Major Laptop Problem

[Cail]

So overnight something happened to my laptop. I dont know what. I was browsing BG this morning, with my ffxi, vent, msn, and winamp opened, as well as multiple IE pages of various BG posts. Then my comptuer started running like shit, so i ALT+CTRL+DEL to try to end some processes, but it says my administrator has disabled that. I'm the only person who uses this laptop or has access to it!

So I restart my computer, and when i do, my wallpaper is now black. A program also pops up, called WindowsRecovery, which I've never used, or seen before. (or remember downloading ever). Now I'm noticing all my icons on my desktop are gone as well. Various folders, programs, etc. This WindowsRecory also wont minimize or close.

I'm freaking out because I'm hoping I all of a sudden didnt just lose a lot of information. Of my usual programs that i run, vent, ffxi(windower), msn, winamp, some folders etc., only vent/ffxi/msn are showing up. As i'm typign this, a window just popped up that reads:

Critical hard disk drive eror has been detected!

Windows Recovery detected a bad sector on your hard disk drive.
This error may cause the following problems:
-Data corruption and loss
-Hard drive inaccessibility
-System erros and failures

--It is strongly recommended that you fix the detected problem immediately. Please run a full system scan and fix errors.

Then i can choose Fix Problem or Cancel.

PLEASE HELP!!!!

[Mafai]

Its a virus, nothing is wrong with your hardware.

Download this and run the scan. If this will not install post back with the error and I'll tell you how to make it install.

https://store.malwarebytes.org/342/c...mbam-setup.exe

[Cail]

sweet maf, thanks...i figured it was a virus, but still....dl'ing it now

[Cail]

A windows delayed Write Filed popped up when i updated the malware, saying:

Windows was unable to save all the date for the file //System32//496A8300. The dada has been lost. This error may be caused by a failure of your computer hardware.

However, the scan is still running. I assume thats part of the virus

[Cail]

Just finished the quick scan, had 8 problems. 3 Trojan.Agent, 2 Trojan.FakeAlert, 3 PUM.Hijacks. I removed them all and am restarting per the Malware program. This is the report:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6406

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/20/2011 9:58:36 AM
mbam-log-2011-04-20 (09-58-36).txt

Scan type: Quick scan
Objects scanned: 174052
Time elapsed: 17 minute(s), 30 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
c:\documents and settings\all users\application data\fpojeykxwu.exe (Trojan.Agent) -> 2220 -> Unloaded process successfully.
c:\documents and settings\all users\application data\20242228.exe (Trojan.FakeAlert) -> 3816 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run\FpoJEykxWu (Trojan.Agent) -> Value: FpoJEykxWu -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Policies\ActiveDesktop\NoChangingWallPap er (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\fpojeykxwu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\20242228.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully

.

[Cail]

Well, the Windows recovery thing is gone, however my background is still black and all my desktop files etc are still gone. I am able to access my ALT+CRL+DEL task manager again though

Edit: My external hard drive has been wiped clean too =/

Edit2: Unless theres a way to get them back that i dont know about

[Cail]

In my processes, all my programs that usuall run at the start are running, but my taskbar is empty, i open my Hard Drive and external hard drive and it says theyre empty as well

Edit: Theres a bunch of Hiddens and shit, but i dont know how to go in and fix everythign so its all unhidden

Edit2: Figured out how to make the hidden files show, I just dotn know how to make it so theyre not permanently Hidden

[Mafai]

Right click on your external and check the disk usage (free vs used space). Is it showing it as empty? Maybe it just made the files hidden or something.

I'm not familiar with that virus in particular, but just change your wallpaper back to whatever it was. The virus typically changes your background to some scary message and locks it. Malwarebytes unlocked the task manager and wallpaper settings according to your log.

[Mafai]

Oh I found it... Check this out. Download this to desktop and run it.

http://download.bleepingcomputer.com/grinler/unhide.exe

edit: you might need to reboot after that finishes running

[Cail]

yea, everything was hidden (well it still is) but i have it showing (still hidden tho) About to run that

Wiped my bookmarked pages, and everthing in my Start menu too lol

[Mafai]

yea, everything was hidden (well it still is) but i have it showing (still hidden tho) About to run that

Wiped my bookmarked pages, and everthing in my Start menu too lol

I'm not sure how hidden files effect the start menu/bookmarks. They might reappear after you run that / reboot.

[Cail]

yea its running now, gonna take some time it seems

[xerodok]

Post your results.

[Mafai]

yea its running now, gonna take some time it seems

yea, that program is going in and changing the flag on each file to normal instead of hidden... so it might be a bit. Also I'm not sure if it goes into any drive besides C:\ to do this, so I'd be curious if it changes over the files on your external.

[Cail]

didnt have to reboot, and that program returned all my bookmarks/start menu junk. Thanks a lot maf

[Cail]

just reread your posts that i missed, yea it gave me the option of doing it to me E: drive (external) and theyre all unhidden. For now, seems like everything is good. Desktop icons all back, fixed my wallpaper from just black, start menu is back, and bookmarks all back. Contents of my C: and E: drives are all showing as well

[Eanae]

as well as multiple IE pages of various BG posts.

Use Firefox or Chrome after you fix this since that was the cause of your problem to begin with...

[LinktheDeme]

With all the damage it's done at this point wouldn't it just be safest to format the computer? Rather than trying to locate and get rid of the virus?

[Bloodfire]

With all the damage it's done at this point wouldn't it just be safest to format the computer? Rather than trying to locate and get rid of the virus?

I agree, if you get to the point where your about to lose your mind cause your computer took a shit on you, consider backing up what you can and do the standard wipe/reinstall. Ensure you regularly back data up and you won't be as worried next time.

Also, based off your OP, It looks as if you have a rogue program. It doesn't do damage to your computer per say.. though it can progressively restrict access to to various areas on your computer, especially the Run command and C: drive, to prevent you from trying to stop it. It holds your PC hostage till you click the button to clean it, but then your'e met with the "Buy to clean your PC now!" type bullshit.

Get Combofix and run it in safe mode then malwarebytes in safe mode, then run an AV software in normal mode. That will generally clear it up your primary issue, but if there is a rootkit in there anywhere you are better off doing a wipe/reinstall. I personally do a wipe/reinstall no matter how small the infection.