[Jintan]

step 2. everything in the log contained either desktop.ini, Desktop.ini, or DESKTOP.INI.

Yes, that's a given, since we were looking for those. But are they in folders that also have these unwanted hidden files? A long shot, I admit.

Let me go back and take another look at the OT log. Some malware settings just getting overlooked here.

Check this in the meantime please.

Go to Start Search, type regedit, and when that shows at the top of the menu right click it, and select "Run as administrator".

In the Registry Editor display, navigate to the following Registry key:

HKEY_USERS\S-1-5-21-1343024091-484061587-1801674531-1004

Most of the numbers in your Registry Editor will be different, except for the parts I hilighted.

Under that, see if something like this is there:

HKEY_USERS\S-1-5-21-1343024091-484061587-1801674531-1004\Software\Classes\.exe

For now just let me know.

[Advertisements]

Yes, some of the files that are hidden contain desktop.ini. the reason I say some is because there are just too many to look up all of them.. However I have confirmed 2 folders and it's contents in which they are hidden and contain desktop.ini. And no, there is no .exe in that part of the registry.

[Kasey21]

Yes, some of the files that are hidden contain desktop.ini. the reason I say some is because there are just too many to look up all of them.. However I have confirmed 2 folders and it's contents in which they are hidden and contain desktop.ini. And no, there is no .exe in that part of the registry.

[Jintan]

For those two folders, rename those desktop.ini files to larry1 and larry2 (just as shown). Reboot, and check the file that are hidden.

[Jintan]

Other user accounts have the same problem with the same files?

[Kasey21]

For those two folders, rename those desktop.ini files to larry1 and larry2 (just as shown). Reboot, and check the file that are hidden.

uhmm... I didn't really understand. I just renamed the folders and files to larry1 and larry2 and rebooted. It didn't fix anything but for some reason I think that isn't what I suppose to do. lol.. I got confused with the "(just as shown)" part.

Other user accounts have the same problem with the same files?

there is only one user account on the computer. the "Guest" account is disabled.

[Jintan]

Go to Control Panel - User Accounts, and create a new admin user account.

Restart the computer, log in to that new account, and just see if it experiences the same issues. Better to choose a keeper name for the new account. If it does not experience the same problems, you can just use the actual system's Administrator account, transferred personal data, then switch over to this new user account.

[Kasey21]

All file properties are still messed up. However, I was able to update Adobe on the new one. I couldn't do it on this one as for some reason it said I didn't have permission.

[Jintan]

There's a tool developed by Grinler over at Bleeping that does assist with unhiding the malware altered files. The procedure is not without some downsides, such as more files are unhidden than the system usually has. But given the mess the malware makes, the trade-off seems okay.

Click here and download unhide.exe to your desktop.

Then temp disable all security softwares, and click the file to run the fix. Agree to any prompts, and be sure to reboot after. I have not had time to check this fix yet, but the results for many others looks promising.

After the reboot check how everything is, and post back an update please. My thanks to Grinler for the great work on the tool.

[Kasey21]

That fixed it. I can just use the other Administrator account and delete this one to fix the "permission" problems. Thanks for helping me

[Jintan]

You did well there. Do you wish to check installed programs, for suggestions on any changes to be made, or just start cleaning up our work here?

[Jintan]

A teammate at a different forum provided some very clear details of the infection your system has/had, and I now see how little I knew of these changes. If you still are running into problems on that system, feel free to still post here, or I can also ask someone more knowledgeable about this particular infection to assist here.

[Kasey21]

Well the only thing that was fixed was the hidden folders. Making a new account and using it instead, fixes the permission issues but it is more of ignoring the problem. lol. I also have folders that are suppose to be hidden that were unhidden. But there are just a few of them and I can manually change them. So, if you can I would really like to fix the permission problems instead of using a new account . Thanks

[Jintan]

Good. Help me to be clear on the goals there. What exactly is having permissions issues there? Too many permissions, too few, a bunch of files/folders, these few files folders?

[Kasey21]

Not 100% on which folders exactly, but the problem occurs when I try to update Adobe Reader and I get an error message saying I don't have permission to access a folder that is needed for the update. Also, I didn't have permission to change the settings on some folders. Like I tried to change the folder ESET to unhidden when it was hidden a while back but it said I didn't have permission to do this. In fact, I just noticed, but it was the only folder in Program Files that didn't change when I used the unhide program. So I'd have to say that problem is too few permissions on a few files/folders.

[Jintan]

Let's do this methodically, going by some existing info. Just know there are some tools you can use to undo permissions, but better we not get to that just yet.


Go to Start Search, type cmd.exe in the Start Search box. Cmd.exe will appear at the top of the Menu. Rightclick on it and choose "Run as administrator". At the prompt copy/paste the following, pressing Enter after each:

dir /s /a "C:\Users\kelli\Local Settings\Temp\smtmp" > c:\larry.txt&c:\larry.txt

Your drive will be scanned and when finished, Notepad will pop up with some information. Copy and paste it in this thread.