PCMech Forums > Help & Discussion > Networking & Online Security
Old 04-28-2006, 11:12 AM   #1   Cisridn (Member)
Window\System32 Folder hidden from view

Has anyone ever experienced malware that hides the System32 folder from view? I have set the folder options to show hidden files and unchecked the option to hide protected operating system files, but the folder is still hidden.

I am asking because I am working on a computer running WinXP Home that was connected to the internet (via broadband cable) without any AV protection or anything but the Windows Firewall. Needless to say, the system was severely infected (Trojans and adware). Continuous popups. Not able to control the computer with the mouse or keyboard. Only able to shut down using the power button.

So far I have been able to scan the computer through the ethernet with McAfee A/V from my computer to remove some of the infections. Next I entered safe mode to do an online scan at ewido.net. ewido was not able to remove any of the infections. I then did a repair install of WinXP. This allowed me to regain control in normal mode. Installed Zone Alarm to stop IE from accessing the internet and displaying more popup ads. Installed Spybot Search and Destroy and AdAware SE.

Both Spybot and AdAware found malware in the Windows\System32\surfkill folder but could not remove it. Both were run twice, once in normal mode and again in safe mode. I tried to navigate to the folder using Windows Explorer but the folder is missing from view. I have never seen anything like this before.

I am not positive of the folder name 'surfkill' because I forgot to bring my notes I wrote down with me before I came to work. I am sure that 'surf' is part of the name.

When I get home I will post more details of the malware name and location.
Any feedback on how I should proceed would be appreciated.
__________________
It takes patience and more patience to fix this computer stuff.
Old 04-28-2006, 11:26 AM   #2   glc (Forum Administrator)
If I were working on that machine, at this point I'd be recommending a nuke and pave.
Old 04-28-2006, 11:45 AM   #3   Cisridn (Member)
Quote:
Originally Posted by glc
I'd be recommending a nuke and pave.
I like that phrase.

Yeah, I agree. I have been working on this one for the past two nights. I told the person I would try one more night to remove the malware before doing that. The problem is that this is an eMachines computer and the person lost their recovery CD. That means they will have to buy a new copy of XP Home, which is more money than they want to spend.
Old 04-28-2006, 11:59 AM   #4   glc (Forum Administrator)
By the time they buy a copy of XP and replacement software and pay your labor rates, they could buy a new PC.
Old 04-28-2006, 12:14 PM   #5   Panama Red (Staff)
Quote:
Originally Posted by Cisridn
I like that phrase.

That means they will have to buy a new copy of XP Home, which is more money than they want to spend.
Have you contacted eMachines to obtain a new copy of the Recovery Disk? HP's replacements are about $20 with the freight, but I don't know about eMachines.
Old 04-28-2006, 12:42 PM   #6   Cisridn (Member)
Quote:
Originally Posted by Panama Red
Have you contacted eMachines to obtain a new copy of the Recovery Disk? HP's replacements are about $20 with the freight, but I don't know about eMachines.
Thanks for the suggestion, Panama Red. I did not think of contacting eMachines for a replacement CD.

Quote:
Originally Posted by glc
By the time they buy a copy of XP and replacement software and pay your labor rates, they could buy a new PC.
This is true, but I did warn the person about installing a good AV and firewall on their computer before putting the computer on a broadband connection about a month ago, when I replaced the hard drive for them. Maybe now they will take me more seriously when I talk about how important it is to protect their computer.
Old 04-28-2006, 02:48 PM   #7   SWTF (Member)
Pre-installed environment.

You could pull out the folder in A43 file manager in a snap.

Or you could use the CMD prompt to remove the hidden status and then run your AV/AS/AM scans in the bootable environment.

Bart-PE would fix this one in under an hour.

As it is, you might look into Panama Red's suggestion on a replacement recovery CD. Also, the machine might just have a recovery partition if it is newer.
Old 04-28-2006, 04:17 PM   #8   Cisridn (Member)
Quote:
Originally Posted by SWTF
You could pull out the folder in A43 file manager in a snap.


Bart-PE would fix this one in under an hour.
Thanks for the suggestion, SWTF.
Can you explain more about A43 file manager and Bart-PE, or provide a link to where I can get more information? I am not familiar with either one.

Thanks

I did check with eMachines and you can get a replacement Restore/Recovery CD. I was not able to get a price because you have to give the serial number, the store the computer was purchased from, and the date. I will have to find out what store and date the computer was purchased from.

Last edited by Cisridn; 04-28-2006 at 04:24 PM.
Old 04-28-2006, 08:00 PM   #9   Cisridn (Member)
Never mind the request, SWTF.
I was able to find information about A43 file manager and Bart-PE.
Old 04-28-2006, 08:13 PM   #10   SWTF (Member)
Sorry I wasn't able to check back sooner and explain... which I really should have done in the first place. Glad you managed to find some info though.
Old 04-28-2006, 11:01 PM   #11   Cisridn (Member)
No problem. Any tips that you have would be helpful.
I believe I have got the situation under control. I am still having a problem removing one folder: c:\Windows\Program Files\surfsidekick 3
When I try to delete it I get a message telling me the files cannot be accessed because they are in use by another program.
I think if I can remove this folder and the files in it I will stop getting the popup ads.
Old 04-29-2006, 11:01 AM   #12   glc (Forum Administrator)
You can try using MoveOnBoot.

http://www.snapfiles.com/get/moveonboot.html
Old 04-29-2006, 06:38 PM   #13   Cisridn (Member)
Thanks for the link, GLC.

To update the situation: after scanning the infected computer many times with A\V, Spybot and Ad-Aware SE, it appears that all malware infections have been removed, or at least tamed. I slaved the hard drive in my system to remove the surfsidekick folder and scanned again.
Currently reinstalling SP2.
Only thing left to do is remove the rundll error message that pops up after Windows finishes loading.

BTW, I did attrib -a -h -r -s for the System32 folder to get it to reappear.

Thanks everyone for their suggestions and tips.
Old 04-29-2006, 06:44 PM   #14   SWTF (Member)
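The thread names three manual steps: spot a System32 folder that malware has flagged Hidden+System (post #1), clear those attributes with attrib -a -h -r -s (post #13), and get rid of a folder that Windows refuses to delete because it is "in use by another program" (posts #11 and #12, where MoveOnBoot is suggested). The PowerShell below is an added example that does the same three things from a defender's seat; it is not code from this thread, from MoveOnBoot, A43 or Bart-PE. It assumes Windows PowerShell 3 or later on an elevated prompt, and the parameter names ($Root, -Fix, -ScheduleDelete) are illustrative choices, not anything the thread uses.

```powershell
<#
  Added example, not code from this thread or from any tool named in it.
  Assumptions: Windows PowerShell 3 or later, run from an elevated prompt;
  the parameter names ($Root, -Fix, -ScheduleDelete) are illustrative.

  1. Reports every directory directly under $Root carrying Hidden+System and
     warns if System32 itself is Hidden (the symptom in post #1).
  2. With -Fix, clears Archive/Hidden/ReadOnly/System on System32, the same
     effect as the thread's "attrib -a -h -r -s" (post #13).
  3. With -ScheduleDelete <folder>, registers a folder that is "in use by
     another program" (post #11) for removal at next boot through
     MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT), the mechanism reboot-delete
     utilities such as the one suggested in post #12 rely on.
#>
param(
    [string]$Root = $env:SystemRoot,
    [switch]$Fix,
    [string]$ScheduleDelete
)

$Hidden = [int]([IO.FileAttributes]::Hidden)
$System = [int]([IO.FileAttributes]::System)
# Everything "attrib -a -h -r -s" removes.
$StealthMask = [int]([IO.FileAttributes]::Archive) -bor $Hidden -bor [int]([IO.FileAttributes]::ReadOnly) -bor $System

function Test-HiddenSystem {
    param([IO.FileSystemInfo]$Item)
    $a = [int]$Item.Attributes
    return (($a -band $Hidden) -ne 0) -and (($a -band $System) -ne 0)
}

function Clear-StealthAttributes {
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path -Force
    $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band (-bnot $StealthMask))
    Write-Host ("cleared attributes on {0}; now: {1}" -f $Path, (Get-Item -LiteralPath $Path -Force).Attributes)
}

# --- 1. audit ---------------------------------------------------------------
$sys32 = Join-Path $Root 'System32'
if (([int](Get-Item -LiteralPath $sys32 -Force).Attributes -band $Hidden) -ne 0) {
    Write-Warning "$sys32 is marked Hidden. Windows does not ship it that way; treat this as a tampering indicator."
    if ($Fix) { Clear-StealthAttributes $sys32 }
}

Get-ChildItem -LiteralPath $Root -Directory -Force |
    Where-Object { Test-HiddenSystem $_ } |
    ForEach-Object {
        # Some Windows folders are legitimately Hidden+System, so this is a review
        # list rather than an automatic fix: compare it against a known-good machine.
        Write-Host ("Hidden+System directory: {0}  (last write {1})" -f $_.FullName, $_.LastWriteTime)
    }

# --- 3. delete-on-reboot for a locked folder ---------------------------------
if ($ScheduleDelete) {
    $sig = '[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]' +
           'public static extern bool MoveFileEx(string src, string dst, int flags);'
    $k32 = Add-Type -MemberDefinition $sig -Name 'MoveApi' -Namespace 'AddedExample' -PassThru
    $MOVEFILE_DELAY_UNTIL_REBOOT = 0x4   # with dst = null: delete src at next boot

    # Entries run in registration order at boot and a directory is only removed
    # once it is empty, so register the deepest children first and the folder last.
    $targets = @(Get-ChildItem -LiteralPath $ScheduleDelete -Recurse -Force |
                 Sort-Object { $_.FullName.Length } -Descending) +
               @(Get-Item -LiteralPath $ScheduleDelete -Force)
    foreach ($t in $targets) {
        if ($k32::MoveFileEx($t.FullName, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
            Write-Host "scheduled for deletion at reboot: $($t.FullName)"
        } else {
            Write-Warning ("could not register {0}: Win32 error {1}" -f $t.FullName,
                           [Runtime.InteropServices.Marshal]::GetLastWin32Error())
        }
    }
    Write-Host 'Queued entries are visible under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, value PendingFileRenameOperations.'
}
```

Run it with no switches first and read the audit output; only pass -Fix once you are sure the Hidden flag on System32 is not expected, and pass -ScheduleDelete only for a folder you have already identified as the adware's (the thread's surfsidekick example). The queued PendingFileRenameOperations value is worth checking after a reboot too: if it refills on its own, something still running on the box is re-registering work, which is the kind of sign that led the original poster to the restore-CD decision in post #16.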
MoveOnBoot is another good solution.

The attrib -a -h -r -s is what I'd have done with CMD in Bart-PE if A43 couldn't rip it out. Good work handling that infection. You're a pro!
Old 04-29-2006, 08:35 PM   #15   Cisridn (Member)
I believe I spoke too soon when I said it appears that the malware has been removed or at least tamed. The SP2 install failed and now I can't get to the Windows Update website.

You will have to hold off on my Pro status for now SWTF.

Other than that the system is running well. Does anyone have any ideas what is causing the Windows Update site not to load? I have tried a few steps that I found on the Microsoft support site but nothing has worked yet.
Old 04-30-2006, 06:51 PM   #16   Cisridn (Member)
Great News

My client decided to find their restore CD for the infected computer, after all the time and effort. This works out, because I was not able to get Windows Update to work anymore. I took that as a sign that the computer was still infected with some kind of malware. Since I have the restore/recovery CD I will do a low-level format of the hard drive and start out fresh.

I guess that's how things go sometimes. I am just thankful that I was reimbursed for my time and effort.

Thanks again for everybody's input and suggestions.