Downloader-UA filling up Drive with Porn

Discussion in 'Malware Help (A Specialist Will Reply)' started by Ray K, Aug 21, 2008.

  1. Ray K

    Ray K Private E-2

    I have been removing malware from a friend’s computer and found that it had (or still has) a Trojan called Downloader-UA by McAfee. The Trojan has created a hidden folder: C:\documents and settings\[username]\!. That’s right, “!”. The hidden folder contains porn in the form of .avi files. I know that it’s porn by the filenames. I’ve tried all the “show hidden files” settings in Windows but still can’t see or get into the folder. I let the antivirus software run for several days and quarantined about 20,000 of these, and deleted them manually by going into the Quarantine folder. McAfee didn’t have the capacity to load them for view. When I finally was able to look at a small sample of them in Quarantine, the antivirus software listed all the .avi files under the Trojan name Downloader-UA, and the path was the “!” folder. I had to give up since the owner wanted the computer back for the weekend. There could be tens of thousands more .avi files on the drive, and the drive is larger than 100 gig. I think it’s the Parental Guard part of McAfee that is removing them because Symantec just scans them and doesn’t delete them. When I check folder sizes and drive sizes everything looks normal, so Windows must not be detecting the drive size or folder size correctly. My problem is that I can’t get into that folder to delete them manually. I’m not sure why the Trojan is downloading these files onto someone’s hard drive. For use later? Anyway, I thought of trying to get into the “!” folder using DOS and will try this Monday. This is an XP box. Does anyone have any suggestions? This is really puzzling me, and I’ve been working in IT for 20 years. I know there is software out there that can “Hide, lock and password protect private files and folders from other users”. Sorry that this post is so long, I just wanted to make it clear what’s going on.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.



    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes, you could use a flash drive too, but flash drives are writeable and infections can spread to them.
     
