Malware made files Hidden & Read Only

DaveInOhio · May 9, 2011

Dear MajorGeeks,

Thanks in advance for your assistance.

After a malware attack, I recovered basic operation by use of MBAM and then doing a System Restore in safe mode. However, my files all seem to be Read Only and Hidden. I removed Read Only through properties, applying it to all items. I then came here to MajorGeeks.

I ran all of the procedures in READ & RUN ME FIRST, and I've attached four log files: ComboFix.txt, MBAMLog.txt, MGLogs.zip, and SASLog.log.

Root Repeal had an error on startup of "FOPS Device Control Error Code 0xc0000024". When I then tried to do a Scan on the Files tab, I got the error "Could not initialize drivers". I saved the error message details and can upload them if you need.

SAS and MBAM ran without detecting anything, because I had previously run them and removed the malware with names like FakeAlert, FakeAV, Trojan.Agent, and Trojan.Dropper.

ComboFix and MBAM appear to have run correctly, but I'm not qualified to know for sure.

I would appreciate your help to remove all traces of the malware.

Also, I would appreciate your confirmation of a suggestion I saw in another MajorGeek thread to unhide my files by:

- click start
- type run and press enter
- type cmd and press enter
- type attrib -s -h -r c:/*.* /s /d and press enter

Thanks,

Dave

DaveInOhio · May 10, 2011

Attached log files.

Kestrel13! · May 10, 2011

Now we need to use ComboFix

Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!

If it is not on your Desktop, the below will not work.

Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.

If ComboFix tells you it needs to update to a new version, make sure you allow it to update.

Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
Code:
KILLALL::

Folder::
C:\ProgramData\bAm06511gFnAi06511
File::
C:\ProgramData\31710968
C:\ProgramData\31973112
C:\ProgramData\~31710968
C:\ProgramData\~31710968r
C:\ProgramData\~31973112
C:\ProgramData\~31973112r
Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe

At this point, you MUST EXIT ALL BROWSERS NOW before continuing!

You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.

Now use your mouse to drag CFscript.txt on top of ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Follow the prompts.

When it finishes, a log will be produced named c:\combofix.txt

I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up, and you recieve the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

Describe to me how things are running now.

DaveInOhio · May 10, 2011

ComboFix with the script and MGTools seemed to run naturally. Logs are attached.

It seems that everything continues to run as it did before, which is to say properly. There are still ReadOnly files, but I do not think that any files are newly set to ReadOnly.

DaveInOhio · May 10, 2011

Further update: It seems that files are still being changed to Read Only and/or when I attempt to use the Properties dialog to remove the ReadOnly attribute, it remains ReadOnly.

Kestrel13! · May 11, 2011

You can right click on the folder and select Properties and then change the Hidden attribute. Make sure you apply this to all subfolders too when asked. You may have many folders ( if not all ) that you need to do this to.

Also something else that may help could be doing the below.

Please click Start, All Program, Accessories and you will see ( among other things ) a Command Prompt entry.

Right click the Command Prompt entry and select Run As Administrator.

It is critical that you run it this way.

If you do this properly, a command prompt window will open with a title of Administrator Command Prompt.

Enter the below commands ( in bold black ) at the command prompt each followed by the enter key. Try each command!!!! The bold black are commands. The purple/brown is merely informational.

cd \ <-- this changes to the root folder and the prompt should change to C:\>
attrib -h -s * /S /D <-- this will try to remove the hidden and system attributes on all files and folder. Note there are spaces before -h, before -s, before * and before each /
attrib -h -s *.* /S /D <-- a redundant command match possibly other file names and folders due to using *.*

Let me know if this helps.

Log in or Sign up

Malware made files Hidden & Read Only

DaveInOhio Private E-2

DaveInOhio Private E-2

Attached Files:

ComboFix.txt

MBAMLog.txt

MGlogs.zip

SASLog.log

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

DaveInOhio Private E-2

Attached Files:

ComboFix (2).txt

MGlogs (2).zip

DaveInOhio Private E-2

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

Log in or Sign up

Malware made files Hidden & Read Only

DaveInOhio Private E-2

DaveInOhio Private E-2

Attached Files:

ComboFix.txt

MBAMLog.txt

MGlogs.zip

SASLog.log

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

DaveInOhio Private E-2

Attached Files:

ComboFix (2).txt

MGlogs (2).zip

DaveInOhio Private E-2

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

Useful Searches