
Hello everybody,

 

So, I was recently infected by this beast, Rotinom, not really that dangerous but persistent enough. (Note: I had no Antivirus in my laptop when this happened.) To be brief, I managed to, seemingly, get rid of it by the combined help of Malwarebytes, Kaspersky and some online instructions I followed manually (e.g. adjusting some registry values in order to show super hidden folders). However, the next time I switched my laptop on, I discovered in each one of the folders called "Recycler" -which exist in each one of the hard disks, built-in or external- a folder with the name "S-1-5-21-583907252-764733703-682003330-1005". Which, incidentally, is the name of one of the folders Rotinom creates inside the Application Data folder after it has infected a pc. Since my laptop seemed to have no problem anymore, I thought it was just a leftover so I deleted it through a program called "windirstat" -because it was impossible to accomplish it by simply pressing "delete", as a message "you cannot delete file. Close first all programs... etc." appeared every time I attempted it. (As a matter of fact, the only way I found to view this folder's contents was through this program. Its contents are: a folder called "files" which contains two files, "desktop.ini" and "INFO2", and a folder called "Dc2" with nothing in it.) Thinking that I managed to get rid of these too, after a while I checked Recycler again and it was there again (again in every Recycler folder). I deleted it again but to no avail. As I said, my laptop seems to work normally two days now, but the persistence of this folder makes me think that it is not entirely disinfected. Any idea as to whether I am still infected and to how I can send this folder permanently to the hell it belongs?


Hello and Welcome to Malwarebytes

Being that you are probably infected, feel free to follow the instructions below to receive free, one-on-one expert assistance in checking your system and clearing out any infections and correcting any damage done by the malware.

Please see the following pinned topic which has information on how to get help with this: Available Assistance for Possibly Infected Computers

Thank you


P.S. Also, something that might be of help concerning this worm and its aftermath. After MalwareBytes had finished the job, I rechecked both my C drive and the external hard disc which was infected (and which was the source of the data Rotinom had transferred to my C drive, filling it to the top) and nothing was found. Then, I scanned them also with Kaspersky and PandaCloud Cleaner; nothing was found either. However, almost every folder of my external drive, including the one where all my data is stored, had been set to "hidden" by Rotinom and I could see them only after changing the related Registry Value. So, I tried to change this attribute manually but it was impossible, as I could not uncheck the "hidden" option. Finally, I found a program called "Attribute Changer" and only through this I managed to change the attribute and see my folders normally. In other words, both MalwareBytes and Kaspersky didn't manage to detect and/or correct this damage caused by Rotinom.

 

Hello again,

I posted this in the Malware Removal forum, where I have transferred my original post, but since this one has more views, I duplicate it here too.

 

I had no reply, so I guess nobody can figure out what is going on with this case; or nobody wants to reveal it without charge. In any case, let me add some things I noticed. My laptop still behaves normally; no sign of Rotinom after one week, more or less. However, the "S-1-5-21-583907252-764733703-682003330-1005" folder is still there, despite my daily efforts to get rid of it. I keep deleting it every time I notice its presence and after a while it returns. Meanwhile, I have noticed some things:

1) The "S-1-5-21-583907252-764733703-682003330-1005" folder is considered to be a system folder; also, a "read only" and "hidden" one. The "hidden" attribute cannot be altered through "properties". I can change it though, through a program called "attribute changer" (the same program I used in order to change the "hidden" option of almost every folder contained in my contaminated external hard disc (see the P.S. of my first post)), together with the "system" one. On the other hand, "attribute changer" doesn't show it as a "read only" folder although "properties" do! So if I want to change this attribute, I can only do it through properties; but even if I change it, pressing "apply" too, the next moment it is again "read only". Also, even if I change all three attributes, I still cannot delete it using "delete", as a message "You cannot delete file. Close first all programs... etc." appears. I even tried to delete it with "cmd" but after typing "dir", it showed no directory.*** (I am not sure if I expressed this last one correctly since my computer jargon is not that good. My OS is Windows XP SP3.) So, I delete it using the "windirstat" program, as I have said.

***However, one time I managed to delete it by simply pressing delete -after changing "system", "hidden" and "read only" attributes- but I have no idea how that happened and I couldn't repeat it after.

2) I am 99% sure that during the last two days, "S-1-5-21-583907252-764733703-682003330-1005" appears inside Recycler ONLY after I delete files from any of my hard discs, internal or external ones. When I do that, it appears firstly in the Recycler folder of the hard disc whose files I deleted and then it "spreads" to the Recycler folders of the other hard discs, and it contains all the files I have deleted. After deleting it, it disappears together with its contents. Which contents disappear also from the recycle bin. But the icon of the recycle bin doesn't change; it still shows it as if it contains deleted files although it contains none. (Note: When I delete files using "delete+shift", the "S-1-5-21-583907252-764733703-682003330-1005" does not appear inside Recycler.)

3) PandaCloudCleaner (but not Kaspersky or MalwareBytes) notifies me about a "Suspicious Policy". Here's this part of the log:

REGKEY: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run[installerLauncher]. Value: InstallerLauncher To be deleted.Suspicious Policy.

I don't know what this is. It is true that I have changed some Registry Values in order to show hidden and superhidden files (see my first post) -and some of which are considered also "suspicious policies" by PCC- but I didn't change this one for sure.

That's a crazy behaviour, isn't it? I mean, everything seems to work properly, all three antivirus programs I have used (namely, MalwareBytes free, Kaspersky and PandaCloudCleaner) detect no virus/trojan/worm but the folder is still there like it has a life of its own. Any help would be appreciated. Of course, I can simply format my laptop and give an end to this madness; it's not that difficult as I have not many programs to re-install and after all I have spent much more trying to figure out what is going on. But I have to admit that I am a mad person too and I want to defeat this beast instead of succumbing to it. I am also very curious to discover what the hell is happening.

Thanks,

pq

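The "INFO2" file that the first post found inside the Recycler SID folder is the Windows XP recycle-bin index, and the "Dc2" entry next to it is the renamed deleted file (drive C, slot 2); each 800-byte record in INFO2 maps such a name back to its original path, deletion time and size, which is how a defender checks that a Recycler SID folder holds only what the user deleted. The parser below is an added example, not code from this thread, and runs over a constructed sample INFO2 image; the paths and timestamps in it are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows XP INFO2 layout: 20-byte header, then fixed 800-byte records.
HEADER_FMT = "<IIIII"          # version, unused, unused, record size, total size
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_LEN = 800

def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_info2(data):
    """Return one dict per record: Recycler file name, original path, time, size."""
    _version, _, _, rec_size, _ = struct.unpack_from(HEADER_FMT, data, 0)
    if rec_size != RECORD_LEN:
        raise ValueError(f"unsupported INFO2 record size {rec_size}")
    entries = []
    for off in range(HEADER_LEN, len(data) - RECORD_LEN + 1, RECORD_LEN):
        rec = data[off:off + RECORD_LEN]
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        unicode_path = rec[280:].decode("utf-16-le").split("\x00", 1)[0]
        entries.append({
            # Files in the Recycler are renamed D<drive letter><index>, e.g. Dc2.
            "recycler_name": f"D{chr(ord('a') + drive)}{index}",
            "original_path": unicode_path,
            "deleted_at": filetime_to_datetime(ft),
            "size": size,
            # A zeroed first ANSI byte marks a slot whose file was restored or purged.
            "active": rec[0] != 0,
        })
    return entries

def build_record(path, index, drive, ft, size, active=True):
    """Build one 800-byte record for the constructed sample (not real data)."""
    ansi = path.encode("ascii", "replace").ljust(260, b"\x00")
    if not active:
        ansi = b"\x00" + ansi[1:]
    unicode_path = path.encode("utf-16-le").ljust(520, b"\x00")
    return ansi + struct.pack("<IIQI", index, drive, ft, size) + unicode_path

# Constructed sample: two deletions, one still live (Dc2) and one already purged (De3).
# 129383136000000000 is the FILETIME for 2011-01-01 00:00:00 UTC.
SAMPLE_INFO2 = (
    struct.pack(HEADER_FMT, 5, 0, 0, RECORD_LEN, HEADER_LEN + 2 * RECORD_LEN)
    + build_record(r"C:\Documents and Settings\pq\My Documents\notes.txt", 2, 2, 129383136000000000, 4096)
    + build_record(r"E:\photos\img001.jpg", 3, 4, 129383136000000000 + 600_000_000, 8192, active=False)
)
```

Point `parse_info2` at the bytes of a real `Recycler\S-1-5-...\INFO2` to list what the bin holds; an original path that no one remembers deleting is worth a closer look.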

Thanks for the info, however being that you are infected you need to stay with the Malware Removal forum for help with getting cleaned up HERE. No one will be able to assist you here in this section even if it has more views.

 

Only trained personnel can help you with malware removal and even they are not allowed to help you in this section.

 

Please wait until someone picks up your topic HERE in the Malware removal section. Do not reply or bump to that topic until someone is helping you, because it will only prolong your being assisted.


To whom it may concern...

 

... and Hello Firefox.

 

No, I am not still infected. Rotinom creates a new folder by the name S-1-5 etc. inside User/Local Settings/Application Data where it places a copy of itself. This folder was erased after disinfection. Then, by chance I discovered one with the same name inside Recycler and I was alarmed because of the name. Since I didn't know there is a normal Windows system folder by that name, I was afraid I was not properly disinfected. I was more concerned after I saw I could not get rid of it, although I could temporarily delete it -firstly with the assistance of the WinDirStat program and then by "shift+delete". As it seems, no specialist here or in the MalwareBytes forum knew that S-1-5 etc. is a normal Windows folder so as to appease me, so I kept investigating the matter until someone -not a technician- told me S-1-5 etc. exists in various places inside Windows, so the mystery was solved. I could not permanently delete the folder because it was a Windows System one.


hellevene, thanks for the added info, but unless one reviews logs, and looks at the folder/files directly, it's hard to tell if it is a legitimate system folder or not. Malware has been known to have file names the same as system files/folders in order to disguise itself. It's totally up to you if you want to seek the needed help.


Thanks too, Firefox. Yes, I never said I was forced to take any decision I didn't want to. However, I was kinda surprised by the fact that no technician knew (or told) that there is a folder by the name S-1-5 etc. inside the Recycler, while a user of medium -he never claimed otherwise- knowledge did and said it to me -in another forum. So, having in mind that this is mainly a forum, I thought it good to comment about it.
