Hidden program files folder

[darkassain]

mikaka next time can put code tags so the post does not run too long....
also (and if get dont get this correctly please correct me)
you ran Spybot S&D/Nod32 and it found something...
(do you know what you deleted [some sort of log would help from spybot and nod])
you deleted it
and then you went working into MSconfig tool looking for some more malware...

from the screen shot it (and following dinesh's advice)check these two
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
and these
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

and from this info (and your msconfig screenshot)
it might seem you already deleted the file (although the only way you can be sure is if
boot a live cd (its more harder to infect a read only media to read/write media...) mount that disk and from there look if the file/s are there...

you can also use WinRE (pressing F8 and clicking on repair your computer) you can pick up a cmd prompt and you can check (throught the use of cd and dir commands) if the file is there and then delete it (using the del command)...
although do not try this is if you are not proficient with a DOS prompt style interface..

 

[Jacee]

Would you please upload (individually) and scan each of these files to jotti
Jotti's malware scan
C:\Windows\System32\drivers\SRK.sys
C:\Windows\ôU
C:\Windows\”úo
C:\Windows\System32\%APPDATA%
C:\Windows\System32\APOMngr.DLL

Post the result logs {copy and paste} the link from the address bar ---> http://

 

[Dinesh]

I guess he will need to do a clean install.

 

[Mikaka]

@darkassain

I think the log from Nod32 is gone, I cannot find it (unless there is a way to retrieve it, after Nod has been reinstalled).
But here is what Spybot found:
Imageshack - przechwytywanie

The registry entries look clean to me, both RunOnce's are empty.
Run in CURRENT_USER contains Google Update (I have Chrome browser), and Sidebar.
Run in LOCAL_MACHINE contains Ad Muncher (ad blocker, installed by me), Ad-watch (Ad Aware also installed by me), and Egui (GUI process for ESET Nod32).

I'm gonna boot with 7 DVD, and check if the two files of the _scott things are still there.

@Jacee
SRK.sys
ôU
”úo
index.dat (The only file inside %AppData%/Microsoft/Windows/IETldCache
APOMngr.DLL

@dinesh
I hope not

 

[Dinesh]

Did you try the Boot scan with avast?

 

[Mikaka]

Did you try the Boot scan with avast?

Yes, it came clean.
So when it came clean, and then another scan with Nod32 also came clean, there's nothing strange in Run/Runonce, and I resolved the invisible Program Files, do you think I don't have to worry about this virus anymore??
I'll do a full scans in Spybot and AdAware just in case.

 

[darkassain]

looks like a rootkit...
run the disenfector
Sophos - Troj/RKProc-Fam and Troj/Stinx disinfection instructions
just in case run this to see if you have any traces of this trojan...;

 

[Dinesh]

Yes, it came clean.
So when it came clean, and then another scan with Nod32 also came clean, there's nothing strange in Run/Runonce, and I resolved the invisible Program Files, do you think I don't have to worry about this virus anymore??
I'll do a full scans in Spybot and AdAware just in case.

How did you fix the program files issue?
Glad to hear that its fixed now.

 

[darkassain]

How did you fix the program files issue?
Glad to hear that its fixed now.

he ran in a elevated cmd prompt attrib -h -s Program Files

 

[Jacee]

Have you visited 'GameSpot' forums and downloaded any games, cheats or etc?

Last time I downloaded Harry Potter 6 demo, and yes, I may have downloaded some cheat.

Looking at all the games you have, did you download Bypassing GameGuard?

This 'cheat' would be detected as Troj/RKProc-Fam

 

[Mikaka]

How did you fix the program files issue?
Glad to hear that its fixed now.

I didn't wanted to do triple post, so its posted on the end of the second log (the extras.txt).

looks like a rootkit...
run the disenfector
Sophos - Troj/RKProc-Fam and Troj/Stinx disinfection instructions
just in case run this to see if you have any traces of this trojan...;

Just finished, shows no objects detected.

Looking at all the games you have, did you download Bypassing GameGuard?

This 'cheat' would be detected as Troj/RKProc-Fam

I don't recall downloading that :/

 

[darkassain]

I don't recall downloading that :/

it would seem that the cheat you downloaded bundled it to be able to cheat...

 

[Mikaka]

Thanks for everyone, I reverted back to Vista as soon as I got my response from evenbalance that punkbuster will work with Windows 7 when it will be available in stores, and thats somewhere in October
Anyway thanks again for help.

 

[FoxDie]

HI

Hi,

I've had the same problem... But the elevated CMD prompt didn't work for me.
So I just open up Command Prompt as Administrator and type in:
attrib -h -s Program Files (x86) ?

I have a 64bit Vista Ultimate and the virus made my (x86) disappear.
I hope someone could help me out with this.

 

[Mikaka]

What was the error message?

 

[FoxDie]

Something like
"Parameter is not correct -" (I had to translate since I have a Dutch version).