hellevene (Members)
Posts: 7
Reputation: 0 Neutral
  1. Thanks too, Firefox. Yes, I never said I was forced to take any decision I didn't want to. However, I was kinda surprised by the fact that no technician knew (or told me) that there is a folder by the name S-1-5 etc. inside the Recycler, while a user of medium knowledge (he never claimed otherwise) did, and said it to me in another forum. So, having in mind that this is mainly a forum, I thought it good to comment about it.
  2. To whom it may concern... and hello Firefox. No, I am not still infected. Rotinom creates a new folder by the name S-1-5 etc. inside User/Local Settings/Application Data, where it places a copy of itself. This folder was erased after disinfection. Then, by chance, I discovered one with the same name inside Recycler and I was alarmed because of the name. Since I didn't know there is a normal Windows system folder by that name, I was afraid I was not properly disinfected. I was more concerned after I saw I could not get rid of it, although I could temporarily delete it (first with the assistance of the WinDirStat program and then by "Shift+Delete"). As it seems, no specialist here or in the MalwareBytes forum knew that S-1-5 etc. is a normal Windows folder so as to appease me, so I kept investigating the matter until someone (not a technician) told me S-1-5 etc. exists in various places inside Windows, so the mystery was solved. I could not permanently delete the folder because it was a Windows system one.
  3. To whom it may concern, it was an illusion. Rotinom creates a new folder by the name S-1-5 etc. inside User/Local Settings/Application Data, where it places a copy of itself. This folder was erased after disinfection. Then, by chance, I discovered one with the same name inside Recycler and I was alarmed because of the name. Since I didn't know there is a normal Windows system folder by that name, I was afraid I was not properly disinfected. I was more concerned after I saw I could not get rid of it, although I could temporarily delete it (first with the assistance of the WinDirStat program and then by "Shift+Delete"). As it seems, no specialist here or in the MalwareBytes forum knew that S-1-5 etc. is a normal Windows folder so as to appease me (on the contrary, some wanted me to believe I was still infected), so I kept investigating the matter until someone (not a technician) told me S-1-5 etc. exists in various places inside Windows, so the mystery was solved. I could not permanently delete the folder because it was a Windows system one.
  4. P.S. Also, something that might be of help concerning this worm and its aftermath. After MalwareBytes had finished the job, I rechecked both my C drive and the external hard disc which was infected (and which was the source of the data Rotinom had transferred to my C drive, filling it to the top) and nothing was found. Then, I scanned them also with Kaspersky and PandaCloud Cleaner; nothing was found either. However, almost every folder of my external drive, including the one where all my data is stored, had been set to "hidden" by Rotinom, and I could see them only after changing the related Registry value. So, I tried to change this attribute manually but it was impossible, as I could not uncheck the "hidden" option. Finally, I found a program called "Attribute Changer" and only through this I managed to change the attribute and see my folders normally. In other words, both MalwareBytes and Kaspersky didn't manage to detect and/or correct this damage caused by Rotinom.

     Hello again, I posted this in the Malware Removal forum, where I have transferred my original post, but since this one has more views, I duplicate it here too. I had no reply, so I guess nobody can figure out what is going on with this case; or nobody wants to reveal it without charge. In any case, let me add some things I noticed. My laptop still behaves normally; no sign of Rotinom after one week, more or less. However, the "S-1-5-21-583907252-764733703-682003330-1005" folder is still there, despite my everyday efforts to get rid of it. I keep deleting it every time I notice its presence and after a while it returns. Meanwhile, I have noticed some things:

     1) The "S-1-5-21-583907252-764733703-682003330-1005" folder is considered to be a system folder; also a "read only" and "hidden" one. The "hidden" attribute cannot be altered through "Properties". I can change it, though, through a program called "Attribute Changer" (the same program I used in order to change the "hidden" option of almost every folder contained in my contaminated external hard disc; see the P.S. of my first post), together with the "system" one. On the other hand, "Attribute Changer" doesn't show it as a "read only" folder although "Properties" does! So if I want to change this attribute, I can only do it through Properties; but even if I change it, pressing "Apply" too, the next moment it is again "read only". Also, even if I change all three attributes, I still cannot delete it using "Delete", as a message "You cannot delete file. Close first all programs... etc." appears. I even tried to delete it with "cmd" but after typing "dir", it showed no directory.*** (I am not sure if I expressed this last one correctly since my computer jargon is not that good. My OS is Windows XP SP3.) So, I delete it using the "WinDirStat" program, as I have said. ***However, one time I managed to delete it by simply pressing Delete (after changing the "system", "hidden" and "read only" attributes) but I have no idea how that happened and I couldn't repeat it afterwards.

     2) I am 99% sure that during the last two days, "S-1-5-21-583907252-764733703-682003330-1005" appears inside Recycler ONLY after I delete files from any of my hard discs, internal or external ones. When I do that, it appears first in the Recycler folder of the hard disc whose files I deleted and then it "spreads" to the Recycler folders of the other hard discs, and it contains all the files I have deleted. After deleting it, it disappears together with its contents, which also disappear from the Recycle Bin. But the icon of the Recycle Bin doesn't change; it still shows it as if it contains deleted files although it contains none. (Note: When I delete files using "Shift+Delete", the "S-1-5-21-583907252-764733703-682003330-1005" folder does not appear inside Recycler.)

     3) PandaCloudCleaner (but not Kaspersky or MalwareBytes) notifies me about a "Suspicious Policy". Here's this part of the log:
     REGKEY: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run[installerLauncher]. Value: InstallerLauncher To be deleted.Suspicious Policy.
     I don't know what this is. It is true that I have changed some Registry values in order to show hidden and super hidden files (see my first post), some of which are also considered "suspicious policies" by PCC, but I didn't change this one for sure.

     That's crazy behaviour, isn't it? I mean, everything seems to work properly, all three antivirus programs I have used (namely, MalwareBytes free, Kaspersky and PandaCloudCleaner) detect no virus/trojan/worm, but the folder is still there like it has a life of its own. Any help would be appreciated. Of course, I can simply format my laptop and put an end to this madness; it's not that difficult, as I have not many programs to re-install, and after all I have spent much more trying to figure out what is going on. But I have to admit that I am a mad person too and I want to defeat this beast instead of succumbing to it. I am also very curious to discover what the hell is happening. Thanks, pq
  5. Hello again, I had no reply, so I guess nobody can figure out what is going on with this case; or nobody wants to reveal it without charge. In any case, let me add things I noticed. My laptop still behaves normally; no sign of Rotinom after one week, more or less. However, the "S-1-5-21-583907252-764733703-682003330-1005" folder is still there, despite my everyday efforts to get rid of it. I keep deleting it every time I notice its presence and after a while it returns. Meanwhile, I have noticed some things:

     1) The "S-1-5-21-583907252-764733703-682003330-1005" folder is considered to be a system folder; also a "read only" and "hidden" one. The "hidden" attribute cannot be altered through "Properties". I can change it, though, through a program called "Attribute Changer" (the same program I used in order to change the "hidden" option of almost every folder contained in my contaminated external hard disc; see the P.S. of my first post), together with the "system" one. On the other hand, "Attribute Changer" doesn't show it as a "read only" folder although "Properties" does! So if I want to change this attribute, I can only do it through Properties; but even if I change it, pressing "Apply" too, the next moment it is again "read only". Also, even if I change all three attributes, I still cannot delete it using "Delete", as a message "You cannot delete file. Close first all programs... etc." appears. I even tried to delete it with "cmd" but after typing "dir", it showed no directory.*** (I am not sure if I expressed this last one correctly since my computer jargon is not that good. My OS is Windows XP SP3.) So, I delete it using the "WinDirStat" program, as I have said. ***However, one time I managed to delete it by simply pressing Delete (after changing the "system", "hidden" and "read only" attributes) but I have no idea how that happened and I couldn't repeat it afterwards.

     2) I am 99% sure that during the last two days, "S-1-5-21-583907252-764733703-682003330-1005" appears inside Recycler ONLY after I delete files from any of my hard discs, internal or external ones. When I do that, it appears first in the Recycler folder of the hard disc whose files I deleted and then it "spreads" to the Recycler folders of the other hard discs, and it contains all the files I have deleted. After deleting it, it disappears together with its contents, which also disappear from the Recycle Bin. But the icon of the Recycle Bin doesn't change; it still shows it as if it contains deleted files although it contains none. (Note: When I delete files using "Shift+Delete", the "S-1-5-21-583907252-764733703-682003330-1005" folder does not appear inside Recycler.)

     3) PandaCloudCleaner (but not Kaspersky or MalwareBytes) notifies me about a "Suspicious Policy". Here's this part of the log:
     REGKEY: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run[installerLauncher]. Value: InstallerLauncher To be deleted.Suspicious Policy.
     I don't know what this is. It is true that I have changed some Registry values in order to show hidden and super hidden files (see my first post), some of which are also considered "suspicious policies" by PCC, but I didn't change this one for sure.

     That's crazy behaviour, isn't it? I mean, everything seems to work properly, all three antivirus programs I have used (namely, MalwareBytes free, Kaspersky and PandaCloudCleaner) detect no virus/trojan/worm, but the folder is still there like it has a life of its own. Any help would be appreciated. Of course, I can simply format my laptop and put an end to this madness; it's not that difficult, as I have not many programs to re-install, and after all I have spent much more trying to figure out what is going on. But I have to admit that I am a mad person too and I want to defeat this beast instead of succumbing to it. I am also very curious to discover what the hell is happening. Thanks, pq
  6. Hello everybody, I posted this one yesterday in Malwarebytes Anti-Malware Help, but I was advised this is the right place for it. So, I repost it here with some additional details. Thanks.

     I was recently infected by this beast, Rotinom, not really that dangerous but persistent enough. (Note: I had no antivirus on my laptop when this happened.) To be brief, I managed to, seemingly, get rid of it with the combined help of Malwarebytes, Kaspersky and some online instructions I followed manually (e.g. adjusting some registry values in order to show super hidden folders). However, the next time I switched my laptop on, I discovered in each one of the folders called "Recycler" (which exist on each one of the hard disks, built-in or external) a folder with the name "S-1-5-21-583907252-764733703-682003330-1005". This, incidentally, is the name of one of the folders Rotinom creates inside the Application Data folder after it has infected a PC. Since my laptop seemed to have no problem anymore, I thought it was just a leftover, so I deleted it through a program called "WinDirStat", because it was impossible to accomplish this by simply pressing "Delete", as a message "You cannot delete file. Close first all programs... etc." appeared every time I attempted it. (As a matter of fact, the only way I found to view the contents of "S-1-5-21-583907252-764733703-682003330-1005" was through this program. Its contents are: a folder called "files" which contains two files, "desktop.ini" and "INFO2", and a folder called "Dc2" with nothing in it.) Thinking that I had managed to get rid of these too, after a while I checked Recycler again and the folder was there again (again in every hard disk's Recycler folder). I deleted it again, but to no avail. As I said, my laptop seems to have been working normally for three days now, but the persistence of this folder makes me think that it is not entirely disinfected.

     Any idea as to whether I am still infected and how I can send this folder permanently to the hell it belongs to?

     P.S. Also, something that might be of help concerning this worm and its results. After MalwareBytes had finished the job, I rechecked both my C drive and the external hard disc which was infected (and which was the source of the data Rotinom had transferred to my C drive, filling it to the top) and nothing was found. Then, I scanned them also with Kaspersky and PandaCloud Cleaner; nothing was found either. However, almost every folder of my external drive, including the one where all my data is stored, had been set to "hidden" by Rotinom, and I could see them only after changing the related Registry value. So, I tried to change this attribute manually but it was impossible, as I could not uncheck the "hidden" option. Finally, I found a program called "Attribute Changer" and only through this I managed to change the attribute and see my folders normally. In other words, both MalwareBytes and Kaspersky didn't manage to detect and/or correct this damage caused by Rotinom.
  7. Hello everybody, so, I was recently infected by this beast, Rotinom, not really that dangerous but persistent enough. (Note: I had no antivirus on my laptop when this happened.) To be brief, I managed to, seemingly, get rid of it with the combined help of Malwarebytes, Kaspersky and some online instructions I followed manually (e.g. adjusting some registry values in order to show super hidden folders). However, the next time I switched my laptop on, I discovered in each one of the folders called "Recycler" (which exist on each one of the hard disks, built-in or external) a folder with the name "S-1-5-21-583907252-764733703-682003330-1005". This, incidentally, is the name of one of the folders Rotinom creates inside the Application Data folder after it has infected a PC. Since my laptop seemed to have no problem anymore, I thought it was just a leftover, so I deleted it through a program called "WinDirStat", because it was impossible to accomplish this by simply pressing "Delete", as a message "You cannot delete file. Close first all programs... etc." appeared every time I attempted it. (As a matter of fact, the only way I found to view this folder's contents was through this program. Its contents are: a folder called "files" which contains two files, "desktop.ini" and "INFO2", and a folder called "Dc2" with nothing in it.) Thinking that I had managed to get rid of these too, after a while I checked Recycler again and it was there again (again in every Recycler folder). I deleted it again, but to no avail. As I said, my laptop seems to have been working normally for two days now, but the persistence of this folder makes me think that it is not entirely disinfected. Any idea as to whether I am still infected and how I can send this folder permanently to the hell it belongs to?
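Added example (editor's code, not from any poster in this thread): a small Python triage helper for the situation the posts describe. It tells a SID-named folder in the normal Windows XP per-user Recycle Bin location (X:\RECYCLER\S-1-5-21-...) apart from one anywhere else, such as the copy the posts say the worm placed under Application Data, and it parses the INFO2 index that sits beside desktop.ini in that Recycle Bin folder. The INFO2 blob below is constructed in the script, not taken from the poster's machine.

```python
import re
import struct
from datetime import datetime, timedelta, timezone
from pathlib import PureWindowsPath

# Machine/domain SID shape (S-1-5-21-<three sub-authorities>-<RID>) as in the posts.
SID_RE = re.compile(r"^S-1-5-21(-\d+){4}$", re.IGNORECASE)

def classify_sid_folder(path):
    """'recycle-bin' if a SID-named folder sits directly under X:\\RECYCLER (the normal
    XP per-user Recycle Bin), 'unexpected' if a SID-named folder is anywhere else
    (the posts describe the worm dropping one under Application Data), else 'not-sid'."""
    parts = PureWindowsPath(path).parts
    if not SID_RE.match(parts[-1]):
        return "not-sid"
    if len(parts) == 3 and parts[1].upper() == "RECYCLER":
        return "recycle-bin"
    return "unexpected"

# XP-era INFO2 layout: 20-byte header, then fixed 800-byte records.
INFO2_HEADER = struct.Struct("<5I")            # version, ?, ?, record size, total size
INFO2_RECORD = struct.Struct("<260sIIQI520s")  # ANSI path, index, drive no., FILETIME, size, UTF-16 path
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def build_info2(entries):
    """Constructed INFO2 blob (sample data, not a real artifact): entries are
    (original_path, drive_number, filetime, size)."""
    body = b"".join(
        INFO2_RECORD.pack(p.encode("ascii"), i, d, ft, sz, p.encode("utf-16-le"))
        for i, (p, d, ft, sz) in enumerate(entries, start=1))
    return INFO2_HEADER.pack(5, 0, len(entries), INFO2_RECORD.size, 0) + body

def parse_info2(data):
    """One dict per record: original path, deletion time, size and the Dxn name
    (D + drive letter + index) the item gets inside the Recycle Bin folder."""
    _, _, _, rec_size, _ = INFO2_HEADER.unpack_from(data, 0)
    if rec_size != INFO2_RECORD.size:
        raise ValueError(f"unexpected INFO2 record size {rec_size}")
    records = []
    for off in range(INFO2_HEADER.size, len(data) - rec_size + 1, rec_size):
        _, idx, drive, ft, size, upath = INFO2_RECORD.unpack_from(data, off)
        records.append({
            "path": upath.decode("utf-16-le").split("\x00", 1)[0],
            "deleted": FILETIME_EPOCH + timedelta(microseconds=ft // 10),
            "size": size,
            "recycled_name": f"D{chr(ord('a') + drive)}{idx}",
        })
    return records

# Constructed sample: one file deleted from C: (drive number 2) on 2011-01-01 00:00 UTC.
SAMPLE_INFO2 = build_info2([(r"C:\Documents and Settings\user\My Documents\report.doc", 2, 129383136000000000, 4096)])
```

Running `classify_sid_folder` over the two locations named in the posts is the quick check that separates the per-user Recycle Bin folder from a look-alike dropped elsewhere; `parse_info2(SAMPLE_INFO2)` shows what the INFO2 file next to desktop.ini actually records.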