Solved Cannot access hidden folder filled with malware

September 9, 2013 at 04:10:45
Specs: Windows 7
[Windows 7 Home Premium]
How do I access folders and files when they are hidden from Windows Explorer and "access is denied" from the command prompt? Malwarebytes says c:\temp is filled with trojans and spyware but cannot delete them. c:\temp is invisible in Explorer and access is denied at the prompt. I tried booting from a repair disk and there is no problem and no temp directory; only when I boot normally. Is c:\temp created and hidden by a malware driver that loads on boot?



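Three different things can produce the symptoms in the question, and each has a different fix: the Hidden+System attribute pair (Explorer skips such folders even with "show hidden files" on, unless "hide protected operating system files" is also cleared, and a plain dir skips them too), a Deny ACE on the folder (which defeats an elevated cd or dir), or something below the file system API such as a filter driver, which is the one case a boot from repair media sidesteps because the installed system's drivers are not loaded. The script below is an added example for this thread, not anything the poster ran; it assumes Windows PowerShell 5.1 in an elevated console, the function and field names are my own, and the default path is the C:\temp from the question. It reports all three for a path:

```powershell
# Added example for this thread, not the poster's own commands. Assumes Windows
# PowerShell 5.1 in an elevated console; the default path is the one from the question.
param([string]$Path = 'C:\temp')

function Get-FolderLockState {
    param([Parameter(Mandatory)][string]$Path)

    # Directory.Exists is a raw attribute query, so it sees Hidden+System folders
    # that Explorer and a plain "dir" do not list.
    $exists = [IO.Directory]::Exists($Path)
    $state  = [ordered]@{ Path = $Path; Exists = $exists }
    if (-not $exists) { return [pscustomobject]$state }

    $item = Get-Item -LiteralPath $Path -Force
    $state.Attributes   = $item.Attributes.ToString()
    $state.ReparsePoint = ([int]$item.Attributes -band [int][IO.FileAttributes]::ReparsePoint) -ne 0

    # Owner and ACEs: a Deny entry for Everyone/Users is the usual cause of
    # "Access is denied" on cd/dir even when elevated, and a foreign owner blocks
    # ACL edits until ownership is taken.
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
        $state.Owner     = $acl.Owner
        $state.DenyCount = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }).Count
        $state.Access    = @($acl.Access | ForEach-Object {
            '{0} {1}: {2}' -f $_.AccessControlType, $_.IdentityReference, $_.FileSystemRights })
    } catch {
        $state.Owner     = 'unreadable: ' + $_.Exception.Message
        $state.DenyCount = -1
        $state.Access    = @()
    }

    # Enumeration test. Access denied here with no Deny entry, an Allow entry for
    # Administrators and Administrators as owner is not explained by the ACL at all,
    # which points below the file system API (a filter driver), exactly the case a
    # boot from external media bypasses.
    try {
        $state.ChildCount = @([IO.Directory]::GetFileSystemEntries($Path)).Count
        $state.ListError  = ''
    } catch {
        $state.ChildCount = -1
        $state.ListError  = $_.Exception.GetType().Name
    }
    return [pscustomobject]$state
}

Get-FolderLockState -Path $Path | Format-List
```

Read the output bottom-up: a ListError of UnauthorizedAccessException together with DenyCount 0, an Allow entry for Administrators and Administrators as owner is the combination that no attribute or ACL change will cure from the running system, and the point at which to finish the job from a repair boot rather than try another cleaner.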

✔ Best Answer
September 10, 2013 at 01:35:15
I discovered the infection came from a malware program called Folder Lock which was inadvertently installed some time ago (so a system restore was the last resort). It was promptly removed, but the infection remained and went unnoticed until now.

In addition to the invisible c:\temp folder I mentioned in my original post, I discovered this folder:

"C:\Program Files (x86)\Newsoftware's"

which, although visible, could not be deleted by the many different programs/apps I tried. Starting Windows in safe mode made no difference at all. In the properties (right-click context menu) for this folder I could see that it was read-only, so I unchecked read-only and clicked OK, but the read-only attribute was unaltered.

I took ownership of the folder with full administrative rights, but it had no effect. I could not delete the folder (got a message saying the folder was not empty).

I tried booting from a repair CD, and it made no difference with the Newsoftware's folder (however, there was no c:\temp folder - visible or invisible).

Fsutil.exe returned "access denied" when I tried it on the "newsoftware's" folder which is also what I got with the invisible "c:\temp" folder on normal boot.

I entered "CD" at the command prompt (with administrator rights) and tried to change to the "newsoftware's" folder and got "access denied".

I tried all of the software listed below in my efforts to locate and eliminate the infection:

Autoruns
Bitdefender
CCleaner
Comodo antivirus
File Assassin
Glarysoft
Hijack This
HitMan Pro
HxD Hex Editor
Kaspersky rootkit (tdsskiller.exe)
Lock Hunter
Malwarebytes
Microsoft tools
MoveOnBoot
Nirsoft (regscanner)
ProcessExplorer
RootKitBuster
Spybot
Spyware Terminator
SpyWareBlaster
SysInternals (several utilities)
WinUtilities

IMO, FolderLock is both insidious and malicious and I recommend avoiding any software from newsoftwares.net (lo4d.com). I discovered the registry was filled with infected keys with terms such as "flka", "flwin", "flservice", "newsoftwares" and "newsoftwares.net".

Malwarebytes alerted me to the problem which is most important and deserves many kudos (even though it was unable to delete). Autoruns was very useful in eliminating suspicious startup modules. Regedit was very useful. Nirsoft regscanner was useful. CCleaner was useful. Spybot was useful. ProcessExplorer was a help too.

Fortunately, I remembered a trick from my DOS batch file days. I made this two-line text file (which I named newsoftware's.reg) and ran it at the command prompt.

Windows Registry Editor Version 5.00

; The leading "-" inside the brackets tells regedit to delete the key and everything
; under it. HKEY_USERS\<SID> is the hive that HKEY_CURRENT_USER aliases for the
; logged-on user, so this is the same key as HKCU\Software\newsoftware's.
[-HKEY_USERS\S-1-5-21-2766679561-1162360380-126069945-1001\Software\newsoftware's]

That did it. The "C:\Program Files (x86)\Newsoftware's" folder is gone and so is the invisible "c:\temp" folder. Malwarebytes now gives a clean report. I hope this information will be of help to others with the same or similar problem.
/Thanks

Malwarebytes logfile before fix:
-------------------------------------------
9/6/2013 7:25:26 PM
mbam-log-2013-09-06 (19-25-26).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 219203
Time elapsed: 13 minute(s), 41 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
c:\temp\xfile (Trojan.Agent.AS) -> Delete on reboot.

Files Detected: 50
c:\temp\tdk.exe (Trojan.Banker.Gen) -> Delete on reboot.
c:\temp\der.exe (Trojan.Banker.Gen) -> Delete on reboot.
c:\tempbak.exe (PasswordStealer.Agent) -> Delete on reboot.
c:\tempo\norcom.exe (Trojan.Banker) -> Delete on reboot.
c:\tempo\sysmon.exe (Trojan.Banker) -> Delete on reboot.
c:\tempi\taskmgr.exe (Trojan.Banker) -> Delete on reboot.
c:\tempu\ctfmol.exe (Trojan.Downloader) -> Delete on reboot.
c:\tempu\taskng.exe (Trojan.Downloader) -> Delete on reboot.
c:\tempu\csr.exe (Trojan.Downloader) -> Delete on reboot.
c:\temp.pif (Worm.AutoRun) -> Delete on reboot.
c:\temp\archiws.txt (Malware.Trace) -> Delete on reboot.
c:\temp\informe.exe (HackTool.Agent) -> Delete on reboot.
c:\temp\loadam.exe (Trojan.Downloader) -> Delete on reboot.
c:\temp\svchost.exe (Backdoor.Bot) -> Delete on reboot.
c:\temp\tvoupdater.exe (Adware.SearchOn) -> Delete on reboot.
c:\temp_sys.exe (Trojan.Agent) -> Delete on reboot.
c:\temp32\winlogon.exe (Trojan.Agent) -> Delete on reboot.
c:\tempi\ie8.exe (Trojan.FakeIE) -> Delete on reboot.
c:\temps\svchost.exe (Trojan.Agent) -> Delete on reboot.
c:\tempx\wn.exe (Trojan.Downloader) -> Delete on reboot.
c:\tempx\wr.exe (Trojan.Downloader) -> Delete on reboot.
c:\tempi\ctfmon.exe (Trojan.Banker) -> Delete on reboot.
c:\tempi\msnmsgr.exe (Trojan.Banker) -> Delete on reboot.
c:\tempi\tasqmgr.exe (Trojan.Banker) -> Delete on reboot.
c:\tempi\csrss.exe (Trojan.Banker) -> Delete on reboot.
c:\temp_00\zses.exe (Trojan.Agent) -> Delete on reboot.
c:\temp\xfile\nsload.exe (Trojan.Agent.AS) -> Delete on reboot.
c:\tempu\javaw.exe (Trojan.Banker) -> Delete on reboot.
c:\tempq\winlogom.exe (Trojan.Banker) -> Delete on reboot.
c:\tempq\notepade.exe (Trojan.Banker) -> Delete on reboot.
c:\tempq\dwm.exe (Trojan.Banker) -> Delete on reboot.
c:\tempq\conhost.exe (Trojan.Banker) -> Delete on reboot.
c:\tempq\iexplorer.exe (Trojan.Downloader) -> Delete on reboot.
c:\tempq\dwn.exe (Trojan.Banker) -> Delete on reboot.
c:\tempsetup\install\ieupdater.exe (Trojan.Agent) -> Delete on reboot.
c:\tempo\morlom.exe (Trojan.Banker) -> Delete on reboot.
c:\tempo\scripts.exe (Trojan.Banker) -> Delete on reboot.
c:\tempo\stilknot.exe (Trojan.Banker) -> Delete on reboot.
c:\tempo\microsoft.exe (Trojan.Banker) -> Delete on reboot.
c:\tempservices.exe (Trojan.Downloader) -> Delete on reboot.
c:\tempo\casllas.exe (Trojan.Banker) -> Delete on reboot.
c:\tempx0\bmp.exe (Trojan.Agent) -> Delete on reboot.
c:\tempo\msnmr.exe (Trojan.Banker) -> Delete on reboot.
c:\tempo\toskmgr.exe (Trojan.Banker) -> Delete on reboot.
c:\tempo\tasnkmgr.exe (Trojan.Banker) -> Delete on reboot.
c:\tempo\ctfmom.exe (Trojan.Banker) -> Delete on reboot.
c:\temporignala.exe (Trojan.Agent.Gen) -> Delete on reboot.
c:\tempyyb\cyp.exe (Adware.Kraddare) -> Delete on reboot.
c:\tempimg\installer.exe (Trojan.LowZones) -> Delete on reboot.
c:\tempspynet-server.exe (Backdoor.SpyNet) -> Delete on reboot.
-------------------------------------------

message edited by wnthne
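The answer above tried attribute changes, ownership and deletion as separate steps from Explorer, and each failed in turn; the order matters, because until Administrators own the tree an ACL edit silently fails, and until the Deny entries are gone the attribute change fails. The script below is an added example, not the poster's own procedure: it performs those steps in the working order with takeown, icacls and attrib, deletes the folder, removes the registry key the poster named (Remove-Item on the HKCU: drive does what the .reg deletion does), and then reports any other keys or values that still contain the terms the poster found. It assumes Windows PowerShell 5.1 in an elevated console and that nothing kernel-side is still guarding the folder; if takeown or icacls themselves return "Access is denied", do the file step from WinRE or a live Linux boot, where the installed drivers are not loaded. Function names, the SID-based grant and the choice of registry roots are mine.

```powershell
# Added example, not the poster's own procedure. Assumes Windows PowerShell 5.1
# in an elevated console. Defaults are the folder, key and terms from the answer.
param(
    [string]   $Folder = 'C:\Program Files (x86)\Newsoftware''s',
    [string]   $RegKey = 'HKCU:\Software\newsoftware''s',
    [string[]] $Terms  = @('flka', 'flwin', 'flservice', 'newsoftwares')
)

function Unlock-Folder {
    param([Parameter(Mandatory)][string]$Path)
    if (-not [IO.Directory]::Exists($Path)) { return $false }

    # 1. Ownership first: until Administrators own the tree, ACL and attribute edits fail.
    takeown.exe /F "$Path" /R /D Y | Out-Null
    # 2. Replace the DACL: /reset discards explicit entries (including any Deny ACE)
    #    and restores inheritance; then grant Administrators (well-known SID
    #    S-1-5-32-544, so it works on non-English systems) full control on the tree.
    icacls.exe "$Path" /reset /T /C | Out-Null
    icacls.exe "$Path" /grant '*S-1-5-32-544:(OI)(CI)F' /T /C | Out-Null
    # 3. Clear ReadOnly/Hidden/System on the folder and on everything below it.
    attrib.exe -R -H -S "$Path" | Out-Null
    attrib.exe -R -H -S "$Path\*" /S /D | Out-Null
    # 4. Only now does the delete succeed; -Force covers entries that are still hidden.
    Remove-Item -LiteralPath $Path -Recurse -Force -ErrorAction Stop
    return -not [IO.Directory]::Exists($Path)
}

function Remove-RegistryKey {
    param([Parameter(Mandatory)][string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) { return $false }
    # Same effect as a "[-HKEY_...]" line in a .reg file: the key and all subkeys go.
    Remove-Item -LiteralPath $Key -Recurse -Force
    return -not (Test-Path -LiteralPath $Key)
}

function Find-RegistryTraces {
    param(
        [string[]]$Terms,
        # Per-user and machine software hives plus the services list; a term like
        # "flservice" is most likely to survive as a service definition.
        [string[]]$Roots = @('HKCU:\Software', 'HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet\Services')
    )
    $pattern = ($Terms | ForEach-Object { [regex]::Escape($_) }) -join '|'
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            if ($key.PSChildName -match $pattern) {
                [pscustomobject]@{ Key = $key.Name; Value = '(key name)'; Data = '' }
            }
            # Check value names and value data too: Run entries point at a path,
            # they rarely carry the vendor name in the key itself.
            foreach ($name in $key.GetValueNames()) {
                $data = [string]$key.GetValue($name)
                if ($name -match $pattern -or $data -match $pattern) {
                    [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $data }
                }
            }
        }
    }
}

'Folder removed: {0}' -f (Unlock-Folder -Path $Folder)
'Key removed:    {0}' -f (Remove-RegistryKey -Key $RegKey)
'Remaining registry traces:'
Find-RegistryTraces -Terms $Terms | Format-Table -AutoSize
```

Find-RegistryTraces only reports; it does not delete, because the services hive and HKLM\SOFTWARE also hold entries that merely mention a vendor (uninstall information, MRU lists) and a blanket delete there is how a cleanup turns into a reinstall. Walking HKLM\SOFTWARE recursively takes a few minutes on a typical system.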


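The Malwarebytes log above is worth reading for more than the count: almost every name in it imitates a Windows or user-land binary, either exactly (svchost.exe, winlogon.exe, csrss.exe, taskmgr.exe in a temp folder instead of System32) or with one character changed (tasqmgr, toskmgr, winlogom, ctfmom, iexplorer, notepade). The script below is an added example, not from the thread or from Malwarebytes: it parses "path (Family) -> Action." lines, summarises detections per folder, and flags the imitations with an edit-distance check. It assumes Windows PowerShell 5.1; the sample lines are copied from the posted log, and the list of imitated names and the function names are my own.

```powershell
# Added example, not from the thread or from Malwarebytes. Assumes Windows PowerShell 5.1.
# Sample input copied from the log posted in the answer.
$sampleLog = @'
Folders Detected: 1
c:\temp\xfile (Trojan.Agent.AS) -> Delete on reboot.

Files Detected: 50
c:\temp\svchost.exe (Backdoor.Bot) -> Delete on reboot.
c:\temp\tvoupdater.exe (Adware.SearchOn) -> Delete on reboot.
c:\tempi\taskmgr.exe (Trojan.Banker) -> Delete on reboot.
c:\tempi\tasqmgr.exe (Trojan.Banker) -> Delete on reboot.
c:\tempo\toskmgr.exe (Trojan.Banker) -> Delete on reboot.
c:\tempq\winlogom.exe (Trojan.Banker) -> Delete on reboot.
c:\tempq\notepade.exe (Trojan.Banker) -> Delete on reboot.
c:\tempq\iexplorer.exe (Trojan.Downloader) -> Delete on reboot.
'@

# Legitimate binary names that malware commonly borrows (my own list, lower-case).
$imitated = 'svchost','winlogon','csrss','dwm','conhost','taskmgr','ctfmon','iexplore','notepad','javaw','msnmsgr'

function ConvertFrom-MbamLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # e.g. "c:\tempi\tasqmgr.exe (Trojan.Banker) -> Delete on reboot."
        if ($line -match '^(?<path>[a-z]:\\.+?) \((?<family>[^)]+)\) -> (?<action>.+?)\.?$') {
            [pscustomobject]@{
                Path   = $Matches.path
                Dir    = (Split-Path $Matches.path -Parent).ToLowerInvariant()
                Base   = [IO.Path]::GetFileNameWithoutExtension($Matches.path).ToLowerInvariant()
                Family = $Matches.family
                Action = $Matches.action
            }
        }
    }
}

function Get-EditDistance {
    param([string]$A, [string]$B)
    # Two-row Levenshtein: insert, delete and substitute each cost 1.
    $prev = @(0..$B.Length)
    for ($i = 1; $i -le $A.Length; $i++) {
        $cur = @($i) + @(0) * $B.Length
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($cur[$j - 1] + 1, $prev[$j] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$B.Length]
}

function Find-Lookalikes {
    param([object[]]$Detections, [string[]]$Names = $imitated)
    foreach ($d in $Detections) {
        foreach ($n in $Names) {
            $dist = Get-EditDistance $d.Base $n
            if ($dist -eq 0 -and $d.Dir -notmatch '\\windows\\system32$') {
                [pscustomobject]@{ Path = $d.Path; Imitates = "$n.exe"; Why = 'system name outside System32'; Family = $d.Family }
            } elseif ($dist -eq 1) {
                [pscustomobject]@{ Path = $d.Path; Imitates = "$n.exe"; Why = 'one-character lookalike'; Family = $d.Family }
            }
        }
    }
}

$detections = @(ConvertFrom-MbamLog -Lines ($sampleLog -split "`r?`n"))
'Detections per folder:'
$detections | Group-Object Dir | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize
'Names that imitate Windows binaries:'
Find-Lookalikes -Detections $detections | Format-Table -AutoSize
```

On the sample, the per-folder table shows that the "Delete on reboot" entries are spread over several c:\temp* siblings rather than one folder, which is why clearing only c:\temp would not have been enough, and the lookalike table lists every name above except tvoupdater.exe and xfile. The same check applied to a Sysinternals Autoruns export or a process list catches this family of tricks before a scanner names them.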

#1
September 9, 2013 at 04:57:28
Are you running your scans from Safe Mode?


#2
September 9, 2013 at 06:33:31
Did not think of it, but I will try that next and see if there are better results. Thanks.


#3
September 9, 2013 at 14:02:54
I would recommend running a System Restore to a date well before you noticed the issue in order to be sure your system files are not corrupted (use 'show more restore points' to see further back). Then restart into Safe Mode, and rerun Malwarebytes to be sure all of it is gone.

You have to be a little bit crazy to keep you from going insane.




#5
September 10, 2013 at 20:13:42
Glad to hear you solved it.
Consider running Disk Cleanup and checking off everything to help wipe out the temp folder contents.
Please note that if you boot to a DVD with a linux dist like Puppy Linux (not install), you can mount your drive and delete anything on it. WARNING, that includes required system files so be very careful. This way you can manually go through any confirmed bad files and folders and remove them.
Again, thanks for letting us know.


