Programs being deleted from C:\Program Files (x86)

Roman5 · 25 May 2012

Thanks for the fantastic advice guys. I've decided to go with kegobeer and do some damage limitation.

Mail and live movie maker have disappeared and windows live essentials says they're installed. I installed mail again but it's not installed. I can't install any windows live programs now, it lists them all with big green ticks saying they're installed and just a close button. If I try to delete the live mail folders showing up in program files x86 and program files, it says you require permission from trustedinstaller to make changes to this folder. I'm getting that on a few programs where it says trusted installed or SYSTEM need permissions. I tried to lock a folder the other day with windows permissions but then couldn't unlock it OR delete it, not even in safe mode, don't know if that had any bearing on these other things. There's so many messed up things now I think my only choice is to format and do a complete Windows 7 reinstall. It's been a long time coming anyway, it's just a right bloody PITA to go through the backing up and reinstalling stuff. Still, I'll take my time noting what I need to save, I'll do a ghetto backup and manually transfer important stuff to my laptop and nuke this infested C drive and reinstall windows.

I found thousands of .eml files in app data, so it looks like my emails are intact. So I presume I can import them into windows live mail on the new windows install.

karlsnooks · 25 May 2012

Roman,

Right now, before you lose anything more:
Run WDO, Windows Defender Offline.

This program runs without your Win 7 ever booting up. Consequently, WDO can rid you of the most evil types of malware plus the normal menagerie of evil animals.

The proper link for WDO is in my signature.
You will find complete instructions there.

If you prefer, we have a tutorial on WDO.

I'm including the procedure which I use:

HOW TO USE WINDOWS DEFENDER OFFLINE ON A USB STICK
Windows Defender Offline
· is a free standalone, bootable malware and virus remover from Microsoft.
· performs an offline scan of an infected PC to remove viruses, rootkits and other advanced malware.

Download Windows Defender Offline (about 764 kB)

You will have the choice of downloading the 32bit version (x86) or the 64 bit version (x64).
The link will help you determine whether you are running a 32 bit version or 64 bit version of Windows

NOTE!! You can download and prepare a 32 bit version using a 64 bit version of Windows
NOTE!! You can download and prepare a 64 bit version using a 32bit version of Windows.

You run the 32 bit version on a 32 bit version of Windows.
You run the 64 bit version on a 64 bit version of Windows.

The 32 bit download file name is: mssstool32.exe
The 64 bit download file name is: mssstool64.exe

For the curious, this program was originally name Microsoft Standalone System Sweeper.

INSTALLATION:
You will need an Internet Connection.
Insert 512 mB (Microsoft’s 256 mB is no longer accurate) or larger USB stick into a usb port.
Run the downloaded program--mssstool64.exe or mssstool32.exe
NEXT button
Choose the option On a USB flash drive that is not password protected
NEXT button
NEXT button
.
The install program will format the usb stick using the NTFS format.
The install program will download about 210 mB.
The install program will name the USB stick WDO_Media32 or WDO_Media64
The WDO_Media32 usb stick will have used space of 255 mB (268,140,544 bytes)
The WDO_Media64 usb stick will have used space of 282 mB (296,165,376 bytes)
You can expect the number of mB to increase as more malware appears.

UPDATE Windows Defender Offline USB stick:
· reinsert the usb stick
· run the installation program, mssstool64.exe or mssstool32.exe, again.
· the update will download about 66 mB (mssstool32.exe) and 68 mB (mssstool64.exe).

Since the malware database is sometimes updated several times in a day, always update before running.

PERFORM AN OFFLINE SCAN
Bootup your computer from the USB stick
Windows Defender Offline will automatically perform a quick scan.
After the quick scan finishes, Choose Full Scan
Select all of your drives

The initial, full scan can easily take several hours, but
Remember, your computer is being very thoroughly checked for all types of malware.

RESULTS OF THE SCAN
The results will be in 4 log files in:
\Windows\Microsoft Antimalware\Support

Upload the four log files please.
===========================================

Roman5 · 25 May 2012

Thanks karlsnooks, I will do that in a bit. The news get worse though. My laptop is infected. Malarebytes went missing from my laptops program files (x86) folder too, but so far nothing else has gone. Security Essentials found and quarantined the same Blacole.ES exploit, along with

Exploit: Java/CVE-2012-0507.R
Exploit: Java/CVE-2012-0507.D!ldr
Exploit: Java/CVE-2012-0507.AQ

When transferring files from my desktop to laptop just now, network connectivity had been turned off on both machines. Had to turn them both back on again.

karlsnooks · 25 May 2012

Roman,
You have the wrong sequence!

Running WDO is your highest priority!.

Roman5 · 25 May 2012

karlsnooks said:

Roman,
You have the wrong sequence!

Running WDO is your highest priority!.

You're right sir, I've just been panicking a little, transferring a few essentials from desktop to laptop.

I found my 2GB pendrive and am going to follow your instructions. I have win7 64 so assume I will need mssstool64.exe. Do I need to change my boot options in bios to bootup from the USB stick?

karlsnooks · 25 May 2012

consult the manual for your computer.
There should be instructions on performing a one-time change without having to change the bios.

For example, on my Toshiba if as soon as power is turned on then i start tapping the F12 key, a menu giving me the choice of a one time boot from USB appears.

Your other question is answered in the instructions I gave.

F5ing · 25 May 2012

How do you know if that crippled, virus-laden machine isn't infecting your other machine?

I think I would shut them both down to limit damage and run WDO as Karl suggests on both machines.

Don't bother running the OS on the hard drive of an infected machine. Save your files off of it by booting from CD/DVD or flash drive loaded with something like Lucid Puppy: Download latest Puppy Linux release. You can use it as your temporary OS while you get things cleaned up or wiped and reloaded.

karlsnooks · 25 May 2012

Yep, I couldn't believe it when he said that he had connected his infected machine to another machine. Not wise.

You are correct than now WDO will need to be run on both machines.

Roman5 · 25 May 2012

Ok, mssstool64.exe downloaded, pendrive formatted, files added and updated. You're right karlsnooks, I have an F12 boot menu option for a one time only boot choice. Now about to boot with pendrive and do a quick scan then full scan. Thanks for all your help so far, much appreciated. Then I guess I'll have to do the same with my laptop. I hope the full scans don't take TOO long, but as you say, they probably will take several hours :)

Roman5 · 25 May 2012

Hmm, the pendrive is still inserted into the USB, but I can't get it to boot. I've tried USB-FDD, USB-HDD USB-ZIP and ZIP from the F12 key, and then I tried them all again from setting them as first priority boot within bios. Whatever I try, it just boots into windows and my desktop.

Pendrive inserted is labelled WDO_Media64, has 278mb of data, and has a boot folder and various boot files. Maybe I should reformat the pendrive and try again? I have to say, the first time I went through the 4 step process of downloading, processing, formatting and adding the files, it quit saying there was an error, but it completed the second attempt.

This is my screen of choices after pressing F12.