• Status: Solved
  • Priority: Medium
  • Security: Public

Strange Virus or Spyware hiding all programs list.

We just got a computer that has some sort of malware on it that is hiding the All Programs list. When you go to All Programs, it is empty or the program folder is empty. It will not show the programs where you can open them.
We have taken the following steps. We have run rkill, ran Malwarebytes and SUPERAntiSpyware. They all removed infections but the programs still do not show up.

Anyone seen this and found a fix?  This is the first time any sort of malware has stumped me.
2 Solutions
 
Brian Gee commented:
Try running these to see if this helps with this issue:

Run this tool to remove the hidden flags on files and folders.
http://download.bleepingcomputer.com/grinler/unhide.exe

If the above doesn't fix it, try running RogueKiller option 6.
RogueKiller:
http://www.geekstogo.com/forum/files/file/413-roguekiller
0
 
n2fc commented:
Make sure you check for ROOTKIT viruses as well (especially in MBR)...

It might also be a registry setting left over from an old infection...

You might try Trend Micro's hijackthis for a good scan...
0
 
maximus7569 (Author) commented:
Any good rootkit programs to use?
0
 
younghv commented:
you might want to start with TDSSKILLER found here:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

* Download the file TDSSKiller.zip and extract it into a folder on the infected (or potentially infected) PC.
* Execute the file TDSSKiller.exe.
* Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.

If the tool finds a hidden service it will prompt you to type "delete",  you can also just hit "Enter" without typing in and the scan will continue...
Please post the log to be analyzed.
0
 
younghv commented:
To supplement the suggestion above about "RogueKiller", I have an Article here on EE about using it:

http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)
0
 
maximus7569 (Author) commented:
None of the above fully worked. I was able to unhide the folders under All Programs, but when you go to the folder of a program it is empty. If I go to Office 2007 it is empty; before there was no Office folder. There is now, but it is empty.

Anything else to try? This is one nasty form of malware.
0
 
Jonvee commented:
Yes, you could try running ComboFix.  From here, download CF and save to your Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before using ComboFix please disable any realtime AV or Shields you may have running.

Double click "combofix.exe" and follow the prompts.
When it's finished it will have produced a Logfile, probably at C:\ComboFix.txt.
Please post that log here.
Do not mouseclick Combofix's window while it is running, because it may stall.  
ComboFix must be run in normal mode.

In case you need it ...  A guide and tutorial on using ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
0
 
Jonvee commented:
Reviewing the question again ... if you are still unable to unhide those folders, you may like to try downloading & running "unhide.exe" from 'bleepingcomputer':
http://download.bleepingcomputer.com/grinler/unhide.exe
0
 
rpggamergirl commented:
Try running this command at the commandline:

attrib -h /s /d c:\*.* /c



ComboFix as suggested is a good idea, attach the log for us to check.

OR, also run OTL and show us the log. This doesn't delete anything on its first run; it will just generate a logfile.
Download OTL, save to Desktop or other convenient location.
http://oldtimer.geekstogo.com/OTL.exe

OTL does not need to be installed, simply click the OTL icon to run
Click the Quick Scan Button.
A log will open in notepad, and OTL.txt will be saved to the same location as OTL.exe (i.e.: desktop)
Post/attach the log here.
0
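As an added example (not code posted by anyone in this thread), the following PowerShell script does the Start Menu part of what unhide.exe and the attrib -h command above do for the whole drive, but as a report first: it lists every item under the All Users and per-user "Start Menu\Programs" folders that carries the Hidden attribute, writes them to a log, and only clears the attribute when run with -Fix. The log path and the -Fix switch are this example's own choices.

```powershell
# Added example: report (and optionally clear) the Hidden attribute on
# Start Menu "All Programs" entries. Run without -Fix to only report.
param(
    [switch]$Fix,
    [string]$LogPath = "$env:USERPROFILE\Desktop\unhide-startmenu.txt"  # assumed log location
)

# Resolve both Start Menu\Programs roots in a way that works on XP and later.
$roots = @(
    [Environment]::GetFolderPath('CommonPrograms'),   # All Users\Start Menu\Programs
    [Environment]::GetFolderPath('Programs')          # <current user>\Start Menu\Programs
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# -Force is required, otherwise Get-ChildItem skips hidden items entirely.
$hidden = @(foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Recurse -Force |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden }
})

"Scan of: $($roots -join '; ')  at $(Get-Date)" | Out-File -FilePath $LogPath
foreach ($item in $hidden) {
    $line = "{0}`t{1}" -f $item.Attributes, $item.FullName
    $line | Out-File -FilePath $LogPath -Append
    Write-Host $line
    if ($Fix) {
        # Clear Hidden and System (System also hides items in Explorer by default);
        # leave ReadOnly and Archive exactly as they were.
        $mask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
        $item.Attributes = $item.Attributes -band (-bnot $mask)
    }
}
$summary = "$($hidden.Count) hidden item(s) found; Fix mode: $Fix"
$summary | Out-File -FilePath $LogPath -Append
Write-Host $summary
```

If the report is empty but the program folders are still empty in Explorer, the shortcuts are no longer present to unhide, which matches what the asker later found, and no attribute tool will bring them back.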
 
maximus7569 (Author) commented:
We ran ComboFix as well, when I stated above nothing worked.

Here is the log for the OTL program.


OTL.Txt
0
 
rpggamergirl commented:
C:\Documents and Settings\fortiz\Desktop\lou1tn0v.exe <-- do you know this executable located on your desktop?


If you don't know the above .exe file, run this OTL script below:

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following


:OTL
[2011/05/10 19:05:55 | 000,302,080 | ---- | M] () -- C:\Documents and Settings\fortiz\Desktop\lou1tn0v.exe
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E60C72DB
[2011/05/06 19:48:01 | 000,000,224 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~18013988
[2011/05/06 19:48:00 | 000,000,136 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~18013988r
[2011/05/06 19:47:55 | 000,000,344 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\18013988

:Files
attrib -h /s /d c:\*.* /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]


• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
0
 
maximus7569 (Author) commented:
OK will try.
0
 
maximus7569 (Author) commented:
OK, I ran the fix and nothing changed. I still cannot see any of the programs. Maybe a wipe and nuke will be the only way to get this system fixed.
0
 
Jonvee commented:
Yes, unless others can come up with a different approach it looks as though it will have to be a reformat ... but first perhaps see if rpggamergirl can comment on OTL.

Incidentally, did you try downloading & running unhide.exe from 'bleepingcomputer'?
0
 
maximus7569 (Author) commented:
Yes I did.  When I ran that program, that is when the program folders showed up.  But when you go to them they are empty.
0
 
Jonvee commented:
OK, thanks.
Well, certainly don't wish to waste your time, but while we wait for any other comments you may like to try a couple of quick scans with these two, both having been successful recently where other 'scanners' have failed:

ESET Online Scanner, a free, & powerful tool:
http://www.eset.com/online-scanner 
and ...
Dr.Web CureIt!
http://www.freedrweb.com/cureit/?lng=en
0
 
maximus7569 (Author) commented:
Hi guys, I just wiped that system and it is back up and running, and we are patching it as I write this.

I really appreciate everyone's help.  I did learn some new stuff to try for the next time I see something like this.

How do I go about giving the points?
0
 
rpggamergirl commented:
Sorry, I wasn't able to help fix the issue.
0
 
maximus7569 (Author) commented:
rpggamergirl, your help was very much appreciated. I did learn some tricks from all of you that I didn't know before. I am sure it will help me in the next fight with spyware. :)

Thank you very much!  You did help!
0
 
rpggamergirl commented:
That's comforting! Thanks, I appreciate it :)
Sorry you ended up wiping the system.
0
