 11 months ago #         
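The two posts above (Chrisma's note that the malware hides files by switching on the "hidden" attribute, and Ken's caveat that Unhide.exe also reveals files Windows hides by default) describe a repair that can be done from PowerShell on the affected machine. The script below is an added example for this thread; it is not BleepingComputer's Unhide.exe and not code from anyone posting here. It assumes (the thread does not say this) that the scareware sets only the Hidden flag on the victim's documents, while Windows' own default-hidden items such as desktop.ini and ntuser.dat also carry the System flag, so it skips Hidden+System items by default. It lists what it would change, supports -WhatIf, and logs every path it touches so the cleanup can be reviewed afterwards (or checked against a look at the drive from a live CD, as Ken suggests).

```powershell
# Added example, not from the thread or from BleepingComputer's Unhide.exe.
# Finds files and folders under a user profile that carry the Hidden attribute
# and clears it. Assumption (not stated in the thread): the rogue sets only
# Hidden, while Windows' own default-hidden items are Hidden+System, so those
# are skipped unless -IncludeSystem is given.

function Get-MalwareHiddenItems {
    [CmdletBinding()]
    param(
        [string]$Root = $env:USERPROFILE,   # folder to scan (default: current user's profile)
        [switch]$IncludeSystem              # also report Hidden+System items (Windows' own)
    )
    $hidden = [IO.FileAttributes]::Hidden
    $system = [IO.FileAttributes]::System

    # -Force is required so Get-ChildItem actually returns hidden items.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            (($_.Attributes -band $hidden) -ne 0) -and
            ($IncludeSystem -or (($_.Attributes -band $system) -eq 0))
        }
}

function Restore-HiddenItems {
    # SupportsShouldProcess gives us -WhatIf / -Confirm for a dry run first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Root    = $env:USERPROFILE,
        [string]$LogPath = (Join-Path $env:TEMP 'unhide-log.txt')   # constructed default path
    )
    $items = @(Get-MalwareHiddenItems -Root $Root)
    $changed = 0
    foreach ($item in $items) {
        if ($PSCmdlet.ShouldProcess($item.FullName, 'Clear Hidden attribute')) {
            # Record every path we touch so the change can be reviewed or reverted.
            Add-Content -LiteralPath $LogPath -Value $item.FullName
            # Hidden is known to be set here, so XOR with Hidden clears exactly that bit.
            $item.Attributes = $item.Attributes -bxor [IO.FileAttributes]::Hidden
            $changed++
        }
    }
    "{0} of {1} hidden item(s) restored under {2}; log at {3}" -f $changed, $items.Count, $Root, $LogPath
}

# Review first, then dry-run, then apply:
#   Get-MalwareHiddenItems | Select-Object FullName, Attributes
#   Restore-HiddenItems -WhatIf
#   Restore-HiddenItems
```

Run it in a normal (non-elevated) PowerShell window as the affected user, after the scareware itself has been removed; the first command shows what the malware hid, and nothing changes until the last line. If folders still look empty afterwards, rerun Get-MalwareHiddenItems -IncludeSystem to see whether a Hidden+System item was skipped, and remember (as Ken points out) that this restores visibility only and does not repair registry or menu changes.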

All contents copyright 2012, A Drink of Water and a Story Interactive.