#1, November 11th, 2011, 04:07 PM
dmatt, Member (Join Date: Nov 2011, Posts: 79)
Win32/Fake Sys Def

My computer was infected with the Win32 trojan. I ran Microsoft Security Essentials and it showed that it removed and quarantined the files. However, when I click on Start, all my programs/files are not showing. I am not sure if they are completely wiped out or if they are hidden. I have read that the trojan hides files. How do I get these back? I can't access Windows Explorer or the Control Panel or even the Run icon under Start. It's completely empty. This happened a couple of weeks ago. I just turned on the computer again and I am again running Microsoft Security Essentials. It's going through a lot of files so again, they have to be there. The virus had disabled Task Manager and I can't even do Ctrl/Alt/Del.

#2, November 11th, 2011, 06:24 PM
Mosaic1, Malware Removal Team Advisor (Join Date: Jun 2001, Posts: 4,783)
Is this Windows XP? Are you able to reboot into Safe Mode command prompt only?
And finally, do you have a flash drive?

#3, November 11th, 2011, 10:11 PM
dmatt, Member (Join Date: Nov 2011, Posts: 79)
I can get into safe mode and it is Windows XP. I don't have a flash drive handy but I can get one.

#4, November 11th, 2011, 10:28 PM
Mosaic1, Malware Removal Team Advisor (Join Date: Jun 2001, Posts: 4,783)
Which version of Safe Mode are you currently in, and can you run anything?
I wanted you to boot to safe mode command prompt only. Then we could run a tool or two from a flash drive to show your files.

#5, November 11th, 2011, 10:45 PM
dmatt, Member (Join Date: Nov 2011, Posts: 79)
I was in regular safe mode and it's still empty. However, if I go to my other user (administrator), I can get into Control Panel. All Programs is still empty but My Documents, My Computer, Control Panel, Set Program Access and Defaults, and Run are available. Not sure if they will help me with my files under my other user name though.

#6, November 11th, 2011, 11:08 PM
Mosaic1, Malware Removal Team Advisor (Join Date: Jun 2001, Posts: 4,783)
Code:
Please download RogueKiller
http://tigzy.geekstogo.com/Tools/RogueKiller.exe 
http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe
 
Save it to your Desktop.

Now, close all open programs.

For Vista/Windows 7, right click the file and select: Run as Administrator
For XP, simply double-click RogueKiller.exe 

When prompted, type 1 and Press Enter.

An RKreport.txt should appear on your Desktop.

Note: If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe 

Please post the contents of the RKreport.txt in your reply.

I just want to see what happens there. And you're correct. We need the path to your user profile's temp folder in order to see if the infection moved the files. I'm about to leave. But if I don't get back tonight, I'll be back tomorrow for a bit.

#7, November 11th, 2011, 11:10 PM
Mosaic1, Malware Removal Team Advisor (Join Date: Jun 2001, Posts: 4,783)
***** Also, under no circumstances should you empty your temp folder. If you do, or already have, some of your shortcuts will be lost.

#8, November 11th, 2011, 11:26 PM
dmatt, Member (Join Date: Nov 2011, Posts: 79)
Unfortunately, I can't get on the internet from that computer. I tried going in from the start menu but it says server not found. This sucks.

#9, November 12th, 2011, 03:38 PM
Mosaic1, Malware Removal Team Advisor (Join Date: Jun 2001, Posts: 4,783)
Boot to Safe Mode with Networking. Then see if you can get on the internet. Or download the tool on a working machine, get a flash drive or burn it to CD, then take it to the problem system and run it.

Last edited by Mosaic1; November 12th, 2011 at 03:41 PM.

#10, November 12th, 2011, 04:46 PM
dmatt, Member (Join Date: Nov 2011, Posts: 79)
This is what it says. I have to type it myself from the other computer:

Operating System Windows XP (5.1.2600 service pack 3) 32 bits version. Started in Safe mode with network support.
User: Administrator (Admin rights)
Mode: Scan--Date: 11/12/2011 10:40:34

Bad processes: 0

Registry Entries: 2
(HJPOL) HKLM\[...]\System: disabletaskmg (1) - FOUND
[HJ] HKLM\[...]\Newstartpanel: {20D04FE0-3AEA-1069-A2D8-08002/b30309/d}

Particular Files/Folders: ***
Driver: [Not loaded] ***
Infection: ***
Hosts File ***
127.0.0.1 local host

Finished: <<RKreport [1].txt>>
RKreport [1].txt

#11, November 12th, 2011, 04:52 PM
dmatt, Member (Join Date: Nov 2011, Posts: 79)
The report (not the Notepad one) says registry entries found!! Choose mode 2 for deletion. Should I delete?

#12, November 12th, 2011, 04:59 PM
Mosaic1, Malware Removal Team Advisor (Join Date: Jun 2001, Posts: 4,783)
Yes.

#13, November 12th, 2011, 05:00 PM
dmatt, Member (Join Date: Nov 2011, Posts: 79)
Ok. What's next?

#14, November 12th, 2011, 05:19 PM
Mosaic1, Malware Removal Team Advisor (Join Date: Jun 2001, Posts: 4,783)
That restriction you removed may not have enabled Task Manager. The reason is that this policy can be set from 2 places. Restart your system, sign into your regular profile and see if Task Manager works.

#15, November 12th, 2011, 05:26 PM
dmatt, Member (Join Date: Nov 2011, Posts: 79)
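The "2 places" Mosaic1 refers to are the machine-wide and per-user Policies\System keys; the RogueKiller report above only showed the HKLM one. The following is an added example, not from the thread or from RogueKiller, that reports the DisableTaskMgr value in both hives and removes it only where it is present. It assumes the standard Policies\System paths (the report elided the middle of the path) and that it is run from the affected user profile, since HKCU is that user's hive.

```powershell
# Added example (not from the thread). The Task Manager restriction can be set
# under HKLM (all users) or HKCU (the logged-on user), so check both.
$policyPaths = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)

function Get-TaskMgrPolicy {
    # Return one row per hive with the current DisableTaskMgr value ($null = not set)
    foreach ($path in $policyPaths) {
        $value = $null
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).DisableTaskMgr
        }
        [pscustomobject]@{
            Hive           = $path.Split(':')[0]
            DisableTaskMgr = $value
        }
    }
}

function Remove-TaskMgrPolicy {
    # Delete the value from whichever hive still carries it; a value of 1 is
    # what keeps Task Manager disabled after a cleanup that only touched HKLM.
    foreach ($path in $policyPaths) {
        if ((Test-Path $path) -and
            ($null -ne (Get-ItemProperty -Path $path).DisableTaskMgr)) {
            Remove-ItemProperty -Path $path -Name DisableTaskMgr
            Write-Host "Removed DisableTaskMgr from $path"
        }
    }
}

# Report first, then clear. Run this from the profile that cannot open Task
# Manager, because HKCU belongs to the signed-in user.
Get-TaskMgrPolicy | Format-Table -AutoSize
Remove-TaskMgrPolicy
Get-TaskMgrPolicy | Format-Table -AutoSize
```

A value of 1 under either hive explains a Task Manager that stays disabled after the HKLM entry was cleared; a Group Policy-managed machine may reapply it at next refresh, which is a separate cause worth ruling out.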
Start in safe mode again or normal?