# Malware transforms folders into .exe files (USB drive)



## Mr. Stark

Good morning/afternoon/evening.

After plugging my flash drive (a Kingston DT101 32GB) into a colleague's computer, when I got home and plugged it into my laptop (Windows 7, Home Premium SP1 64-bit) the folders started turning into .exe files. I deleted 3 of them, thinking it was a bug of some sort, but when all folders turned into files (it was progressive), I suspected there was malware in action. 

After looking at some threads talking about the matter (most from 2 years ago), I downloaded Panda USB Vaccine, Flash Disinfector and Combofix. After using Panda with no errors, I started Flash Disinfector but it didn't work (later I discovered it only works on Windows XP). I started combofix but when it talked about 'attempting to create a windows recovery (thingy)' I quickly shut it down.

No folders, at least that I know of, turned into .exe files on the laptop, so I assume it hasn't been infected. How can I recover the files in my flash drive, without Flash Disinfector? Can those folders whose .exe files I deleted be recovered? There are important files to me in them. 

Thank you for your attention.


----------



## Mr. Stark

Bump. 

I know it hasn't been 72 hours but this really is time-sensitive: I need the data in the flash drive for tomorrow night and there'll be hell to pay if I don't have it.


----------



## Ried

Hello MrStark,

We need more info in order to attempt to help you here. Download *rsit.exe* and save it to your desktop.
Double click on *RSIT.exe* to run it.
Click *Continue* at the disclaimer screen.
Once it has finished, two logs will open. I only need to see the contents of the *log.txt*.
Please post the contents in your next reply.

As far as being able to recover what you deleted from the flash drive, you'd have to look in the Recycle Bin on the machine you used with the flash drive and see if they are still there.


----------



## Mr. Stark

Ried said:


> Hello MrStark,
> 
> We need more info in order to attempt to help you here. Download *rsit.exe* and save it to your desktop.
> Double click on *RSIT.exe* to run it.
> Click *Continue* at the disclaimer screen.
> Once it has finished, two logs will open. I only need to see the contents of the *log.txt*
> Please post the contents in your next reply.
> 
> As far as being able to recover what you deleted from the flash drive, you'd have to look in the Recycle Bin on the machine you used with the flash drive and see if they are still there.


Hello, Ried!

Thank you for replying. The requested log is annexed. However, I noticed it only talks about the computer itself - not the flash drive, which was the one actually affected.


----------



## Ried

I understand that, but it also shows me mountpoints, which would be a clue for me. :winkgrin:

I'll review this log in a bit and have the next set of instructions for you in approx 30 minutes.


----------



## Ried

I'm back early. :smile:



> I started combofix but when it talked about 'attempting to create a windows recovery (thingy)' I quickly shut it down.


Since this is a Windows 7 machine, you must have meant system restore point or Erunt backup, correct? Windows Recovery Console would only apply to an XP machine.

Please delete your existing ComboFix.exe and download the latest version from *here*

========================================


*Insert the affected flash drive.*

========================================


*Disable your AntiVirus and AntiSpyware applications* as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic *How to disable your security applications*


====================================================


Double click on combofix.exe & follow the prompts.


When finished, it shall produce a log for you. Please include the *C:\ComboFix.txt* in your next reply for further review and an update on the flash drive files.


----------



## Mr. Stark

After an awfully long time during which ComboFix prepared its report... here it is, annexed.

Yes, system restore point. I didn't really stop to correct the name, heh.


----------



## Ried

Did you have the flash drive inserted when you ran ComboFix?

Are the folders still .exe files?


----------



## Mr. Stark

Ried said:


> Did you have the flash drive inserted when you ran ComboFix?
> 
> Are the folders still .exe files?


1 - Yes, I did have it inserted.

2 - No... the .exe files disappeared. Weird. I didn't touch them.

P.S.: The data is still there though - all 14 GBs.


----------



## Ried

And you can open the folders and the files within are readable? All is well?


----------



## Mr. Stark

Ried said:


> And you can open the folders and the files within are readable? All is well?


Oh, if only. It's back to the way it was when I started this thread - though without the .exe files. I can find squat.


----------



## Ried

Ok. Download Unhide.exe and save it to the desktop. Make sure the flash drive is still inserted, and run Unhide.exe.

Let me know how that worked out for you.


----------



## Mr. Stark

It is running.

One thing, though - I uh, just remembered that I used Panda USB Vaccine (If I'm correct, it stops flash drives' autorun.inf from running). Does the action taken interfere with any of your suggestions? 

http://www.myfacewhen.net/uploads/516-poker-face.jpg

Edit: The url is not a virus or anything - lol - just the (in)famous meme.


----------



## Mr. Stark

The program ran successfully but even after rebooting the computer (with the flash drive always plugged in), nothing seems to have changed. When I started the computer, it was incredibly slow, but it's okay now.

So... still without the folders showing up, the .exe files aren't there.


----------



## Ried

There are a couple of things I have in mind for you to try. Before I type out the suggestion, do you have another flash drive of your own that you can use, and the ability to have both flash drives inserted?


----------



## Mr. Stark

Yes, I do, it has around 5 GBs of free space in it. And the laptop has 4 USB ports so yes.


----------



## Ried

Great. First, let's see if you can view those files from outside of Windows.

To make this less confusing for this round, just have the messed up flash drive inserted.

Restart your computer and tap F8 to bring up the Advanced Menu, then click *Repair your computer*

Follow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.

In the next menu, use the arrow keys on the keyboard to highlight *Command Prompt* and press Enter.

In the command window type in *notepad* and press *Enter*.
When notepad opens, click File at the top and select *Open*.
Select "Computer" and find your flash drive letter and remember it. Close notepad.
Now let's see if you can view the files and folders on that drive. In the command window type the following:

*cd /d e:\* and press *Enter*.

*Note:* Replace letter *e* with the drive letter of your flash drive.

Can you see the files and folders of that drive?


----------



## Mr. Stark

Hello! I won't be able to do this until tomorrow afternoon, since it's quite late here and I must work tomorrow.

Just saying. I'll remove this when I have news about the progress.


----------



## Ried

Ok, I understand. If you can see the files and folders, don't copy them yet. Boot back into Normal Mode and keeping that flash drive inserted, run an online scan at Eset.

Turn off the real time scanner of any existing antivirus program while performing the online scan
Tick the box next to *YES, I accept the Terms of Use.*
Click *Start*
When asked, allow the activex control to install
Click *Start*
Make sure that the option *Remove found threats* is *unticked*


Click on *Advanced Settings* and ensure these options are ticked:
*Scan for potentially unwanted applications*
*Scan for potentially unsafe applications*
*Enable Anti-Stealth Technology*

Click *Scan*
Wait for the scan to finish
If any threats were found, click the *'List of found threats'*, then click *Export to text file...*. 
Save it to your desktop, then please copy and paste that log as a reply to this topic.


----------



## Mr. Stark

Hey, back from work.

I'm in Command Prompt, and after having used your given command, and having typed 'dir', only the files showed up. It says there are 37 files (seems true, haven't checked it yet), and 0 folders, with 15.xxx.xxx.xxx bytes available; the bytes being used, however, are only 23.xxx.xxx, and the maximum amount is 32.xxx.xxx.xxx. So, they must be there, but they don't show up.

Should I follow the instructions you gave on your last reply?


----------



## Ried

Yes, proceed with scanning with Eset and let's see what turns up. Remember, uncheck 'Remove found threats'.


----------



## Mr. Stark

And I'm back, sorry for the delay.

Good (and neutral) news: The scanner found all files. Neutral: It found no threats, and uh, it didn't give me the option for a text file.

So, what now, Ried?


----------



## Ried

Hiya,

The scanner saw all the files on the usb stick even though you can't see them? Am I understanding you correctly? If so, then transfer the files from the usb stick, to your desktop machine, format that usb stick and put them back on.


----------



## Mr. Stark

Yes. The scanner detected them, though I still can't see them.

How can I accomplish that? I can see no way to move them without some kind of program.


----------



## Ried

Copy them via the Recovery Environment>Command Prompt. Repeat the procedure in Post 17 to access that flash drive.

Once you're at the e:\ prompt (or whatever drive the flash drive is assigned) enter *dir* to see contents. 

Depending on how many files you have on the flash drive, this can be a bit tedious but use the *copy* command to get them to your C:\ drive 

Since you're already at the e:\ prompt, there's no need to enter that drive letter. Just type in copy <filename with extension> c:\ 

(or the path to whatever folder you want to copy these to on the C:\ drive.) 

Example:

*copy filename.txt c:\*

You could create a new folder on C:\ before you enter the Recovery Environment such as C:\Windows\Flash Drive. If you do that, then your command from Recovery Environment Command Prompt would be:

*copy filename.txt c:\Windows\Flash drive*


----------



## Mr. Stark

Hello there,

It seems that, not unlike the previous time, only those 37 files (the ones NOT in folders) show up via Recovery Environment > Command Prompt.

So ESET sees them, but Windows doesn't.


----------



## Ried

I'm sorry, I'm getting a bit confused - it's difficult to envision when I can't see what you're seeing.

How many files are 'missing'? Are any of them in the folders?


----------



## Mr. Stark

Okay, let's contrast the situations from before the virus or whatever it was and now.

Before: There were 37 files outside folders, a few hundred inside folders. All files can be seen normally, there are no hidden files / folders or anything, aside from the usual. (no need to detail.)

Now: There are 37 files (outside folders), same as the ones aforementioned, and nothing else. While the ESET test saw those few hundred inside folders, nothing else tested - be it Recovery Console + Command Prompt, unhide, ComboFix, anything that you said here - sees them.

Any more doubts? I can take printscreens or a video if you prefer.


----------



## Ried

Got it, thanks. :smile:

When we ran unhide.exe, it should have addressed hidden files on that flash drive as long as it was plugged in. Operative word being 'should have'.

Recovery Environment also should have been able to see those folders and their contents - Windows is not loaded while in the RE, therefore any hidden or other attributes that may be involved would not apply.

To be clear, you said no Folders showed up in the directory via command prompt in RE, correct?


----------



## Mr. Stark

Precisely. Simply the infamous 37 files and 0 folders.

Gonna try out that technique with 2 flash drives that you mentioned?


----------



## Ried

Yes, I'd like to try that now. Download *Farbar Recovery Scan Tool x64* and save it to that spare flash drive.

Ensure both flash drives are plugged in before you continue. 

Same as earlier, restart your computer and tap F8 to bring up the Advanced Menu, then click *Repair your computer*

Follow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.

In the next menu, use the arrow keys on the keyboard to highlight *Command Prompt* and press Enter.

You need the drive letters that each of your flash drives have been assigned while in RE. To do that:

In the command window type in *notepad* and press *Enter*.
When Notepad opens, under File menu select *Open*.
Select "Computer" and find your flash drives. You can open each drive this way as well. Figure out which one has FRST64.exe on it, and which one is the drive that has the problem. Write down the letters for each drive.

Still with Notepad open, type the following into Notepad:



Code:

    Folder: e:\

*Note*: Replace letter *e* with the drive letter of the flash drive that has the problem.

Next, save the file, but it must be saved as *Fixlist.txt* and must be _saved to the drive that has FRST64.exe_ on it. 

Once you've completed that, close notepad and back in the command prompt, enter the following:

*cd /d F:\frst64.exe*

*Note*: Replace letter *F* with the drive letter of the flash drive that has FRST64.exe on it.

The tool will open. Click the *Fix button* only once, and wait. When it has completed, a message will pop up advising you. The log will have been saved on the flash drive that contains FRST64.exe, and be named *Fixlog.txt*. Please attach that to your next post.


----------



## Mr. Stark

There it is, annexed.

I noticed a few thousand files ending with .CHK, we can recover them, right?


----------



## Mr. Stark

There it is, annexed.

By the way, I noticed a few thousand files with .CHK endings.

They're recoverable, right? Or they're not actual files, as in .ppt's, .exe's, etc?


----------



## Ried

> By the way, I noticed a few thousand files with .CHK endings.


Did you run chkdsk on that drive? Those FOUND.000 folders are created when you run chkdsk. The .chk files within that folder, are created to save any lost data during the chkdsk fix.

Back to the list:



> ATTENTION: THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.


We needed that Fixlist.txt to be run from within the Recovery Environment. Ensure the flash drives are both inserted and that they are assigned the same drive letters that I see in the log you posted:

H:\ <-- flash drive with FRST64.exe on it, and the Fixlist.txt
G:\ <-- flash drive you're having trouble with

_Provided the same letters are assigned as noted above_, do the following:

Restart your computer and tap F8 to bring up the Advanced Menu, then click *Repair your computer*

Follow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.

In the next menu, use the arrow keys on the keyboard to highlight *Command Prompt* and press Enter.


In the command window type in the following and press Enter:

*cd /d h:\frst64.exe*


The tool should start to run. Click the *Fix button* once, and wait until it says it has completed and produced Fixlog.txt


This Fixlog.txt will have overwritten the previous one on the flash drive. Attach that new Fixlog.txt please.

Also -- in that Fixlog.txt, do you see any of the Folders that you say are missing? If not, can you give me the name of one of the Folders you think should be there, but you cannot see?


----------



## Mr. Stark

No, I don't think I ever ran chkdsk on it. It's there though, 10000 files.

Last time I ran it correctly, through the Recovery Console and everything like you instructed. Weird. I double-checked my every action this time, though.

If you get confused with which drive is G:\ and which is H:\ in checklog, I got a bit confused at first too, for even though I put the flash drives in the correct positions FRST64.exe only saw the one I'm having trouble with as "H:\", and the one with FRST64.exe as "G:\" .

Okay... So here's the situation, from my user, non-programmer point of view:

1 - The folders (or at least most of them, I am unable to confirm the presence of all in Fixlog.txt) previously in the flash drive can be accessed manually. (I got their names from the log.) When I took a look at properties, every folder was marked as "dead file" (or something like that), "read-only" and occult. The occult option, though, was the only one in a grey palette, meaning I can't manually uncheck it.

2 - Most of the files that were in the folders, before the malware infected the flash drive, aren't quite there. There are only a few files showing up (most of the time the amount can't even reach half of the width of a full-screen window - that is, the average is less than 6 or something like that).

3 - As I opened a few files, I noticed Word, PowerPoint and image files worked fine, but .pdf didn't work. Only a few images showed up, but no text at all. It is a bit.. distressing.


----------



## Mr. Stark

Hello there, Ried;

You haven't answered for some time so I assume you believe the problem is solved, or something like that. As with my last post, there are many files that were there before the malware attacked the USB flash drive, but aren't there anymore. Also, files with the .pdf extension do not show the text in them, only the images.

Is there any solution to either / both of these problems?

Again, thanks. I'm awaiting your answer.


----------



## Ried

Hi, no I did not think this was resolved, just lost track of you due to the time that passed for you to reply. 

The only other option I can think of at this point is to use the command prompt to change attributes.

Assuming the flash drive is the G:\ drive.....

Click Start>All Programs>Accessories and locate *Command Prompt*. Right click Command Prompt to run as Administrator.

At the prompt, type in the following:

*attrib -s -h -a g:\ /s /d*

Let me know how that worked out for you.


----------
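Both the Recovery Environment listing that reported "37 files and 0 folders" and the closing `attrib -s -h -a g:\ /s /d` step come down to the same thing: this kind of USB malware sets the Hidden and System attributes on every real folder and drops a same-named .exe beside it, and a plain `dir` skips Hidden and System entries. The script below is an added example written for this page, not code from the thread, from Unhide.exe, FRST or any other tool mentioned; the directory listing it operates on is constructed inline, and the attribute constants are the standard Windows values from winnt.h. It shows why the folders vanished from the listing, how to spot the folder-mimic pairs, and what clearing the attributes restores.

```python
"""Model of the 'folders turned into .exe files' pattern and of the
attrib-based recovery. Added example; the listing below is constructed."""
import os
from dataclasses import dataclass
from typing import List, Tuple

# Windows file-attribute bits as defined in winnt.h.
FILE_ATTRIBUTE_READONLY = 0x01
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
FILE_ATTRIBUTE_DIRECTORY = 0x10
FILE_ATTRIBUTE_ARCHIVE = 0x20


@dataclass(frozen=True)
class Entry:
    """One directory entry: its name and its raw attribute bits."""
    name: str
    attrs: int

    @property
    def is_dir(self) -> bool:
        return bool(self.attrs & FILE_ATTRIBUTE_DIRECTORY)


# Constructed root listing of an infected stick: each real folder was given
# Hidden+System and a same-named .exe was dropped next to it.
SAMPLE_ROOT: List[Entry] = [
    Entry("Reports", FILE_ATTRIBUTE_DIRECTORY | FILE_ATTRIBUTE_HIDDEN
          | FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_READONLY),
    Entry("Reports.exe", FILE_ATTRIBUTE_ARCHIVE),
    Entry("Photos", FILE_ATTRIBUTE_DIRECTORY | FILE_ATTRIBUTE_HIDDEN
          | FILE_ATTRIBUTE_SYSTEM),
    Entry("Photos.exe", FILE_ATTRIBUTE_ARCHIVE),
    Entry("Public", FILE_ATTRIBUTE_DIRECTORY),
    Entry("notes.txt", FILE_ATTRIBUTE_ARCHIVE),
]


def visible(entries: List[Entry]) -> List[Entry]:
    """What a plain `dir` (without /a) shows: Hidden and System entries are
    skipped, which is why the RE listing in the thread showed 0 folders."""
    return [e for e in entries
            if not e.attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM)]


def hidden_system_dirs(entries: List[Entry]) -> List[str]:
    """Folders carrying both Hidden and System: the tell-tale of this pattern."""
    flags = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
    return [e.name for e in entries if e.is_dir and (e.attrs & flags) == flags]


def find_folder_mimics(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Pair each .exe with a hidden or system folder of the same base name."""
    dirs = {e.name.lower(): e for e in entries if e.is_dir}
    hits = []
    for e in entries:
        if e.is_dir or not e.name.lower().endswith(".exe"):
            continue
        folder = dirs.get(e.name[:-4].lower())
        if folder is not None and folder.attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM):
            hits.append((e.name, folder.name))
    return hits


def unhide(entries: List[Entry]) -> List[Entry]:
    """Model of `attrib -s -h -a <path> /s /d`: clear System, Hidden and
    Archive on every entry; Read-only and Directory are left untouched."""
    keep = ~(FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_ARCHIVE)
    return [Entry(e.name, e.attrs & keep) for e in entries]


def read_directory(path: str) -> List[Entry]:
    """Read a real directory. The attribute bits come from st_file_attributes,
    which os.stat only provides on Windows; elsewhere only Directory is set."""
    out = []
    with os.scandir(path) as it:
        for d in it:
            st = d.stat(follow_symlinks=False)
            fallback = FILE_ATTRIBUTE_DIRECTORY if d.is_dir(follow_symlinks=False) else 0
            out.append(Entry(d.name, getattr(st, "st_file_attributes", fallback)))
    return out


if __name__ == "__main__":
    import sys
    # Pass a drive root (e.g. G:\) to inspect a real stick; default is the sample.
    root = read_directory(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ROOT
    print("visible folders :", [e.name for e in visible(root) if e.is_dir])
    print("hidden+system   :", hidden_system_dirs(root))
    print("folder mimics   :", find_folder_mimics(root))
    print("after unhide    :", [e.name for e in visible(unhide(root)) if e.is_dir])
```

Two points the model makes concrete: `dir /a` in the Recovery Environment would have listed the hidden folders that the plain `dir` skipped, and `attrib` refuses to clear Hidden on an entry that is also System unless both `-s` and `-h` are given together, which is why the command in the last post clears both. The script only reads attributes; resetting them on a real drive is still the `attrib` command from the thread.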

