Jump to content
wappu

Virus Renaming My .EXE Files And Hiding Them

Recommended Posts

I got a virus that renames .exe files by adding "g" to them (example: gfirefox.exe). Not just that it hides the .exe files, so they don't appear when i searched them. It's ruining a lot of my files so please help....

Share this post


Link to post
Share on other sites
Hello JurajT and welcome to Malwarebytes,

Download the following program to your desktop:

Unhide tool

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.
Please be patient as this may take several minutes to run, it will scan and fix all Hard drives on your system. You will see a new window with the drive being processed, typically C:\ as below:

user posted image

Changing as the next drive is processed as below, (if required):

user posted image

You will get a success alert at the end.

user posted image

Re-boot and see if your files are present.

Next,

If you do not have Malwarebytes installed do the following:

Download Malwarebytes version 3 from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/

Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions....

When the install completes or Malwarebytes is already installed do the following:

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Click on the Report tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select user posted imageRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
    user posted image
     
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

Thank you,

Kevin....

Share this post


Link to post
Share on other sites

Hey Kevin.... Thank you so much for your reply, and sorry for the late reply... i'm doing what you've told me right now... i'll report any progress as soon as it's done...

Share this post


Link to post
Share on other sites

i've done what you said, but some of my .exe files are still "infected"? i can only run the program (example : After Effects) if i change the shortcut to "gAfterFX.exe", if i do that the program runs normally (only the name of the file changes). But i'm afraid that if i do that, it will infect my other files. And also i received more Windows defender notifications saying that it detected a virus named "Grenam.A"

Capture.PNG

Capture2.PNG

AdwCleaner[C00].txt unhide.txt Addition.txt FRST.txt

Share this post


Link to post
Share on other sites
4 minutes ago, wappu said:

i've done what you said, but some of my .exe files are still "infected"? i can only run the program (example : After Effects) if i change the shortcut to "gAfterFX.exe", if i do that the program runs normally (only the name of the file changes). But i'm afraid that if i do that, it will infect my other files. And also i received more Windows defender notifications saying that it detected a virus named "Grenam.A"

Capture.PNG

Capture2.PNG

AdwCleaner[C00].txt 1.71 kB · 0 downloads unhide.txt 2.48 kB · 0 downloads Addition.txt 72.31 kB · 0 downloads FRST.txt 75.37 kB · 0 downloads

and also the "gAfterFX.exe" files are actually hidden, it's nowhere to be find when i clicked open file location in the shortcut properties

Share this post


Link to post
Share on other sites

Hello wappu,

Continue with the following please:

Upload a File to Virustotal

Go to http://www.virustotal.com/

  • Click the Choose file button
  • Navigate to the file C:\ginstall.exe
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the URL address back here please.

Next,

Run FRST one more time:

Type the following in the edit box after "Search:".

g*.exe

Click Search Files button and post the log (Search.txt) it makes to your reply.

user posted image

Thanks,

Kevin

Share this post


Link to post
Share on other sites

 

26 minutes ago, kevinf80 said:

Hello wappu,

Continue with the following please:

Upload a File to Virustotal

Go to http://www.virustotal.com/

  • Click the Choose file button
  • Navigate to the file C:\ginstall.exe
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the URL address back here please.

Next,

Run FRST one more time:

Type the following in the edit box after "Search:".

g*.exe

Click Search Files button and post the log (Search.txt) it makes to your reply.

user posted image

Thanks,

Kevin

i can't find c:\ginstall.exe

and what should i do when the g*.exe files are found?

Share this post


Link to post
Share on other sites

i've done the search, it seems like FRST can find the infected (?) files but i can't find the files in explorer to upload to Virus Total.

and thank you so much for your help by the way... i was so scared about virus removing my programs

Search.txt

Share this post


Link to post
Share on other sites

Hello again wappu,

Wow, that search is showing the entries with the added "g" very strange, never came across this issue before.. Do the following please:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

fix.jpg


Thanks,

Kevin..

 

 

 

 

 

 

 

 

 

 

 

 

 

 

fixlist.txt

Share this post


Link to post
Share on other sites
1 hour ago, kevinf80 said:

Hello again wappu,

Wow, that search is showing the entries with the added "g" very strange, never came across this issue before.. Do the following please:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

fix.jpg


Thanks,

Kevin..

 

 

 

 

 

 

 

 

 

 

 

 

 

 

fixlist.txt 104 B · 2 downloads

i've ran the FRST fix and posted the fixlog.txt, what's the next step?

Fixlog.txt

Share this post


Link to post
Share on other sites

Hello wappu,

Am out until about 8pm UK time, will get back to you then.

The files with g added are super hidden, we can sort that out tonight..

Kevin

 

 

Share this post


Link to post
Share on other sites
17 minutes ago, kevinf80 said:

Hello wappu,

Am out until about 8pm UK time, will get back to you then.

The files with g added are super hidden, we can sort that out tonight..

Kevin

 

 

okay... thankyou so much for your help...

Share this post


Link to post
Share on other sites

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

fix.jpg

 

fixlist.txt

Share this post


Link to post
Share on other sites
1 hour ago, kevinf80 said:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

fix.jpg

 

fixlist.txt 40.01 kB · 3 downloads

hey kevin... the fixlist.txt will rename my files right? The files' names will be back to normal, but will it act as a virus? or will it be okay if i run those files? Sorry if i'm asking too many questiona, i'm just scared that if i run those files the virus will replicate again...

Share this post


Link to post
Share on other sites

The fix is to remove the super hidden attributes and rename the files. I do not believe these files are actually infected, it would seem Windows Defender found that issue, I assume it was removed...

If you are unsure of running the fix maybe we should make full registry backup first... I`ll add that option to the fix and attach again to this reply..

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

fix.jpg


Thanks,

Kevin...

fixlist.txt

Share this post


Link to post
Share on other sites

I did the fix, but nothing seemed to happen 🤣.... I wonder what i did wrong... can you tell by reading the log?

Fixlog.txt

Share this post


Link to post
Share on other sites

Hello wappu,

You did nothing wrong, the fix is not set correctly. Try once more, this time I`ve shortened back the fix..

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

fix.jpg

Thanks,

Kevin..

fixlist.txt

Share this post


Link to post
Share on other sites
On 9/13/2019 at 4:37 PM, kevinf80 said:

Hello wappu,

Am out until about 8pm UK time, will get back to you then.

The files with g added are super hiden, we can sort that out tonight..

Kevin

 

 

Hi kevin... sorry for the late respond, i did some searching on google, and i found a relation between the windows defender scan result, and the file renaming problem...

So the virus "Grenam.A" is actually a virus that hides some .exe files and replaces it with "g" added file, hence the name Grenam.A (G rename). The virus file name however is "Ground.exe" and malwarebytes successfully removed it.

But the g added .exe file replacements are also dangerous, they can replicate themselves by infecting other files, these replacement files are the ones that malwarebytes cannot detect, Windows Defender can detect and quarantine the files, but it can't restore the replaced files.

In the article that i read, theres an antivirus from my country called "Smadav" that can detect, quarantine, and restore the files. So maybe i can try the antivirus, what do you think?

Share this post


Link to post
Share on other sites

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.