I have a question about virus and files

atlasmike

I got an HP p2-1334 with Windows 8. I picked it up from a customer. As I was at their house I looked at the performance. The CPU was pegged to the max, making it impossible to really do anything on the PC. So I took it and pulled the HDD and scanned it externally from my workhorse box. It found one Trojan. I in turn got rid of it, or so I thought. I put the HDD back into the original computer. Runs fine till I plug it into a network cable. Back to running slow. So I suck it up and run MBAM even though the machine is pegged at 100%. After an all-night scan, it found 41 of the same Trojans: Trojan.chrome.INJ. So after I got rid of these, it started running fine, and I was able to start the update process to get to 8.1. Well, I notice that all the files he had on his desktop are gone now. Do virus infections delete docs and photos? Do they infect these types of files? I backed up these files to my external HDD, but when I plugged it back into my workhorse, my viper grabbed the same Trojan, and the files on my HDD that I had backed up are gone as well. I have done many virus removals, but this one takes the cake on lost data. Now I have to break the news to them that their files are gone. I tried two Recuva attempts but only got junk files. When I took possession of the PC, Windows wasn't updated at all, their AV was out of date and they were saving all their files on the desktop. I will have to tell them they need an external HDD to safely save their business files and pictures and teach them that updating their AV is of the utmost importance. But is it possible for a virus to take all these files with it when it gets removed?
 
I would have started with an updated KRD scan as well as other bootable rootkit detector enabled tools. Sounds like there may be a kit in the MBR.
 
Sounds like a rootkit to me. I would check for a very small partition on the hard drive possibly holding this rootkit. Why I say that is because after detecting and removing Trojans they automagically come back after connecting to the internet. I would run something like the Malwarebytes rootkit program or RogueKiller to see what they turn up. I would also hook the drive up to a Linux box and run "Disks" and look at all the partitions.

Concerning the lost files on the desktop, it could be something like a Trojan that creates a fake desktop. Or perhaps the settings for the desktop have been changed to hide all files or just some.

Since viruses in general are just code, the creator of the infection can have it do anything they want. So, sure, I suppose it's possible.

Depending on how much time and effort you are putting into this I would consider a nuke and pave. It's the customer's fault that they decided to not take security seriously, not invest in good AV software and also not keep up on their updates. Charge accordingly.

coffee
 
Runs fine till I plug it into a network cable. Back to running slow. So I suck it up and run MBAM even though the machine is pegged at 100%. After an all-night scan, it found 41 of the same Trojans.

I think you need to fine-tune your virus cleaning process. If you see that putting in the network cable makes it slow, update MBAM, remove the cable, reboot and see if it's normal. If it stays normal LEAVE THE NETWORK CABLE OUT until after you are done scanning. No point in having MBAM compete with the infection, which will generate a ton of heat, beat the heck out of the hard drive and slow the process down to a crawl. You also risk data loss (which may have happened here) if the HD was flaky to begin with.

Also, when you think a machine is running a virus that's pegging the machine to 100% you always try to kill the active tasks with something like RKill, KillEmAll or manually hunting via Autoruns, Process Explorer, etc. before going into your virus cleaning process stream.

No point leaving the machine to try to cleanup viruses when active live infections are taking over the whole machine. You have to try to get the machine somewhat stable and then run long scans like an MBAM full.

Did you run any quick killers before the long MBAM like JRT, RogueKiller, TDSSKiller, AdwCleaner? I would always try to run an assortment of quick killers in safe mode and then reboot to see what's still running and then maybe run a few more.

I don't think the virus would have taken all the files off the desktop during the cleanup. Either the cleanup did it OR you have some kind of corrupt profile, policy setting, etc. Did you check MBAM's quarantine folder for missing files? Did you do some basic checks like seeing if "show desktop icons" didn't get flipped to off? Did you try something like Tweaking.com AIO for some repairs that might make sense in this case?

Too many things to check, but I would not just assume the virus itself removed the icons.
 
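The post above lists the cheap checks to make before concluding that malware deleted a user's desktop files: the "show desktop icons" setting, a tampered profile or policy, and the quarantine folder. The script below is an added example (it is not code from this thread or from any of the tools named in it) that automates the first two of those and a third common one, files on the Desktop that have simply been given the Hidden or System attribute. It reads the real Explorer registry values `HideIcons`, `Hidden` and `ShowSuperHidden` under `Explorer\Advanced` and the `Desktop` entry under `User Shell Folders`; the `-Restore` switch and the `$UserProfile` default are this example's own choices, and it assumes it is run inside the affected user's session.

```powershell
<#
 Added example, not from the thread: checks three non-destructive explanations
 for a "vanished" desktop before anyone treats the files as lost.
 Run in the affected user's Windows session. Reports only unless -Restore is given.
#>
param(
    [switch]$Restore,
    [string]$UserProfile = $env:USERPROFILE   # assumed: the affected user's profile
)

$advancedKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$shellFolderKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

# 1. "Show desktop icons" toggled off: HideIcons = 1 hides every icon on the desktop.
$adv = Get-ItemProperty -Path $advancedKey -ErrorAction SilentlyContinue
if ($adv -and $adv.HideIcons -eq 1) {
    Write-Warning 'HideIcons=1: Explorer is hiding all desktop icons.'
    if ($Restore) { Set-ItemProperty -Path $advancedKey -Name HideIcons -Value 0 }
}
# Hidden=2 means "do not show hidden files"; ShowSuperHidden=0 hides protected system files.
if ($adv -and ($adv.Hidden -ne 1 -or $adv.ShowSuperHidden -ne 1)) {
    Write-Host "Explorer is not showing hidden/system files (Hidden=$($adv.Hidden), ShowSuperHidden=$($adv.ShowSuperHidden))."
}

# 2. Desktop folder redirected away from %USERPROFILE%\Desktop (a "fake desktop").
$expected = Join-Path $UserProfile 'Desktop'
$sf = Get-ItemProperty -Path $shellFolderKey -ErrorAction SilentlyContinue
$desktopPath = if ($sf -and $sf.Desktop) {
    [Environment]::ExpandEnvironmentVariables($sf.Desktop)
} else { $expected }
if ($desktopPath -ne $expected) {
    Write-Warning "Desktop is redirected to '$desktopPath' (expected '$expected')."
    if ($Restore) {
        # Write it back as REG_EXPAND_SZ so the variable still expands per user.
        Set-ItemProperty -Path $shellFolderKey -Name Desktop -Value '%USERPROFILE%\Desktop' -Type ExpandString
    }
}

# 3. Files on the desktop carrying Hidden/System attributes (desktop.ini legitimately has both).
$hiddenMask  = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
$hiddenFiles = Get-ChildItem -LiteralPath $desktopPath -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -ne 'desktop.ini' -and (($_.Attributes -band $hiddenMask) -ne 0) }

if ($hiddenFiles) {
    Write-Host "$($hiddenFiles.Count) hidden/system item(s) on the desktop:"
    $hiddenFiles | Format-Table Name, Attributes, Length -AutoSize
    if ($Restore) {
        foreach ($f in $hiddenFiles) {
            # Clear only Hidden and System; leave Archive, ReadOnly etc. untouched.
            $f.Attributes = [IO.FileAttributes]([int]$f.Attributes -band (-bnot [int]$hiddenMask))
        }
        Write-Host 'Attributes cleared. Log off and on (or restart explorer.exe) to refresh the desktop.'
    }
} else {
    Write-Host "No hidden items under '$desktopPath'. Check the scanner's quarantine next before treating the files as lost."
}
```

Run it once without `-Restore` and read the output before changing anything; if the Desktop turns out to be redirected to a folder that still holds the documents, a plain copy from that folder is all the "recovery" that is needed, and nothing a file carver like Recuva finds will be better than the originals.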
Thanks for all your input, guys. There are many things you have posted that I can do. After I removed the virus the desktop was gone and the tiles were gone. I had to nuke and pave. I turned it into glass. This is what happens when you never let Windows update because you are afraid of getting a virus. When I dropped off the computer, I set them up with a Gmail app, set up automatic updates, updated their AV and they had the files I lost on a thumb drive at home. Lucky me. Lol.
 
In the future, note that generally the files are hidden or moved. Also, an image backup would have saved the current state beforehand.
 
Maybe you did and maybe you didn't..... :p
Time constraints told me I had to. I always like the challenge of removing malware without a wipe. But time wasn't on my side. I do need to come up with a malware removal system written in stone to follow.
 
First thing I always do in those situations is to scan with VBA32 Rescue; it picks up more rootkits and spyware than any bootable AV out there.
If it's speed: RogueKiller, AdwCleaner, JRT, then MBAM and Autoruns for final cleanup.
 
I do need to come up with a malware removal system written in stone to follow.

If only 2 or 3 antivirus products removed everything, and the coding 'evil-doers' repented, and stopped making new OS exploits!

(Until then, nuke and pave will still be sometimes required, and, is certainly safer)
 
Atlasmike
I have to agree with you that you need a systematic way of handling a virus.
Cleaning a computer and returning it to the client with everything intact will set you apart from both the large and small outfits that use a N&P as an easy solution.
You should also have a signed agreement/contract that states that data backup is the responsibility of the owner and any computer repair may entail data loss.

This is the basic approach that I take to virus infections.

Here are my steps:

Remove the passwords.

Image the drive.

If at all possible get running in normal mode with killemall or msconfig diagnostic startup. If that won't work, I look for a good restore point to start from. Remember that most tools expect to run in normal mode. If I can't get there, I boot with DrWeb LiveDisk and let it do its Kaзaчoк dance.

Turn off Windows update. (So it doesn't try to install updates while I am doing other things.)

Remove all junk and temp files and all but the last three restore points (no sense in scanning those).

Set a restore point.

Temporarily add some RAM to speed my next processes (based on this, I might suggest to the client a RAM upgrade as an up-sell. I have never had them refuse that)

MBAR. I have dumped TDSSkiller, at the suggestion of users from here, in favor of MBAR from malwarebytes.

MBAM.

Hitman Pro

AdwCleaner (replacement for SAS, I don't know if it is technically any better, I just like the interface :P)

JRT

At this time I get out of diagnostic mode and use Autoruns to look for anything I can disable on startup. As an aside, lately I have been leaving Java update and Flash update in the autoruns because of all the spoof websites that suggest downloading an update.

Check that necessary processes are running and I use D7's tools to reset and repair services.

Now that the virus removal portion is done, I move to the tuneup.

WSUS offline update.

Turn on windows update.

PatchMyPC to update all the software and add anything they should have such as TeamViewer (the remote program I use).

Update and scan with whatever antivirus they are using.

Remove the RAM I temporarily installed.

Call the client and make suggestions for changes and upgrades, e.g. change antivirus, add MBAM Pro, add RAM, upgrade HDD, retire this computer and get a new one: "I will be happy to migrate all your important documents and files to the new computer".
 
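The procedure above is a checklist of hand-run tools, but a few of its steps (image/snapshot before touching anything, keep Windows Update out of the way while the scanners run, then look at what is set to start with the machine, then put Windows Update back) are repeatable enough to script so they happen the same way on every job. The script below is an added example written for this thread, not code from the poster or from any of the tools named; it targets Windows PowerShell 5.1 run as Administrator. The service name `wuauserv`, the `Checkpoint-Computer` cmdlet and the Run/RunOnce keys and Startup folders are real; the `-Phase` switch, the state file under `ProgramData` and the "suspicious path" heuristic are this example's own assumptions.

```powershell
<#
 Added example, not from the post above: scriptable companion for three steps of
 the procedure (restore point, pause Windows Update, quick autorun review) and
 the matching "turn Windows Update back on" step at the end.
 Windows PowerShell 5.1, run as Administrator.
 Usage:  .\cleanup-prep.ps1 -Phase Start    # before the scanners run
         .\cleanup-prep.ps1 -Phase Finish   # after WSUS Offline, before handing back
#>
param(
    [Parameter(Mandatory)][ValidateSet('Start', 'Finish')][string]$Phase
)

$stateFile = Join-Path $env:ProgramData 'cleanup-prep-wuauserv.txt'  # assumed location

function New-CleanupRestorePoint {
    # Requires System Protection to be enabled on the system drive. Windows only
    # allows one restore point per 24 h by default, so run this before the junk cleanup.
    Checkpoint-Computer -Description 'Before malware removal' -RestorePointType MODIFY_SETTINGS
}

function Disable-WindowsUpdateTemporarily {
    # Record the original start mode so Finish can restore exactly what was there.
    $svc = Get-CimInstance Win32_Service -Filter "Name='wuauserv'"
    Set-Content -Path $stateFile -Value $svc.StartMode
    Stop-Service -Name wuauserv -Force -ErrorAction SilentlyContinue
    Set-Service -Name wuauserv -StartupType Disabled
}

function Restore-WindowsUpdate {
    $mode = if (Test-Path $stateFile) { (Get-Content $stateFile -First 1).Trim() } else { 'Manual' }
    # Win32_Service reports Auto/Manual/Disabled; Set-Service wants Automatic/Manual.
    $startup = switch ($mode) { 'Auto' { 'Automatic' } default { 'Manual' } }
    Set-Service -Name wuauserv -StartupType $startup
    Start-Service -Name wuauserv -ErrorAction SilentlyContinue
    Remove-Item $stateFile -ErrorAction SilentlyContinue
}

function Get-AutorunEntries {
    # Registry Run keys plus the two Startup folders. Entries launching from temp
    # or per-user data paths get flagged for a closer look in Autoruns; the flag is
    # a hint, not a verdict.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata (PSPath etc.)
            [pscustomobject]@{
                Location   = $k
                Name       = $p.Name
                Command    = $p.Value
                Suspicious = [bool]($p.Value -match '\\Temp\\|\\AppData\\|\\ProgramData\\')
            }
        }
    }
    $folders = @(
        (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
        (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
    )
    foreach ($f in $folders) {
        Get-ChildItem -LiteralPath $f -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Location = $f; Name = $_.Name; Command = $_.FullName; Suspicious = $false }
        }
    }
}

switch ($Phase) {
    'Start' {
        New-CleanupRestorePoint
        Disable-WindowsUpdateTemporarily
        Get-AutorunEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
    }
    'Finish' { Restore-WindowsUpdate }
}
```

The autorun listing is deliberately shallow (no services, drivers, scheduled tasks or WMI subscriptions), which is exactly why the procedure still ends with Autoruns; its value is that it is printed before the first scanner runs, so you have a record of what was set to start on the box as it arrived, to compare with the post-cleanup state.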

++Rep, excellent process. Especially like that last part about upselling to the client and making recommendations for software and hardware if needed.
 
Atlasmike
I have to agree with you that you need a systematic way of handling a virus.
Cleaning a computer and returning it to the client with everything intact will set you apart from both the large and small outfits that use a N&P as an easy solution.
You should also have a signed agreement/contract that states that data backup is the responsibility of the owner and any computer repair may entail data loss.
+1
OP mentioned time constraints. Were they yours or theirs? Does the client know how long it will take them to get everything back in working order, even with a backup of their files on a flash drive?
For most people, especially business customers, the data and setup are more valuable than the hardware. I've had clients live with a slower machine rather than upgrade because they didn't want to risk losing their configuration. It's sometimes a tough sell to show them we can do it.
 
I printed this out.
 
+1
OP mentioned time constraints. Were they yours or theirs? Does the client know how long it will take them to get everything back in working order, even with a backup of their files on a flash drive?
For most people, especially business customers, the data and setup are more valuable than the hardware. I've had clients live with a slower machine rather than upgrade because they didn't want to risk losing their configuration. It's sometimes a tough sell to show them we can do it.
They were mine. But all is well now. They had the info backed up and it was a simple copy and paste.
 