Windows Directories Messed up After Malware

GPathi

Solved by Maurice Naggar
All of my directories are messed up completely. In my Windows directory I have thousands upon thousands of random png and jpg files that are not in a folder or anything. There were even a few audio files and when I played them they were sounds from some of the games that I had installed on my computer. I also had tons and tons of files and pictures from games that I play. I don't want to just mass delete everything since I may then actually delete something needed for Windows to operate and brick my Windows installation. Also I currently cannot take screenshots since my screenshots folder is completely gone. It's not even in the Windows registry when I went to restore it. The key does not exist. It was not here HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders where it should be located. I really don't know what to do. It also deleted all of my Malwarebytes history so I cannot provide malware information. Also before I fixed all the malware ALL of my data was completely gone. I had to restore the data, and then the directories got messed up after all of this. Can someone please help me?


Hello.

My name is Maurice. I will be helping and guiding you, going forward on this case.
Let me know what first name you prefer to go by.

Please follow my directions as we go along. Please do not make any changes on your own without first checking with me.
Please only attach all report files, etc. that I ask for as we go along.

Let me know whether you recently installed some free app or add-on. Let me know if perhaps you visited some dodgy website.

Tell me, what significant thing had happened or been done just before all this 'situation' started? What, when, where, how?

I would appreciate getting some key details from this machine in order to help you forward.
NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

Do have patience while the report tool runs. It may take several minutes. Just let it run and take its time. You may want to close your other open windows so that there is a clear field of view.

Download Malwarebytes Support Tool
• Once the file is downloaded, open your Downloads folder / the location of the downloaded file.
• Double-click mb-support-1.80.848.exe to run the report.
• Once it starts, you will see a first screen with 2 buttons. Click the one on the left marked "I don't have an open support ticket".
• You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
• Place a checkmark next to Accept License Agreement and click Next.
• Now click the left-hand side pane "I do not have an open support ticket".
• You will be presented with a page stating, "Get Started!"
• Do NOT use the button "Start repair"! Look instead at the far-left options list in black.
• Click the Advanced tab on the left column.
• Click the Gather Logs button.
• A progress bar will appear and the program will proceed with getting logs from your computer. Please do have patience. It takes several minutes to gather.
• Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK. Then Exit the tool.
• Please attach the ZIP file in your next reply.

Please know I help here as a volunteer, and that I am not on 24 x 7.
Help on this forum is one to one. Again, please be sure to ONLY attach report files with your reply(s) as we go along. Do not do a copy / paste into the main body.

Thank you,
Sincerely.

Edited by Maurice Naggar

Yup, thanks Maurice for helping me with this. I'm not really sure what happened. Here's what I remembered. I was just playing some video games on the PC and it shut down because it died. I wasn't able to charge my laptop but leaving it off while connected for a night seemed to charge it. And when I logged in there was NOTHING on my laptop. It was wiped clean except for items on my desktop. Those were randomly still there. Also all of my preferences were gone. My laptop didn't let me run Norton or Malwarebytes. A restart proved effective in letting me start these up. I ran both Norton and Malwarebytes. Both picked up some malware and I successfully removed it. But none of my files were there. I decided to boot my PC into safe mode and restart and that ended up bringing my files back, surprisingly. However they were put into really random places like my OS folder. I sadly didn't have a backup of my laptop. Also I remember that it was something related to a Minecraft mod download. Sadly my Norton didn't pick it up immediately. Also I'm really confused because ALL of the files lost were in the OS folder and they were all placed there at the exact same date and time. Haven't found anything online about any type of malware doing this. This is a Dell Inspiron 7386, Core i5 8265U. Here is the file. Thanks for helping Maurice!

mbst-grab-results.zip


Hello. Thanks for the report. This Windows has been up for more than 2 days. First thing, please do one Windows RESTART and then wait for the system to finish loading and let it settle in.

The next thing is to get Malwarebytes for Windows fully up-to-date to the very latest Version 4.2.3. But first, some preparation.

Windows File Explorer needs to be set to show ALL folders, all system files, etc., including hidden files / folders.

Open Windows File Explorer.

Select View from its top menu bar > click Options on the icon at the far right side > Change folder and search options (from the drop-down).

  • On the next multi-tab mini-window,
  • select the View tab and, in Advanced settings,
  • select Show hidden files, folders, and drives
  • and click OK.

[ 2 ]

The Malwarebytes for Windows version is a bit old. Let's have you get updated to the very latest.

The current release version is 4.2.3.96. All program upgrades are at no charge.

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.

Now, click the tab marked GENERAL. Look for the button marked "Check for Updates" and click it. Be sure to follow all prompts. Let's be sure it is up-to-date.

That will hopefully ensure that the program has the very latest Component Update.

[ 3 ]

In Malwarebytes, we want to do a special scan.
Click the Settings (gear icon) at the top right of the Malwarebytes window. We want to see the SETTINGS window.
Then click the Security tab.

Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON.
Click it to get it ON if it does not show a blue color.

Then scroll down to the section Potentially Unwanted items. We need the next 2 lines (for PUP and for PUM) to be set to "Always (Recommended)".
You can make the change by clicking on the down-arrow selection list-control. We want all PUP and PUM to be marked for removal.

Next, click the small x on the Settings line to go to the main Malwarebytes window.

Next click the blue button marked Scan.
When the scan phase is done, be real sure you review and have all detected line items check-marked on each line on the left. That too is very critical.
You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected).

[Screenshot: MB4_scan_tick_ALL2.jpg]

Then click on Quarantine selected.

[Screenshot: MB4_scan_all_Quarantine2.jpg]

Then, locate the Scan run report; export out a copy; and then attach it with your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 

We will do more later.

The Farbar FRST report did not show an obvious infection. It does show a Microsoft Windows Update fail error 0x80073d02.

Later, we can attempt to address that, along with suggesting to you to update Windows 10 to the Microsoft Windows 20H2 October 2020 updated Version.

By the way, on the history-story:

Quote: "when I logged in there was NOTHING on my laptop."

That can very well have been one occasion, on one reboot, where the system was not able to log in with the regular login account and so was then in a temporary login profile. That can happen to anybody. It is always a good idea to watch closely when Windows starts up and be sure which account is the one logged in.

This Windows installation has two (2) user-created Administrator accounts. Be real sure you track which one is in use. And remember, each logon account has its own unique (different) Desktop and user-environment folders.

Edited by Maurice Naggar

Hey, thanks for replying! There were no results after I did that scan. I also ran Norton and still nothing. My question is if that malware did this or something else. Also here is another problem I'm having. A lot of times Windows won't let me open .jpg files. I can initially open them and then when I move it to any other location Windows then says "Sorry, this is a format we don't support." I'm not sure why all of my files got moved to my OS folder which is protected. Never seen anything like this. Before all of the files went missing this is what I can remember. The malware was a trojan. Did I mention that all of the files and stuff got moved to the OS folder on the same day. Also when I open pop-up windows like a Java installer, my background changes from a custom background to a default all-black background.


Let's take a few minutes and run this special tool by Malwarebytes.

Please read all of these lines first so that it is all clear to you about our plan. I need a one-time run of MBAR as listed here, please.

Please download Malwarebytes Anti-Rootkit (MBAR) from this link here and save it to your desktop.

Double-click on the MBAR file and allow it to run.

• Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.
• mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.
• After reading the Introduction, click 'Next' if you agree.
• On the Update Database screen, click on the 'Update' button.
• Once you see 'Success: Database was successfully updated' click on 'Next', then click the Scan button.

With some infections, you may see two message boxes:

1. 'Could not load protection driver'. Click 'OK'.
2. 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

• If malware is found, press the Cleanup button when the scan completes.

Please attach the log it produces; you'll find the log in that mbar folder as MBAR-log-<date and time>***.txt. Please attach that to your next reply.


The MBAR found a Trojan.Downloader in the folder C:\Program Files\WinRAR

It needed a Windows Restart to finish the removal. Be sure that you have done one Windows RESTART.

The next time you reply, let me know just what folder you mean (full path) when you said

Quote: "I'm not sure why all of my files got moved to my OS folder"

and, I also would like this other special report for review. Just know that after that we will run some other scans on this system.

(One of the things I think may have happened is that Windows has lost a setting that is used for handling image-type files.)

Let's see about getting a different diagnostic report, please. There is a report tool named OTL, OldTimer's ListIt.

⦁ Please download OTL from this link
⦁ Save it to your desktop.

Now use File Explorer to go to the Desktop.
⦁ RIGHT click on the OTL on your desktop and select 'RUN as Administrator' and select YES and let it proceed forward.
⦁ Reply YES when prompted by Windows whether to allow it to Run.
⦁ Click the "Scan All Users" checkbox.
⦁ Push the "Run Scan" button.
⦁ Please have lots of patience as this report may well take several minutes. Let it run.
⦁ Two reports will open; please attach the 2 files with your Reply:
⦁ OTL.txt <-- Will be opened
⦁ Extra.txt <-- Will be minimized

 


6 hours ago, GPathi said: "I'm going to rerun it and change the time to be longer because the incident occurred a little over two months ago. Here is the current report for 30 days though."

I had no idea that the situation went that far back! Two months is a long span of time.

But you should know that the OTL tool run was just a report run. It does not make changes. That said, if there is a prompt to restart the system, then go ahead and do so. I will make a new reply once I have digested / read through these OTL reports.

Added NOTE:

Tell me just what folders you refer to. What kind of files and just where.

Let me know just what folder you mean (full path) when you said

Quote: "I'm not sure why all of my files got moved to my OS folder"

 

Edited by Maurice Naggar (added notes)

More questions: I see a lot of 'autoformfill' and 'autopilot' javascript files in the root of the C drive. Tell me, are you a Windows programmer / Microsoft Office Access developer?

This system has NortonSecurity version 22.20.5.39 by NortonLifelock / Symantec. When was the last antivirus scan with it?

I do not see a sign of an obvious infection after looking at the OTL reports.

At your next opportunity, I have listed 2 different scans to be done. Do them both and post your reports after all are completed.

[ 1 ]

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for and remove malware or potentially unwanted software from a system.

The download links and how to run the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

On the scan Options, select FULL scan. Have lots of patience till it finishes.

Let me know the result of this.

The log is named MSERT.log

The log will be at C:\Windows\debug\msert.log

Please attach that log with your reply.

[ 2 ]

I would suggest that you do a scan with a scan tool from ESET to scan only the C drive.
Go to https://www.eset.com/us/home/online-scanner/

It will start a download of "esetonlinescanner_enu.exe"

Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double-click it to get it started.

When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes.

When prompted for scan type, click on Custom scan (the choice on the far-right side).

We want just the C drive to be scanned.

In the display "Select custom scan targets" keep the top 3 lines ticked, plus the one for the C drive (which should be your Windows drive).

UN-tick the other drives (D, E, F, etc...).

Then click on the blue button "Save and continue".

Look at and tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display.

You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".

Click the blue "Save scan log" to save the log. Look for it on the bottom left, in blue.

If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at bottom).
Press Continue when all done. You should click to turn off the offer for "periodic scanning".

The goal here is to see if there are suspicious or actual threats on the C drive. Please attach the scan log with your next reply.


We can do more later, as needed.

Sincerely,

Maurice

Edited by Maurice Naggar

I'll restart my computer after I run the OTL again since it failed to run when I ran it for the 180 day scan, so I'm just waiting for that to complete. Here is where all the random files went to. It went to C:\. So now there are thousands and thousands of media files like .jpg, .png, .bmp, .ogg, zip files. Also there are lots of random other things in the C:\. Just so you know I am not a Windows developer in any way. I just have lots of javascript files on my computer because I occasionally play Minecraft and I download some javascript modifications. However I do not know what autoformfill and autopilot is. Like I said lots of things got moved to the C:\. I also run Norton almost every two days. Just for your knowledge I don't really know how something could have slipped through since I literally scan every file I download with Norton + Malwarebytes. And when it is a zipped file I extract the contents and then scan it. I will attach all of the files in the next comment. So I'll attach OTL, MSERT & ESET Online Scanner.


This is really confusing because I just left my computer on doing the scans and it went into sleep mode. So when I turned it back on with the keyboard the logon screen was just a blue screen. No background. And then when I logged on to my account there is only a message that says "The recycle bin on C:\ is corrupted. Do you want to empty the recycle bin for this drive?" I haven't clicked anything because I'm not really sure what to do. I would rather wait for you to reply so I can get a safe answer. Also sorry for the really bad quality picture. Didn't have anything better to take it with.

 

[Two attached photos: the blank logon screen and the Recycle Bin message]


The Microsoft Safety Scanner found zero infections. The ESET scan also found no infection. I would like to run one other scan to check the system again for potential malware.

Run a new scan with Malwarebytes.
Start Malwarebytes from the Windows Start menu.

Click the Settings (gear icon) at the top right of the Malwarebytes window. We want to see the SETTINGS window.

Then click the SECURITY tab.
Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON.
Click it to get it ON if it does not show a blue color.

Now click the small X to get back to the main menu window.

Click the SCAN button.
Select a Threat Scan (which should be the default).

When the scan phase is done, be real sure you review and have all detected line items check-marked on each line on the left. That too is very critical.

Then click on Quarantine selected.

Be sure all items were removed. Let it remove what it has detected, if anything.

Then, locate the Scan run report; export out a copy; and then attach it with your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

[ NEXT ]

[ 2 ]

This procedure will use the Windows System File Checker tool (SFC).

Open an elevated command prompt window, i.e. run Command Prompt as an administrator.

It is best to use the Windows Copy (CTRL+C) and Paste (CTRL+V) for the whole line, as-is.

To get the elevated command prompt, press Windows-key + X key and then select Command Prompt (Admin).

On that command prompt, copy and paste this command:

    sfc /scannow

Press Enter to proceed. Let me know the bottom line message when it has finished.

 


Yep, the sfc was good; it didn't detect anything. I'm still running the dism.exe /online /cleanup-image /restorehealth because I know that can also fix some things up. Now that I know the malware on my computer is gone, can you try to help me get all of the random stuff in the C:\ moved to the correct location, because none of this stuff happened before that malware came in.

 


The DISM can correct limited aspects of the Windows installation... if there is something to actually 'correct'. One thing that is apparent though, is that there is no infection, no malware here at this point.

On the latter point, the random stuff, especially at the root of the C drive... I can provide you a custom script to delete javascript files and other files that do not belong there. {The root directory of the main partition on your computer is C:\ }

I have to say, it is not clear to me what, if anything, you mean other than the actual "root" of the C drive. If there is a specific folder that you are looking at, which one is it?

By the way,  I will need to know the bottom line result of the DISM run when it has finished.


The dism.exe operation was good. It didn't find any corrupted files. No, I'm not talking about the javascript files. I'm talking about the thousands of pictures that I just have spewed throughout C:\. Also my screenshots folder is completely gone. Like it's not even registered in the registry. I'll take a picture of what my C:\ looks like. All of those extra files are eating away storage on my device. Hopefully these will show you what my problem was. I also have tons of DLL files which are not in any folder. Perhaps we can set up a TeamViewer or something so that you can see what it looks like. This entire messed up area makes it really confusing to download stuff to a folder or to move items to a specific folder. Some of the photos will be in the zip file.

Images.zip


All those odd files are in the root of the C drive.

About image img_5012: all those @*.PNG files do not belong there, AND they are very odd files that start with @.

These do not belong there or anywhere, and should be deleted.

Same with img_5013: all those image-type files [00xxxx].

Same with img_5014: all those lxxxx.dll files.

Same with img_5015: all those lync***.wav and lync***.wma files.

Same with lync***.png and any **dll in the root, and any HTML files, and any *.xbf files, and any zh-*.* files.

All those files do not belong in the root, and they are not a part of the Windows operating system.

It looks to me as if some oddity happened on the 6th of September (the date on all these), maybe from a stray download or a glitchy download or something.

These will all be cleaned up by the following custom script in conjunction with the use of FRST.

Please be sure to close any open work files, documents, and any apps you started yourself before starting this.

The system will be rebooted after the script has run.

This custom script is for GPathi only / for this machine only.

 
Close and save any open work files before starting this procedure. If there are any CD / DVD / USB flash-thumb or USB storage drives attached, please disconnect any of those.

The custom Fix script is going to be used by the FRSTENGLISH tool. They will both work together as a pair.

Please save the (attached file named) FIXLIST.txt to the Downloads folder.

The tool named FRSTENGLISH.exe is already in the Downloads folder.
Start Windows Explorer and go to the Downloads folder.

RIGHT click on FRSTENGLISH and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click the line More info on that screen
and click the button Run anyway on the next screen.

On the FRST window:
Click the Fix button just once, and wait.

[Screenshot: frst-fix.jpg]

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

Please know this will do a Windows Restart. Just let it do its thing.

Do let me know how things are overall,  after all this.

Sincerely.

Fixlist.txt

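As an added example (not Maurice's fixlist, and not Malwarebytes or FRST code), the read-only PowerShell triage below would let someone in GPathi's position size up the loose files at the root of C:\ before any cleanup: counts by extension and by creation date (the thread notes every stray file carried the same date), a tag for the @*, lync*, loose *.dll, *.xbf and zh-*.* name patterns called out above, and a check of whether the User Shell Folders key still holds a Screenshots entry as reported missing in the first post. The list of files that legitimately live at the root and the report path are assumptions; nothing is deleted.

```powershell
# Added example, not from the thread or from Malwarebytes: read-only triage of the loose
# files at the root of C:\ before any FRST cleanup. Groups them by extension and by
# creation date, tags the name patterns the helper called out, writes a CSV for review,
# and checks whether User Shell Folders still defines a Screenshots location.
# Run from an elevated PowerShell prompt; $Root and $ReportPath are assumed defaults.
param(
    [string]$Root = 'C:\',
    [string]$ReportPath = "$env:USERPROFILE\Desktop\root-triage.csv"
)

# Name patterns from the thread that the helper said do not belong in the root.
$suspectPatterns = @('@*.png', 'lync*.*', '*.dll', '*.xbf', 'zh-*.*', '*.html', '*.htm')

# Assumption: files that normally do live at the root of a Windows 10 system drive.
# Adjust for your machine; they are excluded from the loose-file count.
$knownRootFiles = @('bootmgr', 'BOOTNXT', 'hiberfil.sys', 'pagefile.sys',
                    'swapfile.sys', 'DumpStack.log.tmp')

$files = @(Get-ChildItem -LiteralPath $Root -File -Force -ErrorAction SilentlyContinue |
           Where-Object { $knownRootFiles -notcontains $_.Name })
Write-Host ("Loose files at {0}: {1}" -f $Root, $files.Count)

# 1) By extension: thousands of .jpg/.png/.ogg at the root is the symptom described.
Write-Host "`nBy extension:"
$files | Group-Object Extension | Sort-Object Count -Descending |
    Select-Object @{ n = 'Extension'; e = { if ($_.Name) { $_.Name } else { '(none)' } } }, Count |
    Format-Table -AutoSize | Out-String | Write-Host

# 2) By creation date: one date carrying thousands of files points at a single event.
Write-Host "Top creation dates:"
$files | Group-Object { $_.CreationTime.ToString('yyyy-MM-dd') } |
    Sort-Object Count -Descending | Select-Object -First 5 |
    Select-Object @{ n = 'CreationDate'; e = { $_.Name } }, Count |
    Format-Table -AutoSize | Out-String | Write-Host

# 3) Tag each file with the first suspect pattern it matches and export for review.
$report = foreach ($f in $files) {
    $hit = $suspectPatterns | Where-Object { $f.Name -like $_ } | Select-Object -First 1
    $pattern = if ($hit) { $hit } else { '' }
    [pscustomobject]@{
        Name         = $f.Name
        SizeKB       = [math]::Round($f.Length / 1KB, 1)
        CreationTime = $f.CreationTime
        Pattern      = $pattern
    }
}
$report | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
$flagged = @($report | Where-Object { $_.Pattern }).Count
Write-Host ("Wrote {0} rows to {1}; {2} matched a suspect pattern." -f $report.Count, $ReportPath, $flagged)

# 4) Screenshots folder: the first post says the value is missing under User Shell Folders.
$usf = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$props = Get-ItemProperty -LiteralPath $usf
$screens = @($props.PSObject.Properties | Where-Object { "$($_.Value)" -like '*\Screenshots' })
if ($screens.Count -gt 0) {
    foreach ($s in $screens) {
        Write-Host ("Screenshots value present: {0} = {1}" -f $s.Name, $s.Value)
    }
} else {
    Write-Host 'No User Shell Folders value points to a Screenshots folder (matches the reported symptom).'
}
```

Review the CSV (sorted by Pattern and CreationTime) against the screenshots before deciding what a fix script should remove; anything outside the tagged patterns or the common date deserves a second look rather than deletion.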
