
Usb Virus- Show Hidden Files Option Not Working


This topic is locked
8 replies to this topic

#1 sdas57 (Members, 61 posts, Gender: Male, Location: New Delhi, India)

Posted 28 May 2008 - 01:33 PM

Earlier too I had a similar problem. It was due to the w32sillydc problem. I got it solved with this forum's help at
W32.sillydc Infection, Infection to usb pen drive and then to desktop- unable to remove

After that I loaded Spybot Search & Destroy free, Windows Defender free, AVG 7.5 free, SpywareBlaster free, SUPERAntiSpyware, a2 free version; I also have the latest Yahoo toolbar spyware scanning tool, and even ClamWin.

Ok. Still I was infected by a virus through a USB pen drive. But this time I do not know why and how. It seems Spybot S&D did not work? I remember that I denied changes to my registry and told it to remember my decision also, as that message was repeatedly coming fast, and even though I once told it to remember, the box kept coming and vanishing near my system tray. It was disturbing me a lot. So I rebooted.. and maybe then in that rebooting time or some gap when Spybot was not functioning it got installed??

This is question-1 . What do you think the reason for the infection was? :inlove:

Ok, before you reply to the above let me tell you that all the signs of infection I got were that my hidden files and folders got hidden and could not be restored using the Tools-->Options feature!

Yet no amount of scanning, and even online scans through Panda and Trend Micro and Norton, could find it (BitDefender does not work on my PC for some reason).

And I also used an RRT.exe program from the internet. It just made my hidden files and folders visible. And then I could not see any autorun.inf file! So I guess the inf file could not get installed..

Beyond that I do not know what happened. :flowers:

So Q2: Is there a chance to find out if there is some virus still lodged on my PC? Which tool will help me do that when all your tools have failed? And also I do not see any sign of virus except what I am going to tell you now.

After RRT worked, I found a new problem. I was now unable to hide the files again. It was as if what RRT promised was too true to its promise! The files kept being visible!

So after some research on the net I made the following settings in REGEDIT:

HKEY_LOCAL_MACHINE-->SOFTWARE-->MICROSOFT-->WINDOWS-->CURRENT VERSION-->EXPLORER-->ADVANCED-->FOLDER-->HIDDEN-->NOHIDDEN --> CheckedValue and DefaultValue both = 0, AND SHOWALL --> CheckedValue = 1 AND DefaultValue = 0

and
HKEY_CURRENT_USER-->SOFTWARE-->MICROSOFT-->WINDOWS-->EXPLORER-->ADVANCED-->HIDDEN value = 1 (which means show, I believe)

So then I could still see the hidden files. Ok. So far so good!! :thumbsup:

And now I could also change the setting using Tools-->Folder Options-->View-->Hidden files and folders by choosing the "Do not show" radio button.

The hidden files can become hidden again. Good.

But now the problem!! Now I am not able to change to the "Show" radio button again.
I go to regedit and see the settings changed to

HKEY_CURRENT_USER-->SOFTWARE-->MICROSOFT-->WINDOWS-->EXPLORER-->ADVANCED-->HIDDEN value = 2 (do not show, I believe) or 0 (that too does not show, I believe)

Question-3: Now why is this happening? Why does it change to 2, or what else do I need to do? Unless I change this setting to 1 again I am unable to see the hidden files. So how do I get my Tools-->Folder Options working again?

And of course some setting in the registry seems to be making this happen.. it must be some trace of the virus, or maybe the full thing still working..!! How to detect it?

Thanks for the help in advance.. I am learning from you.. as you see.. but this USB pen drive virus is becoming a headache now! As even though my own PC is protected from viruses I am not able to prevent the USB virus from coming in!! What about that? What will help in doing that? This is question-4

:trumpet:
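An added example, not from this thread or from any of the tools named in it: a Python script that parses a .reg export of the keys sdas57 lists and reports every value that differs from the stock definitions of the two "Hidden files and folders" radio buttons. The expected values are those of an unmodified Windows XP install; the export below is constructed to mirror the edited state he describes.

```python
import re

HKLM_HIDDEN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden"
HKCU_ADV = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Stock Windows XP definitions of the two radio buttons. Explorer writes
# CheckedValue to HKCU\...\Advanced\Hidden when a button is chosen and
# selects the button whose CheckedValue matches the stored Hidden value.
EXPECTED = {
    HKLM_HIDDEN + r"\SHOWALL": {"CheckedValue": 1, "DefaultValue": 2},
    HKLM_HIDDEN + r"\NOHIDDEN": {"CheckedValue": 2, "DefaultValue": 2},
}
HIDDEN_MEANING = {1: "show hidden files", 2: "do not show hidden files"}

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg(text):
    """Map each key path (lower-cased) to its dword values, {name: int}."""
    values, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            values.setdefault(current, {})
            continue
        val = DWORD_RE.match(line)
        if val and current is not None:
            values[current][val.group(1)] = int(val.group(2), 16)
    return values

def audit(text):
    """Return human-readable findings; an empty list means the keys look stock."""
    reg, findings = parse_reg(text), []
    for key, expected in EXPECTED.items():
        button = key.split("\\")[-1]
        actual = reg.get(key.lower(), {})
        for name, want in expected.items():
            got = actual.get(name)
            if got != want:
                findings.append(f"{button} {name} is {got}, expected {want}")
    hidden = reg.get(HKCU_ADV.lower(), {}).get("Hidden")
    if hidden not in HIDDEN_MEANING:
        findings.append(f"HKCU Hidden is {hidden}: matches no radio button, so Explorer does not show hidden files")
    return findings

# Constructed export mirroring the edited state described in the thread:
# NOHIDDEN zeroed, SHOWALL DefaultValue zeroed, and the user value left at 0.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\NOHIDDEN]
"CheckedValue"=dword:00000000
"DefaultValue"=dword:00000000
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\SHOWALL]
"CheckedValue"=dword:00000001
"DefaultValue"=dword:00000000
[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced]
"Hidden"=dword:00000000
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

Run against a real export (regedit > File > Export of the two keys) the same function lists what a cleaner would have to put back.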


#2 ruby1, a forum member (Members, 2,375 posts)

Posted 29 May 2008 - 01:23 PM

Please clarify; do you have TWO antivirus programs on there, AVG 7.5 and ClamWin?
If your computer is still infected, can you update SUPER, reboot and run a FULL deep scan with it?

Then post the log report FROM that scan for examination.

#3 sdas57, Topic Starter (Members, 61 posts, Gender: Male, Location: New Delhi, India)

Posted 30 May 2008 - 06:10 AM

Hi Ruby1

Yes I have two. But only AVG is real time; ClamWin is not real time. Btw SUPERAntiSpyware is also not real time as this is the free version. I had earlier scanned and found nothing. But since you asked I updated again today and scanned, and here is the log report. Mostly it found tracking cookies, which are quite normal I think. Ok.. maybe you can help with the other 3 questions also.. or somebody else??


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/30/2008 at 10:32 AM

Application Version : 4.1.1046

Core Rules Database Version : 3471
Trace Rules Database Version: 1462

Scan type : Complete Scan
Total Scan Time : 00:47:00

Memory items scanned : 681
Memory threats detected : 0
Registry items scanned : 7712
Registry threats detected : 0
File items scanned : 28900
File threats detected : 8

Adware.Tracking Cookie
C:\Documents and Settings\Shantanu Das\Cookies\shantanu das@richmedia.yahoo[1].txt
C:\Documents and Settings\Shantanu Das\Cookies\shantanu das@ads.cnn[2].txt
C:\Documents and Settings\Shantanu Das\Cookies\shantanu das@tacoda[2].txt
C:\Documents and Settings\Shantanu Das\Cookies\shantanu das@atwola[1].txt
C:\Documents and Settings\Shantanu Das\Cookies\shantanu das@ad-aware.en.softonic[2].txt
C:\Documents and Settings\Shantanu Das\Cookies\shantanu das@revsci[1].txt
C:\Documents and Settings\Shantanu Das\Cookies\shantanu das@1071023774[1].txt
C:\Documents and Settings\Shantanu Das\Cookies\shantanu das@1069551092[1].txt

#4 quietman7, Bleepin' Janitor (Global Moderator, 51,139 posts, Gender: Male, Location: Virginia, USA)

Posted 30 May 2008 - 08:21 AM

From what you describe, it appears to be a flash (usb, pen, thumb, jump) drive infection. Flash drive infections usually involve malware that loads an autorun.inf file into the root folder of all drives (internal, external, removable). When the removable media is inserted, autorun looks for autorun.inf and automatically executes another malicious file to run on your computer. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if autorun has not been disabled.

Please insert your flash drive before we begin. Hold down the Shift key when inserting the drive until Windows detects it to bypass the autorun feature and keep autorun.inf from executing automatically.

If you're using Windows 2000/XP, please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix".
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights"
When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that is plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
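An added example, not part of quietman7's instructions and not code from Flash_Disinfector or SDFix: a Python triage script that parses the launch directives of an autorun.inf and tells a launcher file apart from the protective autorun.inf folder the post describes. The drive roots and the inf content are constructed in a temporary directory.

```python
import os
import tempfile

# Directives that make autorun launch a program when the drive is inserted
# or its icon is double-clicked; "shell\...\command" entries do the same.
LAUNCH_KEYS = ("open", "shellexecute")

def parse_autorun(text):
    """Return the [autorun] section of an autorun.inf as {key_lower: value}."""
    directives, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives

def assess_drive_root(root):
    """Classify what sits at <root>/autorun.inf for a triage report."""
    path = os.path.join(root, "autorun.inf")
    # os.path checks see hidden files too, so a worm's hidden inf is not
    # missed the way it is in an Explorer window that hides hidden files.
    if not os.path.lexists(path):
        return {"status": "absent", "launches": []}
    if os.path.isdir(path):
        # A folder named autorun.inf (what Flash_Disinfector creates) cannot
        # be parsed by autorun and blocks a file of that name being dropped.
        return {"status": "placeholder-folder", "launches": []}
    with open(path, encoding="utf-8", errors="replace") as fh:
        d = parse_autorun(fh.read())
    launches = [f"{k}={d[k]}" for k in LAUNCH_KEYS if k in d]
    launches += [f"{k}={v}" for k, v in d.items()
                 if k.startswith("shell\\") and k.endswith("\\command")]
    return {"status": "launcher" if launches else "benign-inf", "launches": launches}

# Constructed autorun.inf in the shape a flash-drive worm leaves behind:
# every entry point is pointed at an executable carried on the drive.
SAMPLE_AUTORUN = "\n".join([
    "[AutoRun]",
    "open=sample\\update.exe",
    "shellexecute=sample\\update.exe",
    "shell\\open\\command=sample\\update.exe",
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4",
])

def demo():
    """Build three constructed drive roots in a temp dir and assess each one."""
    base = tempfile.mkdtemp(prefix="usb-triage-")
    roots = {name: os.path.join(base, name) for name in ("infected", "protected", "clean")}
    for d in roots.values():
        os.makedirs(d)
    with open(os.path.join(roots["infected"], "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    os.makedirs(os.path.join(roots["protected"], "autorun.inf"))  # folder, not file
    return {name: assess_drive_root(d)["status"] for name, d in roots.items()}
```

Pointing assess_drive_root at a real drive letter (for example "E:\\") gives the same three-way answer for a plugged-in pen drive.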

#5 sdas57, Topic Starter (Members, 61 posts, Gender: Male, Location: New Delhi, India)

Posted 01 June 2008 - 01:40 PM

Hi Quietman!

Thanks once again. Last time too you were the one who helped me. However this time it seems this will take a bit longer. Because,

1. I downloaded the file from your link. It did not work the way they have said in the tutorial. In the tutorial it seems they are talking of a setup file. But you have given the final file. When I click it, it says insert USB as you said. Then it says "screen may go blank etc" and after some time says "Done". Nothing else!! No hidden folder created.. no log file created.. no other screen visible.

2. Plus one more thing: if there is an autorun.inf file, I have searched for it everywhere; my PC does not have any, nor do my USB drives. I can see my hidden files as I said.. and that is the main problem as said in my four questions above.

So what to do now? I even tried doing the same thing in safe mode, but same results!!

Waiting... thanks!!!!!!

On second thoughts... I am downloading the installation file from the tutorial page and doing what it says.. now. Let me see what happens and then I will come and report! Hopefully nothing will go wrong!!

Edited by sdas57, 01 June 2008 - 01:59 PM.


#6 quietman7, Bleepin' Janitor (Global Moderator, 51,139 posts, Gender: Male, Location: Virginia, USA)

Posted 01 June 2008 - 03:20 PM

This issue will require further investigation. Before that can be done you will need to create and post a HijackThis log.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log" and complete all the steps. There are instructions for downloading and running Deckard's System Scanner (DSS) which will create a hijackthis log for you, or automatically download and install the most current version of HijackThis if it's not already installed on your computer.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the HJT Team.

#7 sdas57, Topic Starter (Members, 61 posts, Gender: Male, Location: New Delhi, India)

Posted 01 June 2008 - 03:24 PM

Hi quietman.

I notice NOW that you were talking of two different programs. :flowers: Anyway, I have installed and run SDFix in safe mode. Only when it rebooted I went to normal mode. I hope that does not matter (?).

One note: a message came during scanning, "access denied", just before the 75% complete message. This is not in the log report, so I guess the log does not capture everything!!

Nothing is found. The report is pasted below.

I guess Q-1 is answered by you, but what is the name of the virus, do you think? However I do not find any virus still, even using SDFix. So my first message still holds. I guess Q-2 is answered if SDFix is the right tool, or are there some more tests to be done?

Q-3 seems to be answered because now I am able to choose the radio buttons for show and also hide hidden files and folders as many times as I want, like normally. :thumbsup:

However I now notice (I did not check this last time) that it is not allowing me to deselect the checkbox for the "Hide protected system files (recommended)" option!!
How to get that corrected?
This now becomes Q-3a.

And I again ran Flash_Disinfector.. again it said "Done" but I doubt it is checking the USB pen drives (2 nos.) and one no. USB external HDD (IDE), because no light flashed in the pen drives.

And I do not see any hidden folder autorun.inf on the pen drives!!.. So Q-4 still needs an answer please.

Q-5 -- Can you explain how the registry was rectified when it did as above? And how will Flash_Disinfector protect USBs as you said in your message?

I will wait for your reply. Thanks
:trumpet:
SDas

Edited by sdas57, 01 June 2008 - 03:25 PM.


#8 sdas57, Topic Starter (Members, 61 posts, Gender: Male, Location: New Delhi, India)

Posted 01 June 2008 - 04:50 PM

Hi!! Sorry I forgot to paste the log of SDFix last time. And I also noticed that when I typed my earlier message your message was not there, but now it appears before mine.. it means ours have crossed each other. Okay, after this I will also do the other things you have told me to do.


SDFix: Version 1.187
Run by Shantanu Das on 02/06/2008 at 00:49

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-02 01:02:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"="C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe:*:Enabled:ConfigFree SUMMIT Engine"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\ICQ6\\ICQ.exe"="C:\\Program Files\\ICQ6\\ICQ.exe:*:Enabled:ICQ Library"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"="C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe:*:Enabled:LifeExp.exe"
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"="C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe:*:Enabled:LifeCam.exe"
"C:\\Program Files\\Palm\\HOTSYNC.EXE"="C:\\Program Files\\Palm\\HOTSYNC.EXE:*:Enabled:HotSyncr Manager Application"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :



Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Thu 19 Apr 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 23 Sep 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Fri 17 Aug 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f72bfd3613c9a4436ad01c60024011c0\BIT40.tmp"
Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BITA.tmp"
Mon 22 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fe95c915e785c18bf9cc0792fb5a73df\BIT9.tmp"
Mon 21 Apr 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\b04vbzl.dll"
Mon 21 Apr 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\w195iq1.dll"


Finished!

#9 Orange Blossom, OBleepin Investigator (Moderator, 36,854 posts, Gender: Not Telling, Location: Bloomington, IN)

Posted 02 June 2008 - 04:59 PM

Hello sdas57,

I see that you now have a HijackThis log posted here: http://www.bleepingcomputer.com/forums/t/150146/usb-malware-hide-protected-system-files-option-not-working-in-tools-folder-options/ Because you have this log posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :cherry;

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript