Persistent Virus Hiding in Hidden Directory - rmdir Access Denied [Solved]

soss - Last answered on Mar 4, 2017 at 11:59 PM by sosss

Downloaded something from GitHub, and appear to have a virus. It's pretty persistent, and didn't get picked up by Malwarebytes.

I've managed to find the location of the file and program, but fail to delete it permanently. The directory is 100% accessible, but invisible and looks empty. If you right click it, it'll show it has 1 file at 900kb's.

rmdir gives me "Access Denied."
I've set search options to "Show hidden files and folders", yet it still fails to show.
I've changed permissions.

Any help is appreciated. I want to get this off my machine asap.

To help you and prescribe the remedy, I must make a diagnostic and to do so, I require a report.

1. Open this link and download ZHPDiag :
(Don't be alarmed if the site is in French, it sometimes happens; the tool will take your system language. Allow the download; if you get a warning message, ignore it.) Click on the download button.

2. Save the file on your Desktop.

3. Double click on ZHPDiag.exe and follow the installation instructions.

(For Vista, Win 7 and 8 users, right-click to ensure you execute with admin rights.)

4. Double click on the ZHPDiag shortcut on your Desktop.

5. Click on Scan.
Wait for the tool to finish (may be a long time).

6. Close ZHPDiag.

7. To transmit the report, click on this link :

8. Search the directory where you installed ZHPDiag (usually C:\desktop\zhpdiag.txt).
9. Copy the url link obtained from tinyupload and paste it here in your reply.

CCM Moderator and Virus/Security Contributor
Ambucias (Moderator, 44756 posts, registered Monday February 1, 2010, last seen September 22, 2017) - Mar 4, 2017 at 05:32 PM
Thanks, hold on

You are in big trouble!

There is no antivirus protecting your system. Should you continue to browse on the web without an antivirus you will ruin your operating system.

There are three malware on your system now.

To remove them:

1. Download ZHPFix here

2. Select and copy all of the following bold lines.

Script ZHPFix
3 - CFD: 06/02/2017 - [] D -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ VPN
C:\Users\George\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.olark.com_0.localstorage
C:\Users\George\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.olark.com_0.localstorage-journal

3. Close all applications and open ZHP Fix
4. Click on the Import button and the lines will automatically paste themselves.
5. Click on the Go button to clean
6. Confirm by clicking OK
7. ZHP Fix will ask if you wish to empty the bin, click on your may take time
8. A report will appear on your desktop and on C:\ZHP\ZHPFix[R1].txt which you can copy and paste in your reply.
I haven't used an AV in years now. I rarely download from unknown sources. I'll eventually learn my lesson, but I honestly don't mind formatting my HDD if I really had to XD

Here's the report;

Rapport de ZHPFix 2015.10.19.9 par Nicolas Coolman, Update du 19/10/2015
Fichier d'export Registre :
Run by George at 3/4/2017 4:33:02 PM
High Elevated Privileges : OK
Windows 7 Ultimate Edition, 64-bit Service Pack 1 (Build 7601)

Recycle Bin emptied (01mn AMs)
Prefetcher emptied

========== Registry values ==========
ABSENT value Standard Profile: FirewallRaz :
ABSENT value Domain Profile: FirewallRaz :
REMOVES: FirewallRaz (Domain) : {7A86B23A-154E-4982-801E-144DE83EEFE1}
REMOVES: FirewallRaz (Domain) : {EA12E68D-E988-42E4-9DE0-505C9BCAECE3}
REMOVES: FirewallRaz (Private) : {5EB33F13-F06C-4B0D-BF37-82780577612C}
REMOVES: FirewallRaz (Private) : {281C3405-2552-4BB3-BE22-B310D5A26874}
REMOVES: FirewallRaz (Private) : TCP Query User{9B580144-7B83-4B96-889C-2603DAE9B197}C:\program files (x86)\steam\steamapps\common\paladins\binaries\win32\paladins.exe
REMOVES: FirewallRaz (Private) : UDP Query User{50B6A797-8796-4B76-82E5-09EC18745DF1}C:\program files (x86)\steam\steamapps\common\paladins\binaries\win32\paladins.exe
REMOVES: FirewallRaz (Private) : {3AB876C9-3554-471C-8158-5B2E7C94E6BA}
REMOVES: FirewallRaz (Private) : {42D6B01F-8346-4B8C-A32F-2AA1CF75F0A3}
REMOVES: FirewallRaz (Private) : TCP Query User{6B5E8F6B-BE2E-4A3A-8478-7E2FCAA1F9C8}C:\users\george\desktop\superswag bot\phantomjs.exe
REMOVES: FirewallRaz (Private) : UDP Query User{C79F0C3F-3539-4C89-BABB-F87F308D86E1}C:\users\george\desktop\superswag bot\phantomjs.exe

========== Folders ==========
Deletes temporary Windows (12)
REMOVES Flash Cookies (0)

========== Files ==========
Deletes temporary Windows (505) (487,840,748 octets)
REMOVES Flash Cookies (0) (0 octets)

========== Other ==========
NON-TREATY 3 - CFD: 06/02/2017 - [] D -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ VPN

========== Summary ==========
12 : Registry values
2 : Folders
2 : Files
1 : Other

End of clean in 03mn AMs

========== Path to file report ==========
C:\Users\George\AppData\Roaming\ZHP\ZHPFix[R1].txt - 3/4/2017 4:33:04 PM [1994]
soss - Mar 4, 2017 at 07:35 PM
This is soss btw. Had autofill for my name.
Problem has been fixed.

HKLM\...\RunOnce: [GoogleWebUpdater] => cmd /c "start "GoogleWebUpdater" "C:\Program Files (x86)\Client\GoogleWebUpdater.exe"
C:\Program Files (x86)\Client
HKU\S-1-5-21-4232678915-1373507776-2741593813-1000\...\Winlogon: [Shell] explorer.exe,"C:\Windows\system32\GoogleWebUpdaters.exe" <==== ATTENTION
Google Update Helper (x32 Version: - Google Inc.) Hidden
AlternateDataStreams: C:\Users\George:Heroes & Generals [38]
CMD: ipconfig /flushDNS
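
An added example, not part of the thread or of any tool mentioned in it: the lines in the final post point at three places worth checking on a Windows host (a RunOnce autorun, a per-user Winlogon Shell value with something appended after explorer.exe, and an alternate data stream on the profile folder). This Python code parses lines of that shape and extracts what each one refers to; the regexes, function names and field names are assumptions based only on the three lines shown.

```python
import re

# Sample input: three lines copied from the last post in the thread.
SAMPLE = r'''HKLM\...\RunOnce: [GoogleWebUpdater] => cmd /c "start "GoogleWebUpdater" "C:\Program Files (x86)\Client\GoogleWebUpdater.exe"
HKU\S-1-5-21-4232678915-1373507776-2741593813-1000\...\Winlogon: [Shell] explorer.exe,"C:\Windows\system32\GoogleWebUpdaters.exe" <==== ATTENTION
AlternateDataStreams: C:\Users\George:Heroes & Generals [38]'''.splitlines()

# Line shapes are inferred from the sample above (assumption, not a documented format).
AUTORUN = re.compile(r'^(HK[^\\]+)\\.*?\\(Run(?:Once)?): \[([^\]]+)\] => (.*)$')
SHELL = re.compile(r'^(HK[^\\]+)\\.*?\\Winlogon: \[Shell\] (.*?)(?:\s*<==== ATTENTION)?$')
ADS = re.compile(r'^AlternateDataStreams: (.+):(.+) \[\d+\]$')


def extra_shell_commands(value):
    """Return every entry of a Winlogon Shell value other than bare explorer.exe.

    The Windows default for this value is just "explorer.exe"; anything listed
    after a comma is also started at logon, so each extra entry needs review.
    A full path to explorer.exe is reported too, since only the bare name is default.
    """
    entries = [e.strip().strip('"') for e in value.split(',')]
    return [e for e in entries if e and e.lower() != 'explorer.exe']


def classify(line):
    """Map one report line to a finding dict, or None if it is not recognised."""
    m = AUTORUN.match(line)
    if m:
        return {'kind': 'autorun', 'hive': m[1], 'key': m[2],
                'name': m[3], 'command': m[4]}
    m = SHELL.match(line)
    if m:
        return {'kind': 'winlogon-shell', 'hive': m[1],
                'extra': extra_shell_commands(m[2])}
    m = ADS.match(line)
    if m:
        # The greedy first group stops at the last colon, so "C:" stays in the host path.
        return {'kind': 'ads', 'host': m[1], 'stream': m[2]}
    return None


def audit(lines):
    """Classify every line and drop the ones that match no known shape."""
    return [f for f in map(classify, lines) if f]


if __name__ == '__main__':
    for finding in audit(SAMPLE):
        print(finding)
```
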