Persistent Virus Hiding in Hidden Directory - rmdir Access Denied
Solved/Closed
Ambucias (Moderator)
Mar 4, 2017 at 04:59 PM
To help you and prescribe the remedy, I must make a diagnostic, and to do so I require a report.
1. Open this link and download ZHPDiag:
https://nicolascoolman.eu
(Don't be alarmed if the site is in French; it sometimes happens. The tool will take your system language and allow the download. If you get a warning message, ignore it.) Click on the download button.
2. Save the file on your Desktop.
3. Double click on ZHPDiag.exe and follow the installation instructions.
(For Vista, Win 7 and 8 users, right click to ensure you execute with admin rights.)
4. Double click on the ZHPDiag shortcut on your Desktop.
5. Click on Scan.
Wait for the tool to finish (it may take a long time).
6. Close ZHPDiag.
7. To transmit the report, click on this link:
http://www.tinyupload.com/index.php
8. Search the directory where you installed ZHPDiag (usually C:\desktop\zhpdiag.txt).
9. Copy the URL link obtained from tinyupload and paste it here in your reply.
Ambucias
CCM Moderator and Virus/Security Contributor
http://s000.tinyupload.com/index.php?file_id=97525784931422757594
Ambucias (Moderator)
Mar 4, 2017 at 05:32 PM
Thanks, hold on
Ambucias (Moderator)
Mar 4, 2017 at 05:41 PM
Hi
You are in big trouble!
There is no antivirus protecting your system. Should you continue to browse the web without an antivirus, you will ruin your operating system.
There are three malware on your system now.
To remove them:
1. Download ZHPFix here:
https://nicolascoolman.eu
2. Select and copy all of the following bold lines.
Script ZHPFix
FirewallRaz
EmptyPrefetch
EmptyTemp
EmptyFlash
3 - CFD: 06/02/2017 - [] D -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\hide.me VPN
C:\Users\George\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.olark.com_0.localstorage
C:\Users\George\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.olark.com_0.localstorage-journal
3. Close all applications and open ZHPFix.
4. Click on the Import button and the lines will automatically paste themselves.
5. Click on the Go button to clean.
6. Confirm by clicking OK.
7. ZHPFix will ask if you wish to empty the bin; click on your choice. It may take time.
8. A report will appear on your desktop and in C:\ZHP\ZHPFix[R1].txt, which you can copy and paste in your reply.
I haven't used an AV in years now. I rarely download from unknown sources. I'll eventually learn my lesson, but I honestly don't mind formatting my HDD if I really had to XD
Here's the report;
ZHPFix report 2015.10.19.9 by Nicolas Coolman, updated 19/10/2015
Registry export file :
Run by George at 3/4/2017 4:33:02 PM
High Elevated Privileges : OK
Windows 7 Ultimate Edition, 64-bit Service Pack 1 (Build 7601)
Recycle Bin emptied (01mn AMs)
Prefetcher emptied
========== Registry values ==========
ABSENT value Standard Profile: FirewallRaz :
ABSENT value Domain Profile: FirewallRaz :
REMOVES: FirewallRaz (Domain) : {7A86B23A-154E-4982-801E-144DE83EEFE1}
REMOVES: FirewallRaz (Domain) : {EA12E68D-E988-42E4-9DE0-505C9BCAECE3}
REMOVES: FirewallRaz (Private) : {5EB33F13-F06C-4B0D-BF37-82780577612C}
REMOVES: FirewallRaz (Private) : {281C3405-2552-4BB3-BE22-B310D5A26874}
REMOVES: FirewallRaz (Private) : TCP Query User{9B580144-7B83-4B96-889C-2603DAE9B197}C:\program files (x86)\steam\steamapps\common\paladins\binaries\win32\paladins.exe
REMOVES: FirewallRaz (Private) : UDP Query User{50B6A797-8796-4B76-82E5-09EC18745DF1}C:\program files (x86)\steam\steamapps\common\paladins\binaries\win32\paladins.exe
REMOVES: FirewallRaz (Private) : {3AB876C9-3554-471C-8158-5B2E7C94E6BA}
REMOVES: FirewallRaz (Private) : {42D6B01F-8346-4B8C-A32F-2AA1CF75F0A3}
REMOVES: FirewallRaz (Private) : TCP Query User{6B5E8F6B-BE2E-4A3A-8478-7E2FCAA1F9C8}C:\users\george\desktop\superswag bot\phantomjs.exe
REMOVES: FirewallRaz (Private) : UDP Query User{C79F0C3F-3539-4C89-BABB-F87F308D86E1}C:\users\george\desktop\superswag bot\phantomjs.exe
========== Folders ==========
Deletes temporary Windows (12)
REMOVES Flash Cookies (0)
========== Files ==========
Deletes temporary Windows (505) (487,840,748 bytes)
REMOVES Flash Cookies (0) (0 bytes)
========== Other ==========
NOT PROCESSED 3 - CFD: 06/02/2017 - [] D -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\hide.me VPN
========== Summary ==========
12 : Registry values
2 : Folders
2 : Files
1 : Other
End of clean in 03mn AMs
========== Path to file report ==========
C:\Users\George\AppData\Roaming\ZHP\ZHPFix[R1].txt - 3/4/2017 4:33:04 PM [1994]
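The FirewallRaz section of the report above removed ten firewall rules, eight of which were created by the "Windows Security Alert" prompt (the "TCP Query User{GUID}<path>" entries, two of them for a phantomjs.exe sitting in a Desktop folder). Before wiping such rules wholesale it is worth seeing what they allow. The following script is an added example, not part of the thread and not code from ZHPFix: it reads the registry key the Windows Firewall stores its rules in (the same key FirewallRaz resets), parses the prompt-created entries, and flags inbound allow rules whose program lives outside Program Files or the Windows directory. The key path and the pipe-delimited value format are real; the choice of "trusted roots" is an assumption noted in the code.

```powershell
# Added example, not from the thread and not part of ZHPFix. Reads the registry key where the
# Windows Firewall keeps its rules (the key ZHPFix's FirewallRaz resets) and lists every rule
# that the "Windows Security Alert" prompt created, so they can be reviewed instead of wiped
# blindly. Works on Windows 7 and later; run from an elevated PowerShell.

$FirewallRulesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'

# Assumption: an inbound allow rule for a program outside these roots (a Desktop folder, %TEMP%,
# a profile directory) deserves a second look. Adjust to your environment.
$TrustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }

function Get-UserPromptFirewallRules {
    param([string]$Key = $FirewallRulesKey)

    $regKey = Get-Item -Path $Key
    foreach ($valueName in $regKey.GetValueNames()) {
        # Prompt-created rules are named "TCP Query User{GUID}<program path>" or
        # "UDP Query User{GUID}<program path>", exactly as they appear in the ZHPFix report.
        if ($valueName -notmatch '^(TCP|UDP) Query User\{') { continue }

        # Each value is a pipe-delimited string, for example:
        # v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\...\phantomjs.exe|Name=phantomjs.exe|...
        $fields = @{}
        foreach ($kv in ([string]$regKey.GetValue($valueName) -split '\|')) {
            $i = $kv.IndexOf('=')
            if ($i -gt 0) { $fields[$kv.Substring(0, $i)] = $kv.Substring($i + 1) }
        }

        $app = $fields['App']
        $inTrusted = $false
        foreach ($root in $TrustedRoots) {
            if ($app -and $app.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
        }

        $proto = $fields['Protocol']
        if ($proto -eq '6') { $proto = 'TCP' } elseif ($proto -eq '17') { $proto = 'UDP' }

        # A rule whose binary no longer exists is stale and can simply be removed.
        $exists = $false
        if ($app) { $exists = Test-Path -LiteralPath $app }

        New-Object PSObject -Property @{
            ValueName = $valueName
            Action    = $fields['Action']
            Direction = $fields['Dir']
            Protocol  = $proto
            Profile   = $fields['Profile']
            Program   = $app
            Exists    = $exists
            Suspect   = ($fields['Action'] -eq 'Allow' -and $fields['Dir'] -eq 'In' -and -not $inTrusted)
        }
    }
}

$rules = Get-UserPromptFirewallRules
$rules | Sort-Object Suspect -Descending |
    Format-Table ValueName, Protocol, Profile, Program, Exists, Suspect -AutoSize -Wrap

# To delete only the flagged rules instead of resetting the whole policy, drop -WhatIf:
# $rules | Where-Object { $_.Suspect } | ForEach-Object { Remove-ItemProperty -Path $FirewallRulesKey -Name $_.ValueName -WhatIf }
```

On this machine the two phantomjs.exe rules would be flagged (program under C:\users\george\desktop) while the Paladins rules under Program Files (x86) would not. Prompt-created rules only ever allow inbound traffic, so a flagged one tells you which program asked to listen on the network and from where; the firewall does nothing about that program's own outbound connections.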
Problem has been fixed.
Start
CreateRestorePoint:
CloseProcesses:
HKLM\...\RunOnce: [GoogleWebUpdater] => cmd /c "start "GoogleWebUpdater" "C:\Program Files (x86)\Client\GoogleWebUpdater.exe"
C:\Program Files (x86)\Client
HKU\S-1-5-21-4232678915-1373507776-2741593813-1000\...\Winlogon: [Shell] explorer.exe,"C:\Windows\system32\GoogleWebUpdaters.exe" <==== ATTENTION
C:\Windows\system32\GoogleWebUpdaters.exe
C:\Windows\SysWOW64\GoogleWebUpdaters.exe
C:\Windows\SysWOW64\GoogleWebUpdaters.exe.config
C:\Windows\System32\Tasks\GoogleWebUpdater
Google Update Helper (x32 Version: 1.3.32.7 - Google Inc.) Hidden
AlternateDataStreams: C:\Users\George:Heroes & Generals [38]
CMD: ipconfig /flushDNS
EmptyTemp:
end
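The fix above shows where the infection was anchored: a RunOnce value, a per-user Winlogon "Shell" value chaining explorer.exe with a look-alike "GoogleWebUpdaters.exe" in system32, a scheduled task, and an alternate data stream on the user profile directory. A program started from the Shell value is relaunched at every logon, and a directory whose executable is running cannot be removed, which is the usual cause of "Access Denied" from rmdir: the process holds the files open, so the persistence entries and the process go first, the folder last. The script below is an added example, not part of the thread and not FRST code: it inspects those four locations on a live system and checks the Authenticode signature of every program they launch, which is what separates a genuine Google updater from a file merely named like one. The helper names and the PowerShell 3.0 requirement for Get-Item -Stream are assumptions noted in the code.

```powershell
# Added example, not from the thread and not part of FRST. Checks the four persistence locations
# the final fix touched (Winlogon Shell, Run/RunOnce, scheduled tasks, alternate data streams on
# the profile) and verifies the signature of each launched program. Run elevated.
# Assumption: PowerShell 3.0 or later (needed for Get-Item -Stream; available on Windows 7 SP1 via WMF 3.0).

function Get-LaunchedProgram {
    # Extract the first absolute .exe path from a command line such as
    #   explorer.exe,"C:\Windows\system32\GoogleWebUpdaters.exe"
    #   cmd /c "start "GoogleWebUpdater" "C:\Program Files (x86)\Client\GoogleWebUpdater.exe"
    param([string]$CommandLine)
    $expanded = [Environment]::ExpandEnvironmentVariables([string]$CommandLine)
    if ($expanded -match '([A-Za-z]:\\[^"|,]+?\.exe)') { return $Matches[1] }
    return $null
}

function Test-ProgramSignature {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'missing' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return "unsigned or invalid ($($sig.Status))" }
    return "signed: $($sig.SignerCertificate.Subject)"
}

function New-Finding($Source, $Value, $Program) {
    New-Object PSObject -Property @{
        Source = $Source; Value = $Value; Program = $Program
        Signature = (Test-ProgramSignature $Program)
    }
}

function Get-PersistenceFindings {
    $findings = @()

    # 1. Winlogon Shell, machine-wide and for every loaded user hive. The only expected value is "explorer.exe";
    #    anything appended after a comma is launched alongside the desktop at each logon.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $winlogonKeys = @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
    foreach ($hive in (Get-ChildItem HKU:\)) {
        if ($hive.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$') {
            $winlogonKeys += "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
        }
    }
    foreach ($k in $winlogonKeys) {
        $shell = (Get-ItemProperty -Path $k -Name Shell -ErrorAction SilentlyContinue).Shell
        if ($shell -and $shell -ne 'explorer.exe') {
            $findings += New-Finding "$k\Shell" $shell (Get-LaunchedProgram $shell)
        }
    }

    # 2. Run / RunOnce entries (64-bit and WOW6432Node views, plus the current user).
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $runKeys) {
        $item = Get-Item -Path $k -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            $findings += New-Finding "$k\$name" $cmd (Get-LaunchedProgram $cmd)
        }
    }

    # 3. Scheduled tasks. schtasks works on Windows 7, where Get-ScheduledTask does not exist.
    #    The CSV output repeats its header line per task folder, so those rows are skipped.
    foreach ($t in (schtasks /query /fo CSV /v | ConvertFrom-Csv)) {
        if ($t.TaskName -eq 'TaskName') { continue }
        $prog = Get-LaunchedProgram $t.'Task To Run'
        if ($prog) { $findings += New-Finding "Task $($t.TaskName)" $t.'Task To Run' $prog }
    }

    # 4. Alternate data streams on the profile directory (FRST reported C:\Users\George:Heroes & Generals).
    $streams = Get-Item -LiteralPath $env:USERPROFILE -Stream * -ErrorAction SilentlyContinue |
               Where-Object { $_.Stream -ne ':$DATA' }
    foreach ($s in $streams) {
        $findings += New-Finding "ADS $($s.FileName):$($s.Stream)" "$($s.Length) bytes" $null
    }

    return $findings
}

Get-PersistenceFindings | Format-Table Source, Value, Signature -AutoSize -Wrap
```

Read the Signature column first: a real Google Update binary reports a valid Google signature, whereas a file that only borrows the name shows "unsigned or invalid" and usually sits in an odd place such as C:\Windows\system32 rather than Program Files (x86)\Google\Update. A stream on the profile directory can be dropped with `Remove-Item -LiteralPath $env:USERPROFILE -Stream '<name>'`; only after the Shell and RunOnce values are restored and the process is stopped will rmdir on the hidden folder succeed.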