Program Files in all programs empty


13 replies to this topic

#1 taternutz

Posted 06 June 2011 - 08:26 AM

I got some sort of trojan/hijacker/virus. I used MBAM and combofix. It seemed to get rid of the trojan. This trojan was particularly nasty. It hid my desktop and told me my hard drive was crashing. It also deleted all my start menu files. The listings are still there, but when you go to, say, Accessories, it says "empty". Went to Documents and Settings and they are also empty there.

Anything anyone can do to help would be greatly appreciated...

Thanks,

Taternutz

Edited by hamluis, 06 June 2011 - 08:27 AM.
Moved from XP to Am I Infected.




#2 quietman7 (Global Moderator)

Posted 06 June 2011 - 10:07 AM

Please post the complete results of your MBAM scan for review.

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
  • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
    -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose Copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
Logs are saved to the following locations:
-- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-yyyy-mm-dd
-- Vista, Windows 7, 2008: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-yyyy-mm-dd



The symptoms you describe are indicative of a side effect from the HDD Defrag family of rogue security programs which changes file attributes to "hidden", making them appear invisible so the user thinks some of their files have been deleted. Newer variants of the FakeHDD rogue delete Quick Launch and Start Menu items/folders and store them in a %Temp%\smtmp folder.

See this example guide which includes removal instructions and using unhide.exe (Step 17), a tool which will remove the "hidden" attribute on all files and attempt to restore Quick Launch and Start Menu items to their proper location. When done you will need to restore the hidden attributes to those files manually. To do that, open Windows Explorer, go to Tools > Folder Options > View and make that change there.
Note: Do not clean out your temporary files/folders until this issue is resolved.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 taternutz (Topic Starter)

Posted 29 June 2011 - 03:18 AM

Mbam Run 1

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6664

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/24/2011 1:13:44 PM
mbam-log-2011-05-24 (13-13-44).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 344238
Time elapsed: 2 hour(s), 0 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\qoobox\quarantine\c\documents and settings\all users\application data\16244516.exe.vir (Rogue.WindowsRecoveryConsole) -> Quarantined and deleted successfully.
c:\qoobox\quarantine\c\documents and settings\all users\application data\ywjcrfuitusqdav.exe.vir (Trojan.FakeMS.Gen) -> Quarantined and deleted successfully.
c:\qoobox\quarantine\c\documents and settings\all users\application data\gicfcmg06510\gicfcmg06510.exe.vir (Rogue.Palladium) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\all users\application data\mefmifn05200\mefmifn05200.exe.vir (Rogue.SystemTool) -> Quarantined and deleted successfully.
c:\system volume information\_restore{3ecf326f-aa82-42c8-8aa2-ecbe3eded24e}\rp356\a0132008.exe (Rogue.WindowsRecoveryConsole) -> Quarantined and deleted successfully.
c:\system volume information\_restore{3ecf326f-aa82-42c8-8aa2-ecbe3eded24e}\rp356\a0132009.exe (Trojan.FakeMS.Gen) -> Quarantined and deleted successfully.

Mbam Run 2

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6741

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/1/2011 12:35:58 AM
mbam-log-2011-06-01 (00-35-58).txt

Scan type: Quick scan
Objects scanned: 174403
Time elapsed: 2 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Thomas Tatum\Local Settings\Application Data\viw.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 taternutz (Topic Starter)

Posted 29 June 2011 - 03:28 AM

I had already used the unhide program, but the ones in my start menu never unhid...guess I accidentally cleared my temp folders...oh well too late too sorry. Most of the programs are still in my program files through the c drive.

#5 quietman7 (Global Moderator)

Posted 29 June 2011 - 07:02 AM

This is a manual fix for XP users:

1. Copy the entire content of this folder:
C:\Documents and Settings\user_name\Local Settings\Temp\smtmp\1
and paste it to this folder:
C:\Documents and Settings\All Users\Start Menu

2. Copy the entire content of this folder:
C:\Documents and Settings\user_name\Local Settings\Temp\smtmp\2
and paste it to this folder:
C:\Documents and Settings\user_name\Application Data\Microsoft\Internet Explorer\Quick Launch

3. Copy the entire content of this folder:
C:\Documents and Settings\user_name\Local Settings\Temp\smtmp\3
and paste it to this folder:
C:\Documents and Settings\user_name\Application Data\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar

4. Copy the entire content of this folder:
C:\Documents and Settings\user_name\Local Settings\Temp\smtmp\4
and paste it to this folder:
C:\Documents and Settings\All Users\Desktop

If the above does not work then you can restore the defaults for the Start Menu, Accessories and Administrative Tools as follows:
For any other missing program shortcuts you will probably need to reinstall the application or manually create new shortcuts.

Rescan again with Malwarebytes Anti-Malware (Quick Scan) in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally will prevent Malwarebytes from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

The database in your previous log shows 6741. Last I checked it was 6975.
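The four copy steps of the manual XP fix above, together with the "hidden" attribute reset that quietman7 describes in post #2, as an added Python script (not code from the thread or from BleepingComputer). The profile folder names, the sample .lnk files and the temp-directory demo are constructed assumptions for illustration; point restore_smtmp at the real %Temp%\smtmp and profile roots to use it.

```python
# Added example (not from the thread): put back the Start Menu, Quick Launch, pinned-taskbar and
# Desktop items a FakeHDD-style rogue stashed in %Temp%\smtmp and clear the 'hidden' attribute it set.
import ctypes
import shutil
import tempfile
from pathlib import Path
# smtmp sub-folder -> (profile root, destination relative to that root), one entry per manual step
SMTMP_MAP = {
    "1": ("all_users", Path("Start Menu")),
    "2": ("user", Path("Application Data/Microsoft/Internet Explorer/Quick Launch")),
    "3": ("user", Path("Application Data/Microsoft/Internet Explorer/Quick Launch/User Pinned/TaskBar")),
    "4": ("all_users", Path("Desktop")),
}
FILE_ATTRIBUTE_HIDDEN = 0x2


def unhide(path: Path) -> bool:
    """Clear the hidden attribute (Windows only). Returns True if it was cleared."""
    k32 = getattr(getattr(ctypes, "windll", None), "kernel32", None)
    if k32 is None:  # not Windows: nothing to clear
        return False
    attrs = k32.GetFileAttributesW(str(path))
    if attrs in (-1, 0xFFFFFFFF) or not attrs & FILE_ATTRIBUTE_HIDDEN:  # -1 = INVALID_FILE_ATTRIBUTES
        return False
    return bool(k32.SetFileAttributesW(str(path), attrs & ~FILE_ATTRIBUTE_HIDDEN))


def restore_smtmp(smtmp: Path, user_profile: Path, all_users: Path) -> dict:
    """Copy smtmp\\1..4 back to their homes. Returns {sub-folder: [restored files]}."""
    roots = {"user": user_profile, "all_users": all_users}
    restored = {}
    for sub, (root, rel) in SMTMP_MAP.items():
        src, dest, copied = smtmp / sub, roots[root] / rel, []
        for item in src.rglob("*"):  # yields nothing if the rogue left no such sub-folder
            if item.is_file():
                target = dest / item.relative_to(src)
                target.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(item, target)  # keeps timestamps, overwrites a stale copy
                unhide(target)
                copied.append(item.relative_to(src).as_posix())
        restored[sub] = sorted(copied)
    return restored


def run_demo() -> dict:
    """Build a constructed smtmp tree in a temp dir and restore it; no real profile is touched."""
    root = Path(tempfile.mkdtemp())
    (root / "smtmp/1/Programs/Accessories").mkdir(parents=True)
    (root / "smtmp/1/Programs/Accessories/Notepad.lnk").write_bytes(b"constructed .lnk")
    (root / "smtmp/4").mkdir()
    (root / "smtmp/4/Firefox.lnk").write_bytes(b"constructed .lnk")
    result = restore_smtmp(root / "smtmp", root / "user", root / "All Users")
    result["start_menu_ok"] = (root / "All Users/Start Menu/Programs/Accessories/Notepad.lnk").is_file()
    result["desktop_ok"] = (root / "All Users/Desktop/Firefox.lnk").is_file()
    shutil.rmtree(root)
    return result
```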

#6 taternutz (Topic Starter)

Posted 29 June 2011 - 08:17 AM

That was an old log...I have updated since then.

Thanks, I will give it a try...

#7 taternutz (Topic Starter)

Posted 29 June 2011 - 08:26 AM

C:\Documents and Settings\user_name\Local Settings

file can not be found.

#8 quietman7 (Global Moderator)

Posted 29 June 2011 - 08:48 AM

C:\Documents and Settings\user_name\Local Settings

file can not be found.

Reconfigure Windows to show hidden files, folders

#9 taternutz (Topic Starter)

Posted 29 June 2011 - 07:11 PM

Ok...hidden files are shown...no smtmp folders...I would say I screwed up...I really appreciate your help. All the files I need can still be found in c drive program files, just an inconvenience.

#10 taternutz (Topic Starter)

Posted 29 June 2011 - 07:26 PM

Oh...BTW, my browsers are still being hijacked, even though MBAM did not detect malicious programs. This happens with IE and Firefox.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6971

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/29/2011 7:23:10 PM
mbam-log-2011-06-29 (19-23-10).txt

Scan type: Quick scan
Objects scanned: 180602
Time elapsed: 6 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#11 quietman7 (Global Moderator)

Posted 29 June 2011 - 08:26 PM

Please follow these instructions: How to remove Google Redirects or the TDSS, TDL3, Alureon rootkit using TDSSKiller
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • When the program opens, click the Start Scan button.
  • Any objects found will show in the Scan results - Select action for found objects and offer three options.
  • If an infected file is detected, the default action will be Cure...do not change it.
  • Click Continue > Reboot now to finish the cleaning process. <- Important!!
  • If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection. Leave it as such for now.
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer or to perform the scan in "safe mode".

-- For any files detected as 'Suspicious' (except those identified as Forged to be cured after reboot) get a second opinion by submitting to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.

#12 taternutz (Topic Starter)

Posted 29 June 2011 - 09:32 PM

ok, I cannot get tdsskiller to run at all. I did run MBAM in safe mode and found 2 more files...

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6971

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

6/29/2011 10:31:44 PM
mbam-log-2011-06-29 (22-31-44).txt

Scan type: Quick scan
Objects scanned: 179463
Time elapsed: 3 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\thomas tatum\local settings\temp\0.1674426416527539.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\0.859188621831821.exe (Exploit.Dropper) -> Quarantined and deleted successfully.

Edited by taternutz, 29 June 2011 - 10:48 PM.


#13 taternutz (Topic Starter)

Posted 29 June 2011 - 09:49 PM

IE absolutely will not go to the tdss page. How can I get firefox to run the program automatically like it does in ie?

#14 quietman7 (Global Moderator)

Posted 30 June 2011 - 07:53 AM

Sounds like the malware is stopping TDSSKiller. Some infections are difficult to remove completely because of their morphing characteristics which allow the malware to regenerate itself or infect critical system files which cannot be cleaned. Sometimes there is an undetected hidden piece of malware such as a rootkit which protects malicious files and registry keys so they cannot be permanently deleted. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a DDS log for further investigation.

Please read the "Preparation Guide".
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.
When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, please reply back here with a link to the new topic so we can close this one.