
Help... I cannot remove the hidden attribute on Trojan files


PhotoOpp (Technical User, CA), Mar 29, 2004
I need some help... I have a major trojan issue going on with one of the kids' computers. There are about 5,000 dat files created in the Windows and System32 directories.

AdAware recognizes the files as adware (CoolWebSearch objects) but cannot immunize and delete the files. The program just hangs. CWShredder recognizes that there is a variant of the CoolWebSearch trojan (CWS.Smartsearch.2), but even after it scrambles its name it is forced to close!

I ran the Trend Micro's Housecall and Panda and they eliminated the dll files (around 2,000) but left all the dat files and many registry problems.

Using Adaware's log file I was able to manually clean the registry entries, however whenever I try to delete a file in explorer (or do just about anything else) explorer dies!

So I opened a CMD window and was about to delete all the dat files... but because all these newly created files are checked as hidden the DOS window doesn't see them. How can I uncheck the files?

By the way... I also ran Spybot and McAfee's Stinger and A2.
 
Have you booted to safe mode and tried to delete the files?
Also, turn off system restore while removing these pesky files. After they have been permanently removed you can re-enable system restore.

Jim W.
 

Yes, System Restore has been turned off and I have tried in SAFE mode and tried to delete the files. I also tried by starting in Safe mode with Command Prompt (or whatever it's called!) and tried to change the file attribute of one of the particular files (attrib -H C:\windows\filename.dat)... the result was "Not resetting system file".

Any other thoughts?
 

Just a follow-up... When I realized what the error message was saying "Not resetting system file" I realized that I had to change the attrib command to attrib -S -H C:\windows\filename.dat. This worked and I was then able to delete all the files. Before I did this I copied the non-hidden dat files to a new directory; erased all dat files and then recopied the non-hidden dat files back to the Windows and Windows/System32 directories. Now I will have to see if this fixed any of my problems. I will update when I know where I am.
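A .cmd script (added here as an illustration, not posted in the thread) that applies the same -S -H fix across both folders the thread mentions, but moves the hidden System .dat files to a quarantine folder instead of deleting them, so the ordinary .dat files never have to be copied out and back. The quarantine path is an assumption; change it as needed.

```batch
@echo off
setlocal EnableExtensions
rem Quarantine folder is an assumption for this example; change as needed.
set "QUAR=C:\Quarantine_dat"
if not exist "%QUAR%" mkdir "%QUAR%"

rem Check the two folders the thread mentions: %SystemRoot% and %SystemRoot%\System32
for %%D in ("%SystemRoot%" "%SystemRoot%\System32") do (
    rem dir /a:sh-d lists only files that carry BOTH the System and Hidden attributes,
    rem so ordinary non-hidden .dat files in the same folder are never touched.
    for /f "delims=" %%F in ('dir /b /a:sh-d "%%~D\*.dat" 2^>nul') do (
        echo Hidden system file: %%~D\%%F
        rem attrib -H alone is refused with "Not resetting system file";
        rem the System bit must be cleared in the same command.
        attrib -S -H "%%~D\%%F"
        rem Move instead of delete so a wrongly matched file can be put back.
        move /y "%%~D\%%F" "%QUAR%\" >nul
    )
)
echo Done. Inspect "%QUAR%" before emptying it.
endlocal
```

Run it from an elevated (Administrator) command prompt, preferably in Safe mode as the thread suggests; review the quarantine folder before deleting anything.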
 
Thanks... I downloaded Giant Antispyware and tried it. It found one thing that I deleted.

After all the files deletions I have gone through I believe that I now have rid the computer of the malware!!(CWShredder now works and AdAware gives me a clean report)

However, I may have inadvertently created another problem because I cannot get Explorer to work properly (copy & paste or deleting a file causes explorer to crash). In addition, if I click on a desktop icon I get an error window telling me that Windows Explorer had to close and then Dr.Watson gives me another error window telling me that it had to also close!

When I look in the Event Viewer I see that there are 2 errors:

Event # 1000 Application Error (explorer)
Event # 1000 Application Error (Dr.Watson)


Looking these errors up, all I find are some generic statements, but nothing that I can use to figure out what my problem is!

By the way I ran Sfc /Scannow and then rebooted. However, the problem continues...

Any ideas?
 
Try running ChkDsk /r from the Recovery Console.

HOW TO: Install and Use the Recovery Console for Windows XP (Q307654)

If they don't work you could try repairing windows by running it over itself. You will lose all your windows updates (no problem if you substitute them with SP2) but your files and programs will be untouched.

How to Perform an In-Place Upgrade (Reinstallation) of Windows XP (Q315341)

In future try surfing as a Limited user rather than an Administrator user, this will cut down the amount of damage that can be inflicted on your system.

To tighten up your infection prevention have a look around here.

 
I am concerned about the wholesale transferring of system files in the original cleanup steps, as well as the possibility of an infected file. After running GIANT and getting a clean report - along with the other steps you have taken - it sounds as if your system is clean of malware for the moment.

Let's check the integrity of system files and DLLs by running IEFIX with all options checkmarked. This does several things advisable at this point, including a sfc /Scannow:
 
I have downloaded the IEFIX file and I will run it a bit later this evening... however I am confused as to why I should run a utility that checks the integrity of Internet Explorer when my problem is with Windows Explorer! My internet explorer seems to work fine...

 
Because IEFIX re-registers critical DLLs that are needed by both Explorer and IE. Microsoft was not kidding that, in their base builds of XP, ripping out IE was non-trivial.

As an example, the following DLLs are in common between Explorer and IE, and often require re-registering with this "fix":

Open a new Notepad session, to be called E_fix.cmd, and copy/paste the below:

@echo off
rem Re-register the shell and browser DLLs shared by Windows Explorer and Internet Explorer
regsvr32 urlmon.dll
regsvr32 Shdocvw.dll
regsvr32 Msjava.dll
regsvr32 Actxprxy.dll
regsvr32 Oleaut32.dll
regsvr32 Mshtml.dll
regsvr32 Browseui.dll
regsvr32 Shell32.dll

Save the file, then double-click E_fix.cmd and answer the prompts. Ignore any error messages.

Reboot and test again.

It is not unusual for a hotfix or service pack to fail on a re-registration. IEFIX, the utility I recommended above, does this re-registration, and with all options enabled does the second thing I wanted: a test of the integrity and file versions of all critical system files with an sfc /Scannow.

Best,
Bill Castner

 
Thanks for the explanation... I ran IEFix on the computer and still have the same problem with Windows Explorer. I do have one question on the program... was I supposed to click on the box "For Windows XP, click here to enable reinstallation of Internet Explorer"? I didn't do this and therefore didn't set that... does it make a difference?

As an aside when I get the error on Dr.Watson (following the error on Windows Explorer) my system freezes until I bring up Task Manager and end the process.

Any other thoughts?

 
linney,

I read the Microsoft article and tried to set up the Recovery Console. However, when I try to run the \i386\winnt32.exe /cmdcons command from my CD it tells me that "Setup cannot continue because the version of Windows on my computer is newer than the version on the CD". I guess this makes sense since I am at SP2.

I then extracted the files from the SP2 update file to a directory C:\I386 and tried to run the command from there. However, I got an error window with "The installation source path specified to setup is invalid"!! Does this mean that it will only accept the command from the CD or is there another way around this?
 
There is firstly the possibility of running ChkDsk from within Windows (if your machine can remain stable long enough to handle the launching and necessary rebooting required).

Try running ChkDsk to check your drive for errors. Right click your Drive icon/ Properties/ Tools/ Error Checking. Select both check boxes.

It should run at next reboot before Windows loads.

The above should make your original question more or less irrelevant. SP2, as you have found out, will not let you install Recovery Console as a boot option, but you can still run it from the Windows CD as a stand-alone repair option. Also, if you were to slipstream SP2 with the original XP CD and produce a new CD, then you can install Recovery Console as a boot option (well, you can in a virtual PC, anyway).

 