Malware question

silverbear

I got a call from my friend Angie this morning; she asked me to come up and take a look at her PC for her. It looks like she picked up a piece of malware earlier today or last night: when she logs on, a program called System Restore starts and automatically scans the PC, showing all kinds of errors it allegedly found... however, when she runs her Norton Internet Security, it finds no major problems...

Now, here's where it gets weird: all of her programs in the start menu have disappeared, and all of her icons on the desktop are gone too... I mean, when you click on Programs, the list says "Empty"...

I think the problem is an .exe file titled nxdmOFRWTny.exe; do any of y'all know anything about it??

One added piece of input-- when we go in on her husband's profile, the Internet Explorer icon is on the desktop, and the program works... however, that is the only program accessible, the Programs list also reads Empty...

Thanks in advance...
 

Jenky

silverbear;4206839 said:
I got a call from my friend Angie this morning; she asked me to come up and take a look at her PC for her. It looks like she picked up a piece of malware earlier today or last night: when she logs on, a program called System Restore starts and automatically scans the PC, showing all kinds of errors it allegedly found... however, when she runs her Norton Internet Security, it finds no major problems...

Now, here's where it gets weird: all of her programs in the start menu have disappeared, and all of her icons on the desktop are gone too... I mean, when you click on Programs, the list says "Empty"...

I think the problem is an .exe file titled nxdmOFRWTny.exe; do any of y'all know anything about it??

One added piece of input-- when we go in on her husband's profile, the Internet Explorer icon is on the desktop, and the program works... however, that is the only program accessible, the Programs list also reads Empty...

Thanks in advance...


I need to know exactly what the malware is called. The program you are mentioning is fake.

Install Malwarebytes. Turn off System Restore, scan it with Malwarebytes, clear the infection, then turn System Restore on again.

Your start menu programs have been moved to here, I *think*. This is for XP; the file structure is different for Vista/7.
Check this spot first to see if they are indeed here, 'cause I may have run into this infection before.

(XP)- C:\Documents and Settings\Username\Local Settings\Temp
In my case there were three numbered folders inside C:\Documents and Settings\Username\Local Settings\Temp\smtmp folder. The folders were numbered 1, 2 and 4.

Inside the 1 folder was a folder named "Programs." This folder should be copied / pasted (using XP) to C:\Documents and Settings\All Users\Start Menu, which will already have a folder named Programs, but it is safe to overwrite it since Windows will merge the subfolders without creating duplicates.

Inside the 2 folder (for me) were the quick launch items specific for the user. Select ALL of these shortcuts and copy / paste to (using XP) C:\Documents and Settings\Username\Application Data\Microsoft\Internet Explorer\Quick Launch.

Inside the 4 folder were the desktop items that should be copied to C:\Documents and Settings\All Users\Desktop.

Also, what operating system? And go to Folder Options, click the View tab, and check the box that says "SHOW HIDDEN FILES AND FOLDERS."

I can assure you that all of your programs are still there and installed. If you go to the root directory and click on Program Files, you will see them. If you find an .exe for one of the programs, click it and it should still launch.

AND YES, I know, I'm all over the place with this lol.
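The copy-back procedure Jenky describes (smtmp\1 to the All Users Start Menu, smtmp\2 to the user's Quick Launch, smtmp\4 to the All Users Desktop), written up as an added example script that is not from anyone in this thread. It assumes the XP paths above, defaults to a dry run that only lists what it would restore, and merges files into the existing folders rather than duplicating them.

```python
"""Restore shortcuts that a rogue "System Restore" style fake AV moved into
%TEMP%\\smtmp (numbered subfolders 1, 2, 4). Added example, not the thread's
own code; XP paths below are assumptions taken from the post above."""
import os
import shutil
from pathlib import Path


def default_targets(user: str) -> dict:
    """smtmp subfolder -> where its contents belong (Windows XP layout)."""
    docs = Path(r"C:\Documents and Settings")
    return {
        "1": docs / "All Users" / "Start Menu",  # holds the "Programs" folder
        "2": docs / user / "Application Data" / "Microsoft"
             / "Internet Explorer" / "Quick Launch",
        "4": docs / "All Users" / "Desktop",
    }


def merge_copy(src: Path, dst: Path, dry_run: bool = False) -> list:
    """Copy every file under src to the same relative spot under dst.
    Subfolders are created as needed and same-named files overwritten, so an
    existing Programs folder is merged, not duplicated. Returns the relative
    paths copied (or that would be copied when dry_run is True)."""
    copied = []
    for path in sorted(src.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(src)
        if not dry_run:
            (dst / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, dst / rel)
        copied.append(str(rel))
    return copied


def restore_smtmp(smtmp: Path, targets: dict, dry_run: bool = False) -> dict:
    """Restore each numbered smtmp subfolder that exists; skip the rest.
    Returns {subfolder number: [relative files copied]}."""
    result = {}
    for number, dest in targets.items():
        src = smtmp / number
        if src.is_dir():
            result[number] = merge_copy(src, dest, dry_run)
    return result


if __name__ == "__main__":
    smtmp = Path(os.environ.get("TEMP", ".")) / "smtmp"
    user = os.environ.get("USERNAME", "Username")
    # Dry run first: see what would come back before touching anything.
    for folder, files in restore_smtmp(smtmp, default_targets(user), dry_run=True).items():
        print(f"smtmp\\{folder}: {len(files)} item(s) would be restored")
```

Run it once as-is to review the list, then call restore_smtmp with dry_run=False to perform the copy; the rogue's own files are left in place for the scanner to remove.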
 

Jenky

If you are doubting anything at all, backup all your data first.
 

YosemiteSam

Start backing up files ASAP.

If it wiped out the start menu, you are probably better off creating a new user account and using that one AFTER you've cleaned up the virus.

When you load IE, go into the settings and make sure it isn't using a proxy. Sometimes it's a local proxy, sometimes it's a proxy outside. Definitely want to disable / get rid of it.

As noted by Jenky, get Malwarebytes and try to run it. Though sometimes if the virus is bad enough, it won't let you run it.

There is a Microsoft program called "autoruns" that you can download. It will show you everything from all possible places that "auto starts" on the computer. I would run that and go through there looking for things that clearly shouldn't be running. (Be careful though; you don't want to disable something you really need.)

Good luck and stay off the shady pr0n sites! :laugh2:
 

silverbear

Jenky;4206851 said:
If you are doubting anything at all, backup all your data first.

The malware program is calling itself System Restore, FWIW...
 

silverbear

Jenky;4206850 said:
I need to know exactly what the malware is called. The program you are mentioning is fake.

I typed it exactly as it appeared in the msconfig box...
 

tupperware

I'd try booting up into safe mode. I think it's F8 that you need to keep tapping before the Windows logo appears at boot. Load safe mode and then create a new user. Reboot, go back into safe mode and load the new user (make sure you made him an admin when you created him). Install Malwarebytes and any other anti-virus software you want other than Norton, since it's obviously not picking it up, and do full system scans.

Also, you could download a bootable CD that will do virus scans too, to catch the virus before it loads up.
 

Yeagermeister

I've done battle with this crap many times and usually I end up backing up everything then wiping and reinstalling windows.
 

YosemiteSam

Yeagermeister;4207009 said:
I've done battle with this crap many times and usually I end up backing up everything then wiping and reinstalling windows.

Usually the best thing to do. Many times these malware or viruses damage the installation. Many times you end up getting random BSOD or reboots while you're working after you've cleaned it up.

Once the damage is done, sometimes there is no way to completely clean the system up again. Though that isn't always the case.
 

Yeagermeister

Sam I Am;4207027 said:
Usually the best thing to do. Many times these malware or viruses damage the installation. Many times you end up getting random BSOD or reboots while you're working after you've cleaned it up.

Once the damage is done, sometimes there is no way to completely clean the system up again. Though that isn't always the case.

I had it hide every file on the machine once. It would boot up just fine but when you opened the hard drive it would look like it was blank. :laugh1:
 

Bonecrusher#31

silverbear;4206874 said:
I typed it exactly as it appeared in the msconfig box...

There's no need to reinstall Windows (unless you're 'challenged' like that, and I know you're not) for a simple little malware issue.

Just run Malwarebytes' Anti-Malware and you will be fine. (It's free, PM me if you need a link.)

I had it twice on my work PC and a few others at home this year alone.
 

silverbear

tupperware;4206888 said:
I'd try booting up into safe mode. I think it's F8 that you need to keep tapping before the Windows logo appears at boot. Load safe mode and then create a new user. Reboot, go back into safe mode and load the new user (make sure you made him an admin when you created him). Install Malwarebytes and any other anti-virus software you want other than Norton, since it's obviously not picking it up, and do full system scans.

We got lucky there, on a hunch I went into her husband's profile, and it hadn't killed Internet Explorer over there, so I was able to download and run Malwarebytes...

Then Jenky turned me on to bleepingcomputer.com, which gave me the instructions to kill that sucker dead...

If we hadn't had access to IE on Jim's profile, I was gonna download the necessary programs on my laptop, save them to a thumb drive and use that to load it on Angie's PC...
 

silverbear

Sam I Am;4207027 said:
Usually the best thing to do. Many times these malware or viruses damage the installation. Many times you end up getting random BSOD or reboots while you're working after you've cleaned it up.

Once the damage is done, sometimes there is no way to completely clean the system up again. Though that isn't always the case.

I advised Angie to do exactly that, and she really, really doesn't want to... so far, her PC is working correctly since we did the "fix", but if it goes snafu again I'm gonna insist on doing it...

Which probably means that I'll be the one reinstalling Windows, LOL...
 

silverbear

Bonecrusher#31;4207046 said:
There's no need to reinstall Windows (unless you're 'challenged' like that, and I know you're not) for a simple little malware issue.

Just run Malwarebytes' Anti-Malware and you will be fine. (It's free, PM me if you need a link.)

I had it twice on my work PC and a few others at home this year alone.

Yeah, Malwarebytes was the key to finding and rooting out the program... had to do just a little more to "unhide" all the programs that it had hidden...

That's what threw me for a loop; I'd seen these kinds of malware that "scan" your computer, then alert you to all kinds of (nonexistent) problems that you have, which they can fix if you'll just buy their program...

Then, of course, it "fixes" the problems-- by turning off all the popups...

But this one went a step further than I'd seen before, it went and hid all her programs... this sent her into a full-blown panic, which led to a phone call to your friendly local Bear...

Hey, I didn't want to get any sleep today anyway... :D
 

Jenky

silverbear;4208373 said:
Yeah, Malwarebytes was the key to finding and rooting out the program... had to do just a little more to "unhide" all the programs that it had hidden...

That's what threw me for a loop; I'd seen these kinds of malware that "scan" your computer, then alert you to all kinds of (nonexistent) problems that you have, which they can fix if you'll just buy their program...

Then, of course, it "fixes" the problems-- by turning off all the popups...

But this one went a step further than I'd seen before, it went and hid all her programs... this sent her into a full-blown panic, which led to a phone call to your friendly local Bear...

Hey, I didn't want to get any sleep today anyway... :D

Well that's good to hear. Good work.
 

silverbear

Jenky;4209208 said:
Well that's good to hear. Good work.

Couldn't have done it without you, man...

That's yet another reason I love this board, you can get advice on a whole range of issues, if you'll just ask... and some of the advice actually turns out to be helpful...

Then there's the advice that Yeag shovels out... :D
 