Cyber Tech Help Support Forums

Cyber Tech Help Support Forums (https://www.cybertechhelp.com/forums/index.php)
-   Malware Removal (https://www.cybertechhelp.com/forums/forumdisplay.php?f=25)
-   -   Win32/Fake Sys Def (https://www.cybertechhelp.com/forums/showthread.php?t=217388)

dmatt November 11th, 2011 04:07 PM

Win32/Fake Sys Def
 
My computer was infected with the Win32 trojan. I ran Microsoft Security Essentials and it showed that it removed and quarantined the files. However, when I click on Start, all my programs/files are not showing. I am not sure if they are completely wiped out or if they are hidden. I have read that the trojan hides files. How do I get these back? I can't access Windows Explorer or the Control Panel or even the Run icon under Start. It's completely empty. This happened a couple of weeks ago. I just turned on the computer again and I am again running Microsoft Security Essentials. It's going through a lot of files so again, they have to be there. The virus had disabled Task Manager and I can't even do Ctrl/Alt/Del.

Mosaic1 November 11th, 2011 06:24 PM

Is this windows xp? Are you able to reboot into Safe Mode command prompt only?
And finally, do you have a flash drive?

dmatt November 11th, 2011 10:11 PM

I can get into safe mode and it is Windows XP. I don't have a flash drive handy but I can get one.

Mosaic1 November 11th, 2011 10:28 PM

Which version of Safe Mode are you currently in and can you run anything?
I wanted you to boot to safe mode command prompt only. Then we could run a tool or two from a flash drive to show your files.

dmatt November 11th, 2011 10:45 PM

I was in regular safe mode and it's still empty. However, if I go to my other user (administrator), I can get into Control Panel. All Programs is still empty but My Documents, My Computer, Control Panel, Set Program Access and Defaults, and Run are available. Not sure if they will help me with my files under my other user name though.

Mosaic1 November 11th, 2011 11:08 PM

Code:

Please download RogueKiller
http://tigzy.geekstogo.com/Tools/RogueKiller.exe
http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe
 
Save it to your Desktop.

Now, close all open programs.

For Vista/Windows 7, right click the file and select: Run as Administrator
For XP, simply double-click RogueKiller.exe

When prompted, type 1 and Press Enter.

An RKreport.txt should appear on your Desktop.

Note: If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your reply.


I just want to see what happens there. And you're correct. We need the path to your user profile's temp folder in order to see if the infection moved the files. I'm about to leave. But if I don't get back tonight, I'll be back tomorrow for a bit.

Mosaic1 November 11th, 2011 11:10 PM

***** Also, under no circumstances should you empty your temp folder. If you do, or already have, some of your shortcuts will be lost.

dmatt November 11th, 2011 11:26 PM

Unfortunately, I can't get on the internet from that computer. I tried going in from the start menu but it says server not found. This sucks.

Mosaic1 November 12th, 2011 03:38 PM

Boot to Safe Mode with Networking. Then see if you can get on the internet. Or download the tool on a working machine, put it on a flash drive or burn it to CD, then take it to the problem system and run it.

dmatt November 12th, 2011 04:46 PM

This is what it says. I have to type it myself from the other computer:

Operating System Windows XP (5.1.2600 service pack 3) 32 bits version. Started in Safe mode with network support.
User: Administrator (Admin rights)
Mode: Scan--Date: 11/12/2011 10:40:34

Bad processes: 0

Registry Entries: 2
(HJPOL) HKLM\[...]\System: disabletaskmg (1) - FOUND
[HJ] HKLM\[...]\Newstartpanel: {20D04FE0-3AEA-1069-A2D8-08002/b30309/d}

Particular Files/Folders: ***
Driver: [Not loaded] ***
Infection: ***
Hosts File ***
127.0.0.1 local host

Finished: <<RKreport [1].txt>>
RKreport [1].txt

dmatt November 12th, 2011 04:52 PM

The report (not the Notepad one) says registry entries found!! Choose mode 2 for deletion. Should I delete?

Mosaic1 November 12th, 2011 04:59 PM

Yes.

dmatt November 12th, 2011 05:00 PM

Ok. What's next?

Mosaic1 November 12th, 2011 05:19 PM

That restriction you removed may not have enabled Task Manager. The reason is that this policy can be set from 2 places. Restart your system, sign into your regular profile and see if Task Manager works.
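The two places Mosaic1 means are the per-user and the machine-wide Explorer policy keys. The following PowerShell script is an added audit example, not code from the thread or from RogueKiller; it assumes the standard `Policies\System` paths and the `DisableTaskMgr` value name, and only clears the value when run with `-Remediate`:

```powershell
# Added example: audit (and optionally clear) the DisableTaskMgr policy in
# both locations Windows honours it. Not part of the thread or of RogueKiller.
param([switch]$Remediate)

# Either key holding DisableTaskMgr = 1 is enough to block Task Manager,
# so clearing only one of them (as RogueKiller's mode 2 may do) can leave it disabled.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)

foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) {
        Write-Output "$key : key absent (policy not set here)"
        continue
    }
    $item = Get-ItemProperty -Path $key -Name 'DisableTaskMgr' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output "$key : DisableTaskMgr not present"
        continue
    }
    Write-Output "$key : DisableTaskMgr = $($item.DisableTaskMgr)"
    if ($Remediate -and $item.DisableTaskMgr -ne 0) {
        # Deleting the value restores the default, i.e. Task Manager allowed.
        Remove-ItemProperty -Path $key -Name 'DisableTaskMgr'
        Write-Output "$key : DisableTaskMgr removed"
    }
}
```

HKCU is the hive of whoever is signed in, so run the script from the affected profile (here the regular user, not the Administrator account used for the scan); the HKLM check needs an elevated session.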

dmatt November 12th, 2011 05:26 PM

Start in safe mode again or normal?



Copyright © Cyber Tech Help. All rights reserved. All other trademarks are the property of their respective owners.