Deprecated - Microsoft Windows OS (XP/NT/Vista) Forum

    
Removing files undetected by Windows
DXL
msg:1569617, 1:08 am on Apr 21, 2006 (gmt 0)

A virus on my PC created an .exe file that is collecting saved passwords and other data and sending it to someone (I know for a fact that my security has been compromised).

AVG lists the .exe file when doing a scan (it shows up as clean even though it's a known trojan), but looking at the folder it's supposed to be in through Windows 2000 (NT) doesn't show the file. I used a rootkit revealer program; it also detected nothing. How can I remove the file if Windows doesn't see it?

 

bill
msg:1569618, 1:54 am on Apr 21, 2006 (gmt 0)

If I had something like that on one of my systems I would be doing a complete reformat of my drives and reinstalling Windows from scratch. (Actually I'd just restore a clean backup image of Windows and all my software.) Who knows what else you might have in there.

However, your question was about how to delete this seemingly hidden file. Can you see the file in Safe Mode? How about via the DOS Window (Command Prompt)?

If you can't get at the file via those methods then you might want to look at booting from a CD and then zapping the file from there. BartPE or even a Linux CD like Knoppix will let you access your disk data without letting Windows boot at all.

DXL
msg:1569619, 3:29 am on Apr 21, 2006 (gmt 0)

I have a project that I wanted to complete tonight and was reluctant to reboot my PC into safe mode until I finished everything. I will definitely be rebooting in safe mode tonight, though.

How do I access DOS to see what's on my computer? What command line would I use to delete the bad file if I find it through DOS? I haven't used DOS in at least 10 years; I can't remember how to get to it, look for files or directories, or delete them.

bill
msg:1569620, 5:13 am on Apr 21, 2006 (gmt 0)

Start ¦ Run... type cmd into the Open: window and click OK. That brings up the command line window. Change to the location where the file is using the CD (Change Directory) command. See if the file shows up there. To delete a file type DEL filename.ext.

Tastatura
msg:1569621, 5:35 am on Apr 21, 2006 (gmt 0)

I had a similar issue. I used Windows Live security scan and it detected a 'bad' file; however, it could not remove it. I tried browsing the folder it was in, but it did not show up (in Explorer). I tried searching for it and still got no result. However, when I looked for it using the DOS window it showed up. I didn't erase it right away, but manually searched the registry for it and removed all instances/references to it. I then deleted it using the DOS prompt (same technique as bill described).

P.S. Among others, a useful tool to detect 'unusual' files is "HijackThis".

DXL
msg:1569622, 8:01 am on Apr 21, 2006 (gmt 0)

Unfortunately, the .exe file in question isn't showing up when I search using DOS. I'm also starting to notice that my PC is making running sounds when there aren't any programs being utilized, and nothing in the task manager seems out of the ordinary. My A: Drive tries to read a floppy disk every half hour or hour, even though there isn't a disk in there and I'm not running any programs while it happens.

I imagine someone is either remote accessing my PC or my computer is automatically trying to read and send info.

codeNirvana
msg:1569623, 9:57 am on Apr 27, 2006 (gmt 0)

Try
Start-->Run-->cmd.exe-->dir /AH to view a list of all hidden files.
Otherwise:
Tools-->Folder Options-->View-->select the option (View Hidden files)

However, it would be wise to do a fresh install of the OS and update Anti-virus/Anti-Spyware definitions/patches. Use a firewall, spam filters on mail and use strong passwords.

Hope this helps you.

DXL
msg:1569624, 11:08 am on Apr 27, 2006 (gmt 0)

I've tried all the means of revealing hidden files. You simply can't see the .exe file in DOS or Windows. It's still on my PC; I never could get it removed. I'm going to have to back all my data up and reformat, since none of the virus programs could remove the .exe file.

Grinler
msg:1569625, 4:10 am on May 17, 2006 (gmt 0)

Try F-Secure BlackLight... it may find it if RootkitRevealer does not.

Is your filesystem FAT or NTFS on your C: drive?

Also, what exactly is the filename that AVG is reporting?

[edited by: bill at 4:16 am (utc) on May 17, 2006]
[edit reason] URL not necessary [/edit]

DXL
msg:1569626, 4:19 am on May 17, 2006 (gmt 0)

msoff.exe is the virus file. I don't know what FAT or NTFS means with respect to my C drive.

bill
msg:1569627, 5:32 am on May 17, 2006 (gmt 0)

I don't know what fat or ntfs means with respect to my C drive.

Grinler is asking what the file system format of your C: drive is. MS has some info here: Overview of FAT, HPFS, and NTFS File Systems [support.microsoft.com] and here: NTFS vs. FAT: Which Is Right for You? [microsoft.com] among others...

Grinler
msg:1569628, 3:24 pm on May 17, 2006 (gmt 0)

Double click on the My Computer icon on your desktop and right click on the C: drive. Then click on Properties and it will tell you the type of filesystem it is.

If it's FAT, then you can download a bootdisk for XP or 6.22 and delete the file from the command prompt that opens. Do a Google search for bootdisk.

If, on the other hand, you have NTFS, it will become more difficult.

Msoff.exe is a trojan that steals online banking information. So once we get this cleaned, you may want to change any online banking passwords you use.

First things first, download Autoruns from Sysinternals and run it. When it is started, click on the Logon tab. Now look through the entries (prob under one of the Run keys) and see if you have one that has the name Microsoft office with the image path of msoff.exe.

If it exists, right click on it and delete it. Reboot and see if you can now see the c:\windows\system32\msoff.exe file. I do not believe this particular infection uses rootkits to hide it, so we may be safe in that aspect.

I would give you direct links to these tools, but I'm not sure how WebmasterWorld likes that.
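Grinler's Autoruns check (a Run-key entry named Microsoft office whose image path is msoff.exe) and codeNirvana's hidden-file listing, scripted together as an added example that is not from this thread or from any of its posters: it parses the text output of `reg query` on the Run key and of `dir /A` on the folder the entry points at, and flags any Run entry whose executable should sit in that folder but does not appear in the listing, which is exactly the symptom DXL describes. The two sample outputs are constructed; the key path and file names mirror the thread, and on a real machine you would paste in the actual command output.

```python
import ntpath
import re

# Constructed sample of `reg query HKCU\...\Run` output: a legitimate entry and
# one mimicking Microsoft Office that points at msoff.exe, the file in the thread.
REG_QUERY_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Microsoft office    REG_SZ    "C:\WINDOWS\system32\msoff.exe" /silent
"""
# Constructed sample of `dir /A C:\WINDOWS\system32` (hidden files included):
# msoff.exe is absent even though the Run key references it.
DIR_OUTPUT = r"""
04/21/2006  01:00 AM            45,056 ctfmon.exe
04/21/2006  01:00 AM            12,288 calc.exe
"""
REG_LINE = re.compile(r"^\s+(?P<name>.+?)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.*)$")
DIR_LINE = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\S+\s+\S+\s+(?:<DIR>|[\d,]+)\s+(?P<name>.+?)\s*$")

def image_path(data):
    """Return only the executable path from a Run value (drops quotes and arguments)."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.index('"', 1)]
    tokens = data.split()
    for i, tok in enumerate(tokens):  # unquoted path: stop at the first .exe token
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1])
    return tokens[0] if tokens else ""

def parse_run_values(reg_text):
    # value name -> executable it launches
    return {m["name"]: image_path(m["data"]) for m in map(REG_LINE.match, reg_text.splitlines()) if m}

def parse_dir_listing(dir_text):
    # lower-cased file names that the dir listing actually shows
    return {m["name"].lower() for m in map(DIR_LINE.match, dir_text.splitlines()) if m}

def find_suspicious_autoruns(reg_text, dir_text, listed_dir):
    """Flag Run entries whose executable belongs in listed_dir but is missing from its listing."""
    visible = parse_dir_listing(dir_text)
    findings = []
    for name, path in parse_run_values(reg_text).items():
        if ntpath.dirname(path).lower() != listed_dir.lower():
            continue  # only judge entries we have a listing for
        if ntpath.basename(path).lower() not in visible:
            findings.append({"name": name, "image_path": path,
                             "reason": "referenced by a Run key but absent from the dir listing"})
    return findings
```

A hit means the autorun entry is the reliable handle on the file: remove the entry as Grinler describes, reboot, and only then expect the executable to become visible and deletable.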

DXL
msg:1569629, 11:40 pm on May 19, 2006 (gmt 0)

It appears I use NTFS. Also, on those programs you mentioned, sticky me the links if you can.

bill
msg:1569630, 12:14 am on May 20, 2006 (gmt 0)

OT:
sticky me the links if you can

Simply entering the names of those software packages in any major Search Engine will get you to the appropriate pages.

Grinler
msg:1569631, 3:59 am on May 20, 2006 (gmt 0)

Just Google for these. Won't miss it.

Did you ever run BlackLight, btw?

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved