Password Protected files downloaded to my hard drive.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jennybelle, Nov 2, 2012.

  1. jennybelle

    jennybelle Private E-2

    Hi, again. I went back to square one, and first followed the house cleaning directions under "Fixing Google Redirection", and have had no problem with that since.

    I do not have a problem with my pc being slow, and have lots of memory, and less than 10% being used (running W7).

    I only have one anti-virus and one firewall running (also switched to your recommended Privatefirewall, and uninstalled my previous one).

    Step 4, done.

    CCleaner report attached.
    RK report attached.
    Malwarebytes report attached.
    TDSSKiller report attached.
    Hitman Pro report attached.

    I disabled my UAC before running the reports.

    Here is the problem I am having, and I can tell you exactly when it started.

    I went to Open Office (it was the correct site), and hit download, and the permission button. I saw my toolbar flash to a different site, and d/l started (superfast).

    I ran a scan with my free Avast! ... no threats found, but there were now **Password Protected** files on my pc - C: drive - that the antivirus could not read (even using boot scan).

    So, after I ran all the programs above (hope I got everything this time *smile*), I still have these inaccessible files on my C: drive. No one else has ever used my PC.

    Some of the files have what appears to be JavaScript extensions ".js" ... some look very suspicious. I can't highlight or copy the file string, right click does nothing, and they can't be isolated. Can't generate a report, nor isolate them.

    Here's one of the (password protected) file names, I copied it down manually:

    C:\USERS\nana\Downloads\install_flashplayer11x32_MSP_aih.exe|>_host\host.js

    Oh, and I hadn't been able to load my Java updates for a couple of weeks, and it was actually successful this evening (that may be irrelevant, but trying to throw in all I can remember).

    There's quite a few of these files, and wondering if they are building and hiding something, and some of them contain words like "Bundle Loader".


    Thanks so much for your help. :)
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Welcome to MajorGeeks, jennybelle :)

    The log that you should have attached from RogueKiller should be on your desktop named: RKReport[1].txt
    Please attach this now.

    I also need the log archive from running MGtools.exe
    It can be found here: C:\MGlogs.zip
    Just attach the entire MGlogs.zip to your next message.
     
  3. jennybelle

    jennybelle Private E-2

    Okay! Thanks, thisisu.

    I think I forgot to disable my UAC the first time I ran Rogue Killer (didn't read ALL the instructions first), but I kept all the reports.

    :)
     

    Attached Files:

    Last edited: Nov 2, 2012
  4. thisisu

    thisisu Malware Consultant

    I only see minor issues from your logs.

    1) You ran an outdated version of TDSSKiller. You can update it and rescan but I doubt anything will be found. Your logs appear to be fine.

    2) Uninstall the outdated Java: Java 7 Update 7
    Get the newest one from here: Sun Java Runtime Environment 7 Update 10

    Earlier you mentioned this file name existed
    1) This can't be the full file name as there are illegal characters in the name (< | \ )

    C:\USERS\nana\Downloads\install_flashplayer11x32_MSP_aih.exe
    Probably a flash player install stub file. Nothing to worry about.
    You can delete it if you want to.

    The host.js file you should be able to open with Notepad. JS stands for JavaScript.

    Where is this file located though? In the Downloads folder as well?

    Edit: And where are the password protected files / archives you mentioned earlier? I do not see any in your logs.
     
  5. jennybelle

    jennybelle Private E-2

    Hi, thanks. That sounds good. :)

    I uninstalled the old Java, and installed the update re your instructions.

    My download file folder has been cleared.

    When I ran my daily scan this morning (with Avast!), it says 'some files could not be scanned' (these are the files that appeared after my toolbar was hijacked a while back, and they seem to be multiplying).

    The log report says for each file, under the Status column: "Error: Archive is password protected". It appears that they are on my C drive. "nana" is my user name, which I use when online; I have a separate administrator account.

    I can't click on these files and delete them, but will type a few while looking at them ... most recent file first ...

    C:\Users\nana\Downloads\install_flashplayer11x32_mssa_aih.exe|>window.config.xml

    C:\Users\nana\Downloads\install_flashplayer11x32_mssa_aih.exe|>openx.html

    C:\Users\nana\Downloads\install_flashplayer11x32_mssa_aih.exe|>logo.ico

    C:\Users\nana\Downloads\install_flashplayer11x32_mssa_aih.exe|>launcher.bundle


    There are approximately 130 files in this log report. All with the same beginning, but after the |, they are different .. I can't copy them, generate a report, or move them to the vault. That's what makes me nervous.

    Are they perhaps, just junk files?

    There are no dates on these files, but they only started coming up in the scan the day after I had the incident while trying to download Open Office.

    Thanks again!
     
  6. thisisu

    thisisu Malware Consultant

    Without being able to see the log from Avast!, I can't try to diagnose what it is trying to convey. Perhaps you can take a screenshot of what you are concerned about and I'll try.
     
  7. jennybelle

    jennybelle Private E-2

    Yes, that's what I was thinking, but wasn't sure how to post a screen shot.

    Now, let's see if it worked! :)

    Okay, I saved it from my Paint Accessory, and it's attached as a .png file.

    The screen shot does not show the complete file names, which I can only read while hovering my mouse over them individually. I tried a screen shot while hovering over a file, but it didn't 'take'.

    What you are seeing is the first few characters (C:\Users\nana\Downloads) then (...) then the (|>) and characters following ...

    Each file is the same, except for the information after the |> (illegal characters).

    Thanks!
     

    Attached Files:

  8. thisisu

    thisisu Malware Consultant

    Updated your screenshot (see below)
    Follow these instructions so we can see the full file names.
     

    Attached Files:

  9. jennybelle

    jennybelle Private E-2

    Okay, done! I apologize for taking so long; was ill and not online.

    I attached the screen shot from this morning's scan log, adjusted as per your instructions. ack! that was so simple, and another thing learned along the way.

    Thanks. :)
     

    Attached Files:

  10. thisisu

    thisisu Malware Consultant

    Sorry for the delayed response as well. :)

    This screenshot is fine. These files are password protected by Adobe as this is their installer stub for "Flash Player".

    The same happens to me, if I download the installer and try to extract its contents, it asks me for a password. See the attached picture.

    Basically, Adobe probably doesn't want malware coders analyzing their code as Flash Player is exploited very often nowadays.
     

    Attached Files:

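The point thisisu makes in the post above is that `|>` is not part of a file name at all: the scanner is reporting a member file inside an archive (here, the Flash Player installer stub), and the roughly 130 "inaccessible files" are really the members of one or two installers it could not unpack. The following helper is an added example, not code from the thread, from Avast, or from MajorGeeks. It parses constructed scan-log lines in an assumed `path<TAB>status` layout (the real Avast log layout is not shown on the page), splits each path at the `|>` marker, checks whether the container part is a legal Windows path, and collapses the entries by container so a defender can see at a glance how many distinct files on disk are actually involved and which of them were reported as password-protected archives.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the entries quoted in the thread.
# Assumed layout: '<path>\t<status>'; a member inside an archive is written
# '<container>|><member>'. The real scanner's exact column layout is not on the page.
SAMPLE_LOG = """\
C:\\Users\\nana\\Downloads\\install_flashplayer11x32_mssa_aih.exe|>window.config.xml\tError: Archive is password protected
C:\\Users\\nana\\Downloads\\install_flashplayer11x32_mssa_aih.exe|>openx.html\tError: Archive is password protected
C:\\Users\\nana\\Downloads\\install_flashplayer11x32_mssa_aih.exe|>logo.ico\tError: Archive is password protected
C:\\Users\\nana\\Downloads\\install_flashplayer11x32_mssa_aih.exe|>launcher.bundle\tError: Archive is password protected
C:\\Users\\nana\\Downloads\\install_flashplayer11x32_MSP_aih.exe|>_host\\host.js\tError: Archive is password protected
C:\\Users\\nana\\Documents\\notes.txt\tOK
"""

# Characters that cannot appear in a Windows file or directory name.
# ':' is only legal as the drive-letter separator, which is stripped before checking.
_ILLEGAL_NAME_CHARS = set('<>:"|?*')

# Marker the scanner puts between a container (archive/installer) and a member inside it.
ARCHIVE_SEP = "|>"

PASSWORD_STATUS = "Error: Archive is password protected"


def is_valid_windows_path(path):
    """True if `path` could exist on disk as written (no reserved characters)."""
    body = re.sub(r"^[A-Za-z]:", "", path)  # drop a leading drive prefix such as 'C:'
    return not any(ch in _ILLEGAL_NAME_CHARS for ch in body)


def parse_entry(line):
    """Split one log line into container path, archive member (or None) and status."""
    path, _, status = line.rstrip("\n").partition("\t")
    container, sep, member = path.partition(ARCHIVE_SEP)
    return {
        "container": container,
        "member": member if sep else None,
        "status": status.strip(),
        "container_is_real_path": is_valid_windows_path(container),
    }


def summarize(log_text):
    """Group entries by container so many 'unreadable files' collapse to one installer."""
    groups = defaultdict(lambda: {"members": [], "password_protected": False, "plain_status": None})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_entry(line)
        group = groups[entry["container"]]
        if entry["member"] is None:
            group["plain_status"] = entry["status"]  # an ordinary file, not an archive member
        else:
            group["members"].append(entry["member"])
            if entry["status"] == PASSWORD_STATUS:
                group["password_protected"] = True
    return dict(groups)


def report(log_text):
    """One human-readable line per distinct on-disk file."""
    lines = []
    for container, group in summarize(log_text).items():
        if group["members"]:
            lines.append(
                f"{container}: {len(group['members'])} member(s) inside the archive, "
                f"password protected: {group['password_protected']}"
            )
        else:
            lines.append(f"{container}: {group['plain_status']}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against the constructed sample, the six log lines reduce to three real files on disk: two installer stubs whose members the scanner could not open, and one plain text file that scanned clean. That is the same collapse the thread arrives at by hand, and the `container_is_real_path` flag makes explicit why the full `|>` string can never be located or deleted as a file.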
  11. jennybelle

    jennybelle Private E-2

    That is great! Thanks for all your assistance.

    It's a great feeling to know that y'all are helping us out, and it means a lot.

    Take care, now!

    :)
     
  12. thisisu

    thisisu Malware Consultant

    My pleasure, jennybelle.

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
