Possible Duplicate:
How do I get rid of malicious spyware, malware, viruses or rootkits from my PC?

I have a virus that renames all jpg file extensions to EXE files and hides the original files in the same folder!! I can see the hidden files with FarManager and I cannot see them in Windows Explorer (even with the show hidden files option?!!)

How can I restore it to its original file extension? Do you have any tool to scan the converted file and restore it to its original file extension? What is the virus name? How can I remove it manually?

user29373
  • Please try Kaspersky or AVG Free, imho they are better than Norton and free. – Natalie Adams Jun 05 '10 at 23:02
  • Actually, I'd recommend [Microsoft's Security Essentials](http://www.microsoft.com/en-ca/security_essentials/default.aspx). They made the operating system, I think they know how to make the quickest AV for it. Oh, and don't forget the best part - it's **free**. – Breakthrough Jul 08 '11 at 01:42
  • The hidden files probably have a system file attribute set. Enable showing both hidden and system files, and they should appear. – TuxRug Jul 08 '11 at 05:51
  • Huh? Sircam's back? – Fiasco Labs Nov 13 '11 at 21:12
  • breakthrough. Personally, I don't agree at all. – Sirex Dec 14 '11 at 07:41
  • I'd suggest that you find a teenager who can find it, then ask him to find it. – Daniel R Hicks May 17 '12 at 11:34
  • @Breakthrough: they made the OS and many bugs. I suggest AVG or Avira. 2 days ago my friend also had the same problem but for folders. Using Avira and unchecking hide files and hide system files solved the problem. – Nam Phung Jun 24 '12 at 15:47
  • I'd call this duplicate of the linked question, too. Unless the question is getting more specific (and written with less exclamation and question marks) the answers will basically be the same. – Baarn Jun 24 '12 at 16:37
  • @TuxRug, there is no option to show system-files, the option you are thinking of shows files in the *system directory* (i.e., `C:\Windows\*`). – Synetech Jul 26 '12 at 02:25
  • @Synetech [Yes there is.](http://www.itechtalk.com/thread3892.html) You can set or unset the flag with the `attrib` command line tool. Files with the `system` flag do not have to be in any particular directory. – Bob Jan 01 '13 at 08:42
  • @DragonLord - I don't think this is a dupe - the OP is not (totally) about what to do if/when infected, but what the virus is and how to undo the work. – Dave Jan 01 '13 at 09:32
  • @user29373 Whilst an antivirus + MBAM should eradicate the majority of malware, Hitman Pro, whilst not free, is an excellent on-demand scanner which you can trial: http://www.surfright.nl/en/home/ – Simon Jan 01 '13 at 11:44
  • @Bob, well duh. But that is not what was being discussed. He said to *enable viewing system files*, as in the options in *Folder Options* in Explorer, not as in *modifying* file attributes. – Synetech Jan 01 '13 at 16:39
  • @DaveRook I believe the other question addresses `how to undo the work` (well, except maybe malware-specific modifications.. but see the second point). As for what it is, well, most of the scanning methods in the other question will aid in identification. Anything more is likely too localised for Super User (also see [Guessing Game](http://blog.stackoverflow.com/2012/02/lets-play-the-guessing-game/)) and would be better suited for a forum, such as [Bleeping Computer](http://www.bleepingcomputer.com/forums/forum103.html). – Bob Jan 01 '13 at 16:49
  • @Synetech The link I provided at the start of my comment demonstrates the existence of this option, which you denied. This option controls the visibility of files with the `system` flag (nothing to do with the directory they are in), which is why I continued talking about the flag. – Bob Jan 01 '13 at 16:53
  • `This option controls the visibility of files with the system flag (nothing to do with the directory they are in)`   Did you actually test it to confirm what you are saying, because *I did*. – Synetech Jan 01 '13 at 19:08

2 Answers

What AV program are you running?
Have you tried running a full system scan with up to date definitions?
The only reference I can find to the problem that you are having is in an archived Forum from 2001: http://forums.devx.com/showthread.php?t=34744
Without knowing the name of the virus it would be very hard to give a solution to removing it manually.

Bobby
Joe Taylor
  • I got Norton Corporation with the latest Virus Definition. – user29373 Feb 25 '10 at 10:09
  • Have you tried running a full system scan? If that shows up nothing then try running an online scan, I know Kaspersky have a very good online agent. You may have to turn Norton off, I'd read the user's guide on Kaspersky's site: http://support.kaspersky.com/viruses – Joe Taylor Feb 25 '10 at 13:01
  • In addition to Joe, run a full system scan with Malwarebytes' Anti Malware, you can remove it afterwards... Kaspersky + MBAM usually does the trick with me! ;) http://www.malwarebytes.org/mbam.php – Pylsa Jul 23 '10 at 11:49
  • @user29373 Here are other newer variants: http://virus-com.com/viruscom/viruscom_74397.html. I still don't get the question. Are the files being renamed, or is the name of other files being used to create the "copies" of the virus? You said "they still exist hidden" and "how do I turn them back to original extension"?? First (as always) you must find and stop the thing doing it. – Psycogeek Jan 13 '12 at 13:34
  • @Psycogeek -- As I read it, JPG files are being replaced with files with the EXE extension. Presumably this is because a virus has installed malware in the files and wants them to be executed when clicked on (assuming the user doesn't see/care about extensions). A crude but modestly effective strategy, if the virus writer doesn't mind nearly immediate detection. – Daniel R Hicks Aug 26 '12 at 22:40

I think you'll need to get a decent AV (which is open to debate what is best, but for my money I go Kaspersky and never use a free one) and clear the infection.

As for restoring, I think a system restore is the only option here. There is no way for the OS to tell what file type used to be what file type.

If the restore fails, the only other thing you could try is changing all .exe to .jpg, testing them, and if they work, keep them, if not, return to .exe. But I would be amazed if this software exists as is, so I guess it would be a manual task (search in Windows for *.exe) and start renaming!

Dave
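Added example, not part of the original answers: instead of renaming every .exe and testing it by opening it, the rename-and-test step can be decided from each file's leading bytes without ever running the file. A JPEG begins with `FF D8 FF` and a Windows executable with `MZ`; the function names and sample files below are constructed for illustration.

```python
import os
import tempfile

# Leading-byte signatures: JPEG starts with FF D8 FF, a Windows executable with "MZ".
JPEG_MAGIC = b"\xff\xd8\xff"
PE_MAGIC = b"MZ"

def classify(path):
    """Return 'jpeg', 'executable' or 'unknown' from the first bytes (never runs the file)."""
    with open(path, "rb") as fh:
        head = fh.read(3)
    if head.startswith(JPEG_MAGIC):
        return "jpeg"
    if head.startswith(PE_MAGIC):
        return "executable"
    return "unknown"

def plan_renames(root):
    """Map each .exe whose content is JPEG to a proposed .jpg name; list real executables."""
    plan, suspicious = {}, []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".exe"):
                continue
            src = os.path.join(folder, name)
            kind = classify(src)
            if kind == "jpeg":
                dst = os.path.splitext(src)[0] + ".jpg"
                if not os.path.exists(dst):  # never overwrite an existing picture
                    plan[src] = dst
            elif kind == "executable":
                suspicious.append(src)  # real program code: leave it for the AV scan
    return plan, sorted(suspicious)

def build_sample(root):
    """Constructed sample data: one renamed photo, one real MZ file, one untouched photo."""
    samples = {"holiday.exe": JPEG_MAGIC + b"\xe0fake-jpeg-body",
               "beach.exe": PE_MAGIC + b"\x90\x00fake-pe-body",
               "cat.jpg": JPEG_MAGIC + b"\xe0fake-jpeg-body"}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        plan, suspicious = plan_renames(tmp)
        for src, dst in plan.items():
            print("rename", src, "->", dst)
        for src in suspicious:
            print("leave for AV scan (real executable):", src)
```

The script only builds a rename plan and prints it; files that start with `MZ` are reported rather than renamed, since those are the ones an antivirus scan needs to examine.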