Trojan hid my files

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Ibsen3, May 23, 2011.

  1. Ibsen3

    Ibsen3 Private First Class

    Hello,

    I had a Trojan on my Dell desktop (it's a new Inspiron, only four months old) and it appeared to be severe corruption of my hard drive. Having spoken with Dell, they offered me the frankly outrageous price of well over £100 to fix it which is something I simply cannot afford. However, I did discover that it was a Trojan and not a corruption as reported by the fake Trojan software that masqueraded as a Windows 7 system operation.

    My first desire was to salvage my files so I figured I couldn't go far wrong with a system restore which partially solved matters. I could then view my files and use them by using the 'show hidden files' option.

    It was only then that I realised I needed help as the files were visible but faded. I'm assuming that my PC now automatically recognises things like 'docx' files as files that should be hidden due to the effects of the trojan.

    This was when I ran through the procedure for malware removal recommended on this forum (I have attached the logs). However, I have also noticed that, at various points during my use of the PC, a little window keeps cropping up called 'Windows Installer' which never appeared before. Likewise, my paid-for McAfee AV is set to 'off' and refuses to stay back on for more than a few seconds.

    At the moment, I am using a Macbook to access the internet as I don't like the thought of accessing anything with this new (and very valuable to me) PC if it should happen to make things worse.

    Please advise as I'm having to hand back this borrowed Macbook very shortly.

    Thank you very much (as ever) for the work you do at these forums,

    - Steve
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Try to download this app. ( you may need to download to a different computer and transfer via thumb or CD):
    Trend Micro Fake AV Tool.

    Then:
    Please click Start, All Programs, Accessories and you will see ( among other things ) a Command Prompt entry.

    • Right click the Command Prompt entry and select Run As Administrator.
      • It is critical that you run it this way.

    • If you do this properly, a command prompt window will open with a title of Administrator Command Prompt.
    • Enter the below commands ( in bold black ) at the command prompt each followed by the enter key. Try each command!!!! The bold black are commands. The purple/brown is merely informational.

    cd \ <-- this changes to the root folder and the prompt should change to C:\>
    attrib -h -s * /S /D <-- this will try to remove the hidden and system attributes on all files and folders. Note there are spaces before -h, before -s, before * and before each /
    attrib -h -s *.* /S /D <-- a redundant command to possibly match other file names and folders due to using *.*

    Let me know if this helps.

    Please download and save the below to your Desktop or anywhere else you can find it ( if the Desktop is not showing )

    http://download.bleepingcomputer.com/grinler/unhide.exe

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept ( yes twice ).

    Then attach the below logs:

    * C:\MGlogs.zip
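An added example, not part of TimW's instructions and not one of the MGtools scripts: the same idea as attrib -h -s * /S /D, written in PowerShell and limited to one user profile rather than the whole drive, with a preview switch and a log of everything it changed. The root-level attrib run also tries to strip the attributes from files Windows hides on purpose (desktop.ini, the NTUSER registry files, the profile junctions), which is why the script carries a skip list. It assumes Windows PowerShell 5.1 or later on the affected machine, run from an elevated prompt; the default profile path, the skip list and the log file name are my choices.

```powershell
# Added example (not from the thread or from MGtools): clear the Hidden and System
# attributes that a rogue "system repair" program set on user files, limited to one
# profile folder. Run from an elevated PowerShell prompt:
#   .\Unhide-Profile.ps1 -WhatIf          (preview only, changes nothing)
#   .\Unhide-Profile.ps1                  (apply and log)
param(
    [string]$Root = $env:USERPROFILE,                              # assumption: affected user's profile
    [string]$LogFile = "$env:USERPROFILE\Desktop\unhide-log.txt",  # assumption: log location
    [switch]$WhatIf
)

# Files Windows keeps hidden on purpose inside a profile; leave their attributes alone.
$KeepHidden = @('desktop.ini', 'ntuser.dat', 'ntuser.ini', 'ntuser.pol',
                'ntuser.dat.log1', 'ntuser.dat.log2', 'thumbs.db', 'iconcache.db')
$HS = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

$candidates = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        # AppData is hidden by design, and the compatibility junctions in a profile
        # (Application Data, Local Settings, My Documents ...) are reparse points
        # that must not be touched, so both are skipped.
        $_.FullName -notlike "$Root\AppData*" -and
        -not ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) -and
        ($_.Attributes -band $HS) -and
        ($KeepHidden -notcontains $_.Name.ToLower())
    }

$changed = 0
foreach ($item in $candidates) {
    if ($WhatIf) {
        Write-Host "Would clear Hidden/System on: $($item.FullName)"
        continue
    }
    try {
        # Keep every other attribute (ReadOnly, Archive ...) and drop only H and S.
        $item.Attributes = $item.Attributes -band (-bnot $HS)
        Add-Content -LiteralPath $LogFile -Value $item.FullName
        $changed++
    } catch {
        Write-Warning "Could not change $($item.FullName): $($_.Exception.Message)"
    }
}
Write-Host ("Hidden/System items found: {0}; cleared: {1}" -f @($candidates).Count, $changed)
```

Run it once with -WhatIf and read the list before applying; if a path you expect to see is missing, it is either under AppData, on the skip list, or a junction, all of which are left alone deliberately. The log file is the record of what was changed if anything needs to be re-hidden afterwards.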
     
  3. Ibsen3

    Ibsen3 Private First Class

    Thanks TimW,

    I ran the AV tool and restarted. Strangely, my desktop picture vanished. It still seems to be present in 'my documents' though.

    I then tried the command prompt and got a message as follows:

    '-h' is not recognised as an internal or external command, operable program or batch file.

    I'm unsure how to proceed at this point.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The problem is that I am not finding any malware on your system. Let me have you do this:
    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2


    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      smtmp*
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  5. Ibsen3

    Ibsen3 Private First Class

    Thanks Tim,

    Here are the results. I just noticed, however, that there doesn't appear to have been any files found...
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am a bit lost as to what to try next. I guess we need to have you do an online scan:
    eSet Online Scan.
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Open up Malware Bytes > let it update (use the update tab) and then re-run it. It should take care of the hidden desktop icons/start menu items etc. Attach the log for us to see.
     
  8. Ibsen3

    Ibsen3 Private First Class

    eSet Scan took over two hours to complete (annoying considering I started at midnight) so I'm only able to post the report up now from work and haven't had the opportunity to follow Kestrel13!'s advice yet.

    Anyway, ESet did appear to find the trojan (see attached) but I won't be able to take any further steps until I'm back home tonight.

    Thanks for the continued support!
     

    Attached Files:

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Also, as well as re-running MBAM, run the C:\MGTools\FixAttr.bat and see if that helps to unhide things. Let us know.
     
  10. Ibsen3

    Ibsen3 Private First Class

    Ooh, thanks Kestrel13! That seems to have returned the icons back to normal. Do you think I can now return my settings back to 'hide folders'?

    Anyway, just to be thorough, I did a scan with Malware Bytes following an update as suggested and the log is attached. This did not appear to do anything although it did seem to isolate svchost.exe as corrupted (the only file).

    However, using FixAttr.bat appeared to solve the issue with the shaded-out items.

    Further details: my copy of McAfee that was switched off appears to have been switched on again. This appeared to have happened as soon as I booted up this evening, probably before the MB scan and certainly before the FixAttr.bat was used.

    The only issue now is that, for some reason, Mozilla Firefox won't run. Would you recommend uninstalling and reinstalling it?

    Finally, do you think that the trojan is now neutralised following the online scan?

    Thanks yet again for your support, guys! ;)
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's do this:

    We are going to be uninstalling your old version of FireFox and installing the new version. So do the below to save bookmarks:

    • Run FireFox and click Bookmarks.
    • Then select Organize Bookmarks.
    • Then on the next window click File and then select Export. Save the bookmarks.html file to your Desktop for later use in importing.

    Now download and save the installer for the current version of FireFox but DO NOT install it yet. Get it here: Mozilla FireFox

    You will need to exit FireFox now and use Internet Explorer to continue with the below until we reinstall FireFox.

    Start by uninstalling FireFox and then reboot. Do not skip the reboot.
    After reboot, delete the below folders:

    C:\Documents and Settings\UserAccount\Local Settings\Application Data\Mozilla
    C:\Program Files\Mozilla Firefox

    where UserAccount is the actual user account name being used.

    Now reinstall FireFox from the file previously downloaded.
    Import your bookmarks file. (similar process to exporting).


    Is FireFox working okay now?
     
  12. Ibsen3

    Ibsen3 Private First Class

    I'm a little confused. I can't open Firefox to begin with so I can't do the first steps. I click on the icon in three different areas but it doesn't show up onscreen.
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, that would pose a problem.

    Start by uninstalling FireFox and then reboot. Do not skip the reboot.
    After reboot, delete the below folders:

    C:\Documents and Settings\UserAccount\Local Settings\Application Data\Mozilla
    C:\Program Files\Mozilla Firefox

    where UserAccount is the actual user account name being used.

    Now download and save the installer for the current version of FireFox. Get it here: Mozilla FireFox
     
  14. Ibsen3

    Ibsen3 Private First Class

    I uninstalled Firefox but, like a number of other folders in that directory, the location:

    "C:\Documents and Settings is not accessible"

    The icon has a little padlock on it including other folders such as Config.Msi, MSOCache and System Recovery.

    Other weird stuff: The following folders are still shaded out and inaccessible from 'My Documents': My Music, My Pictures and My Videos. However, I can still access these via the little navigation window on the left-hand side of my Windows 7 browser.

    It looks like there are remnants of this thing still there...

    This 'Windows Installer' keeps loading upon startup along with some other systemlog text file (I mistakenly just deleted it when it popped up).

    Thanks again!
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Try creating a new user account ( with Admin. privileges ) and tell me if that works.
     
  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Also on the affected account, run this:


    Please download RogueKiller.exe and save it to your desktop.
    • Now quit all running programs.
    • Double click RogueKiller.exe to run it.
    • When prompted, type 1 and hit Enter.
    • A RKreport.txt should appear on your desktop.
    • Note: If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe .
    • Please post the contents of the RKreport.txt in your next Reply.
     
  17. Ibsen3

    Ibsen3 Private First Class

    @ TimW - I created a new user account but still could not access 'Documents and Settings' as no such folder appeared under the C drive. I could access 'C:\Program Files\Mozilla Firefox' but not the other one.

    @ Kestrel13! - I attached the RK report here. Cheers!
     

    Attached Files:

  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  19. Ibsen3

    Ibsen3 Private First Class

    Okay, done but now the C:\Program Files\Mozilla Firefox
    folder won't delete. I get the following message:

    You require permission from Administrators to make changes to this folder.

    I looked at the Properties Window under Security and there were Group or User names that don't appear to be named in folders such as 'Documents and Settings' like 'CREATOR OWNER' AND 'Trusted Installer'. Should they be there? Both of them appear to have permissions status as 'special'. Even though I have administrator access, it's not allowing me to delete the file.

    Any ideas?
     
  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, you have to add your user account as well as the Administrator account. You should also add the "everyone" account.
     
  21. Ibsen3

    Ibsen3 Private First Class

    I'm a bit puzzled. I created an 'everyone' account to add to what appeared to be two of my own accounts, one of them labelled 'administrator'. It didn't seem to make much difference. I still can't delete the file.

    This thing is a nightmare...and God! Do I hate Internet Explorer. It's so badly designed.
     
  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    When you get this message, do you have a tab for "continue"?
     
  23. Ibsen3

    Ibsen3 Private First Class

    No, just 'Try Again' and 'Cancel'.
     
  24. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Folder::
    C:\Program Files\Mozilla Firefox
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now tell me what issues you are still having.
     
  25. Ibsen3

    Ibsen3 Private First Class

    Hi TimW,

    I did as you said and have attached the txt file. Combofix restarted my machine and things began as they have done for a while such as the 'Windows Installer' window mysteriously appearing and two copies of the 'desktop.ini' file booting up on startup.

    However, this time I noticed that the bar along the top that you normally see in Windows 7 has gone (tbh, I very rarely use it so it's not a major loss). This includes immediate access to videos, the internet and the recycle bin etc. along the top of the screen.

    Also, I'm still being refused when I try to delete the MozillaFirefox folder and, from my documents, I still cannot access 'my videos' and a few others from inside the my documents folder (and yet I can access them from the side).

    One thing that only just happened last night was that some of the icons on my desktop disappeared and yet I can still access the programs (it may just be a case of adding them again by creating them).

    All of the above are pretty minor issues although I remain very keen to get Firefox back up and running. Is it looking clean yet, do you think?
     

    Attached Files:

  26. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Just to be certain, run THIS.
     
  27. Ibsen3

    Ibsen3 Private First Class

    Thanks again. It looks like all it found was just cookies. Do you think I'd be fine to reinstall Firefox now?
     
  28. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, you should be fine to reinstall FF. Let me know what issues you have afterwards.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just an FYI. In Windows 7 and Vista, you are not supposed to access the Documents and Settings folder. It is supposed to be locked. The user account info is now under the C:\Users folder.
     
  30. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Thanks Chas, I thought that was the case, but gave him the link to unlock it if he wanted to. ;)
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay but I would not recommend doing that since it changes permissions on a system folder and this could allow malware to do things you don't want. This folder is supposed to be protected and should stay protected. ;)
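An added example, not from the thread: rather than changing permissions on a folder that refuses access, report what the folder actually is, who owns it and which ACL entries deny access. On Windows 7, C:\Documents and Settings is a junction to C:\Users that carries an explicit Deny "List folder" entry for Everyone, which is the "is not accessible" message; a Program Files folder owned by NT SERVICE\TrustedInstaller where Administrators hold less than Full control gives "You require permission from Administrators". It assumes Windows PowerShell 5.1 or later (the LinkType and Target properties) run as Administrator; the two paths are the ones discussed in this thread.

```powershell
# Added example (not from the thread): summarise what a folder is, who owns it and
# which ACEs deny access, for the folders discussed above. Run as Administrator in
# Windows PowerShell 5.1 or later.
function Get-FolderAccessSummary {
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) { return "== $Path`n   does not exist" }

    $lines = @("== $Path")
    if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
        # A junction is a pointer, not a real folder. Windows 7 deliberately denies
        # "List folder" on its compatibility junctions, hence "not accessible".
        $lines += "   Type      : $($item.LinkType) -> $($item.Target -join ', ')"
    } else {
        $lines += "   Type      : directory"
    }
    $lines += "   Attributes: $($item.Attributes)"

    try {
        $acl = Get-Acl -LiteralPath $Path
        # Owner NT SERVICE\TrustedInstaller with Administrators below Full control is
        # what produces "You require permission from Administrators".
        $lines += "   Owner     : $($acl.Owner)"
        foreach ($ace in $acl.Access) {
            $inherited = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
            $fields = @($ace.AccessControlType, $ace.IdentityReference, $inherited, $ace.FileSystemRights)
            $lines += ("   {0,-5} {1,-32} {2,-9} {3}" -f $fields)
        }
    } catch {
        $lines += "   ACL       : could not read ($($_.Exception.Message))"
    }
    return ($lines -join "`n")
}

# The two folders from the thread; the Firefox path is the one the poster could not delete.
foreach ($p in 'C:\Documents and Settings', 'C:\Program Files\Mozilla Firefox') {
    Get-FolderAccessSummary -Path $p
}
```

Reading the output tells the two cases apart: the junction shows a Deny entry for Everyone and should be left as it is, as chaslang says. A leftover program folder under Program Files is an ordinary directory; the usual route from an elevated command prompt is takeown /F "<path>" /R /D Y followed by icacls "<path>" /grant Administrators:F /T, after which it can be deleted.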
     
