Possible Duplicate:
What to do if my computer is infected by a virus or a malware?

I have been hit by an absolutely impossible new virus. Only in the past 3 months or so the internet has become covered in this aggressive new virus. My system has been hit 5 times in only one month! It's been expensive since Microsoft no longer provides original disks with laptop purchase.

For many years I have removed occasional viruses that infect my computer. But these incidents have been fairly rare. And if things get difficult you resolve the issue with a complete reinstall. But this new virus has been the most difficult I have ever come across and even reinstall has not worked [non-disk reinstall].

Scans discovered Mazbet, APPL.nircmd - but I think these are aliases the virus uses.

None, NONE, of the virus software can detect and remove it. I have so far tried Norton, McAfee, Kaspersky, AVG, Combofix, and more and nothing works. The virus even remains active in safe boot. And on reinstall it STILL stays on. MS doesn't provide original disks anymore. New laptops come with partitioned drives with boot feature - but with this virus it's impossible to do a complete reinstall without disks.

The virus has now become so bad it has transferred itself to my external drive and my partition drive. I can identify it by the locked System Volume Information folders it creates in every drive and the desktop.ini that starts to appear in almost all main folders. Gradually over the span of several days it starts to work by locking you out of more and more system folders, and then causing massive problems.


The way this virus infects the computer is from images on Google. I got it when I was looking at a picture in a Google search and clicked to enlarge it. Immediately I was given a message that a "virus-scan" was being done on my system. The web addresses where this virus originates from usually end with a cc or cn. However, this message is fake and there is no way for you to stop this 'scan' [download]. It's done automatically and it goes fast. It doesn't give an option for you to close out. You have to immediately shut down your computer before it manages to install itself because you can't stop it [I stopped a friend's computer from the same infection by shutting it off].

After it infects your system, it either copies or hijacks a new System Volume Information folder (locked). This creates a $RECYCLE.BIN folder with desktop.ini files. Once it is well infected you get messages on shut down: it says your Windows updates are being optimized. This takes forever. It's not; it's the virus and you need to force a shut down even when it looks like it is already on the way of shutting down or it hijacks even more system drives. On restart it again gives a similar message that it is initializing your Windows updates. These are fake Windows messages.

The desktop.ini files act like a hydra: every time you delete any of these, they reappear. The files it creates will carry different dates and not necessarily the current dates. One had a date going back to 2007. So doing a restore to another date doesn't help. The longer the virus remains untouched the more damage it starts to do. Eventually it will cause constant problems with your system and begin to hide folders and the recycle bin for you - and eventually, crash your entire drive. But this can take days. It works gradually.

All I know is that I tried to reinstall a new system five times with the last attack I had and still had problems with this virus.


  • 4
    Install an OS that it can't handle. Commented Jul 8, 2011 at 9:04
  • Ignacio: that doesn't solve removing it from external drives where all my files are in.
    – Ben
    Commented Jul 8, 2011 at 9:16
  • 4
    Come on, it's easy to suggest using Linux. But the real problem is a different one, namely removing the virus.
    – slhck
    Commented Jul 8, 2011 at 9:20
  • Anyone even know the name of this virus?
    – Ben
    Commented Jul 8, 2011 at 9:49
  • 2
    there is so much fail in this question ;-/ -- but i like it. it made my day.
    – Sirex
    Commented Jul 8, 2011 at 15:51

5 Answers


I'm not sure what you're describing is the behavior of malware after you already scanned for items. I mean, the desktop.ini file appears whenever you have a custom view of a folder in Explorer; you play with settings, Explorer is going to create them in that folder. It's hidden unless you're looking for hidden folders.

The system volume information folder? That's protected because...well, it's system volume information. It's going to appear on each volume. See http://support.microsoft.com/kb/309531.

You're already scanning with multiple scanners (hopefully they're not all installed at the same time...no wonder your computer would act strange if they were. Antiviruses generally don't play well if there are multiple ones installed; you should pick one and use that one. Heck, some of them don't play well if they're the only ones installed. I can't count the number of times someone had me look at an issue and it was because Symantec or whatever brand they installed was screwing with their email as a proxy or interfering with file access to a non-infected file...) so you should have detected anything out there that's fairly new as long as you're updating the signatures. Generally I have an antivirus scan plus Spybot plus Malwarebytes or Ad-Aware for malware checks. If I want a second opinion I scan a computer with housecall.antivirus.com for another antivirus/malware check straight from the web browser.

If I'm really certain something is screwy, I boot from a boot disk and check with a bootable antivirus CD. There is no way that a virus can remain resident in memory and deceive a scanner if you boot from a boot CD; the only way it wouldn't know is if the signatures don't include something in the library to detect it.

As for your "no discs" issue, that's why Windows includes backup software now. Actually, it's had it for a while. Make a system backup from a known-good state. Alternatively there is software out there that will image your drive so you can create a disk image from which to restore. Make a backup of your system. Restore it if need be. Periodically make new backups.

Next...what are you running as? You didn't say (that I saw) what OS you're running. Windows XP? 7? If you're running a newer version of Windows, are you running as administrator? Malware can only infect files you have access to. If you're running as administrator, it'll be able to easily infect system files. If you're running as an unprivileged user, executables and such can only copy to your profile and directories you have access to. So for something to completely wreak havoc with your system you need to be running as a privileged user. Bad idea.

What exactly is your system doing that you're thinking it's infected? Just the presence of these hidden files? Odd network traffic? Have you looked at your network connections to see what your system is doing that's unusual, at the router? Have you used tools like Process Explorer and Procmon (part of the Sysinternals suite; googles will tell you more) to identify what your system is doing? If it's just discovering system folders and Explorer settings files, I am leery of the idea that you're actually infected.

If you're truly worried about this then there was the suggestion that you install Linux. Which is free. But it has a learning curve. Bonus: you'll be immune to Winx viruses. Drawback: if you depend on particular Windows software, it probably won't run. You'll have a steep learning curve and probably will have to learn a bit more about how your computer works.

Alternatively you can try something like Deep Freeze to "freeze" your computer's state once it's clean, but you'll also have to actually maintain it with thaw periods for updates and save your data to an external drive.

Alternatively, you can install Linux (or Windows) fresh and then install VirtualBox and do your browsing and work from there. A virtualized Windows session (or whatever OS you install) will act as a sandbox. As long as you keep your system up to date, you can limit damage done by any malware to your virtual system. Again, it's a learning and workflow change to do it, there are some limitations, but for general work if you're really nervous about what can happen sandboxing and monitoring will be a really good way to limit these things.

From your description, though, it really sounds like you're hunting Windows system files that are normal on Windows systems and getting the usual fake scanner notifications from your browser. I'm thinking your system isn't really infected with anything but Windows cruft.

  • When hijack occurs, you can't really shut it off in task manager. It's too fast. So you have to do a forced shut down. I've had firewall etc on but it seems to bypass it. Once it installs, you are blocked access to admin use and system folders. On shut down it gives a message that Windows is being updated. After that your recycle bin and system folder is blocked from access and hidden. As it progresses Windows gives error messages, the entire system crashes. Hope this info helps. Sorry can't use Linux. Not compatible. PS: No, I don't run all virus programs simultaneously! Thnx.
    – Ben
    Commented Jul 8, 2011 at 11:20
  • 2
    But what is showing up in task manager to shut down and running too fast? What is the name of the process? Commented Jul 8, 2011 at 11:33
  • What do you mean it's blocking admin use? Like you can't log in as an administrative user, it's giving you a file or folder is in use or has a permission error (if it has an open file handle it may block certain file access, that's normal)...? Recycle bin folders are hidden. Again, that's normal. Some system folders like the one I gave in my answer are hidden. Because they're system folders. Users aren't supposed to get into them. Commented Jul 8, 2011 at 11:35
  • And what error messages are you getting? You said it gives error messages and crashes. What's in the system log? Perhaps knowing the actual error messages would track down what's happening. Commented Jul 8, 2011 at 11:35
  • 1
    @Ben, seriously, slow down and provide details. It's quite apparent that you have many misconceptions as to how things work (or should work). You may be infected with a virus, but you certainly have not shown any details or evidence thereof.
    – Chris S
    Commented Jul 8, 2011 at 15:08

It sounds like you're probably running into the malware described here: http://cleanbytes.net/google-images-redirecting-to-a-new-virus

From a quick googling, I didn't find anything specific about how to remove it, although http://www.google.com/support/forum/p/Web%20Search/thread?tid=6df7e15519290612&hl=en has a list of malware removal forums which may be able to help.

My main suggestion for avoiding it in the future would be to use Firefox with the NoScript plugin, which will prevent sites from running any type of active content in your browser unless you've whitelisted that specific site. By preventing this attack from running its JavaScript payload, that should prevent it from infecting your system.


I'm laughing.

desktop.ini files are created in any folder you have set view preferences for. System Volume Information folders are by default created on every drive in Windows.

Neither of these symptoms is viral in nature. If someone told you they were viral, they were playing a cruel prank on you.

To make this "virus" go away, in a My Computer window, go to Tools -> Folder Options. In the View tab:

- Select "Do not show hidden files and folders"
- Uncheck "Display the contents of system folders"
- Check "Hide protected operating system files (Recommended)"

This will hide the desktop.ini files and the System volume information folders.

The only infection you did describe was a standard fake antivirus malware, which are not usually too difficult to remove.

Download and install Malware Bytes AntiMalware and run it in safemode.

Or, if you have a second computer you can connect your hard drives to as secondary or slave drives, do this and scan them from there. Once the safemode or slaved drive scan is complete, connect the drives to their normal computer or boot into normal mode and run the Malware Bytes full scan again to get any leftovers.

You make several vague references to other system issues you believe are related to this infection. Providing more detail on what these other issues are may clue us in to what sort of real infection you actually have. Just remember. desktop.ini and System Volume Information files and directories are not indicative of a virus at all.
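
To see for yourself what the desktop.ini files on a drive contain, here is an added example (not part of the original answers) that walks a folder tree, decodes each desktop.ini and lists its sections and keys. The `KNOWN_SECTIONS` list and the sample files are assumptions constructed for the example; a section outside that list is only a prompt to open the file and read it, not evidence of infection.

```python
import configparser
import os
import tempfile

# Sections Explorer commonly writes to desktop.ini (assumed list, not exhaustive).
KNOWN_SECTIONS = {".shellclassinfo", "localizedfilenames", "viewstate"}

def read_ini_text(path):
    """desktop.ini is often UTF-16 with a BOM; otherwise decode it as ANSI."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("cp1252", errors="replace")

def summarize(path):
    """Return the sections and keys of one desktop.ini, flagging unfamiliar sections."""
    parser = configparser.RawConfigParser(strict=False, allow_no_value=True)
    parser.optionxform = str  # keep key case as written
    try:
        parser.read_string(read_ini_text(path))
    except configparser.Error as exc:
        return {"path": path, "sections": {}, "unknown": [], "error": str(exc)}
    sections = {s: sorted(parser.options(s)) for s in parser.sections()}
    unknown = [s for s in sections if s.lower() not in KNOWN_SECTIONS]
    return {"path": path, "sections": sections, "unknown": unknown, "error": None}

def scan(root):
    """Walk root; folders that deny access (e.g. System Volume Information) are skipped."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        found += [summarize(os.path.join(dirpath, f))
                  for f in sorted(files) if f.lower() == "desktop.ini"]
    return found

def build_sample(root):
    """Constructed sample tree: a typical Explorer file and one with an unfamiliar section."""
    samples = {
        "Pictures": ("[.ShellClassInfo]\r\nIconResource=%SystemRoot%\\system32\\imageres.dll,-113\r\n", "utf-16"),
        "Odd": ("[.ShellClassInfo]\r\nInfoTip=demo\r\n[ConstructedSection]\r\nkey=value\r\n", "cp1252"),
    }
    for folder, (text, enc) in samples.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        with open(os.path.join(root, folder, "desktop.ini"), "wb") as fh:
            fh.write(text.encode(enc))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for item in scan(tmp):
            print(item["path"], item["sections"], "unfamiliar:", item["unknown"])
```

To check a real drive, call `scan()` with its root path instead of the temporary sample tree.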


I used this Rescue CD and it helped me out. Hope it will do the same for you. Here are some features of it, which you will also find at the link.
A comprehensive administration toolkit.
System recovery from virus and spyware infections.
Adaptability for the recovery of both MS Windows and Linux operating systems (FAT32 and NTFS file systems).
Ability to perform a clean boot from a CD or USB stick.


See my post here, go to the EDIT section at the bottom and download the Microsoft Safety Scanner Software to a clean PC, run the software and make the bootable CD or thumbdrive, boot from this on the infected PC and do a Full scan, remove anything it finds.
