0

The night before last I had a very bad experience, and only managed to avoid a complete wipe and reload by the skin of my teeth.
I was downloading a file from a site I had used before, and my AV software trapped something called "Downloader". I stopped the download immediately. I then noticed that all the items in the system tray had been blanked out and replaced with "<" signs (like you get when it's hiding icons). I couldn't bring up Task Manager, and my other running software (Spy Sweeper) also reported a strange file it was quarantining.
I then found that my internet access seemed to have disappeared and that there was only minimal activity showing. I tried a reboot and Spy Sweeper popped up during the start up sequence to say it was deleting a file. However, when I logged back in the situation was the same - no system tray icons, no internet, no Task Manager. Help, I thought.
At that stage, I thought I might be in real trouble. I ran HijackThis but couldn't see anything obvious.
I had a thought to check if this was also happening on other accounts, so I managed to log out and log in to the alternative account.
Everything seemed fine, and then a window popped up (from WinPatrol) asking if I approved "c:\Documents and Settings\<name>\svchost.exe" as an addition to the startup folder. Oh, oh! Answer definitely NO. Is this the problem? Log back into my account and check the running processes.
Since I couldn't get Task Manager to come up, this could have been a problem, but WinPatrol allows me to check the startup processes and the running tasks. I could see the real svchost.exe (from Microsoft) plus an extra one without an owner. I disabled this and things came back to normal!!! When I looked at the HijackThis log I spotted that process (a bit late).
And now the kicker. When I look in my Documents and Settings folder there is no svchost.exe file (I have 'show hidden files' on in Explorer). So apparently the system can run a file I can't see in Explorer. I would like to be able to get rid of this file, but how?
I have run adsspy but this doesn't show anything. While it was running it showed itself scanning a directory called "c:\Documents and Settings\<name>\!" (with a "!"), that seemed to contain mostly zip files. I can't see anything called "!" under explorer, so what is this folder?
So what is going on?

0

I'd say either your antivirus software deleted it, or it's still hidden and not showing for some reason. I'm not familiar with the "!" directory but that doesn't necessarily mean it's malicious.

Try navigating to that account's D&S folder from another account; if there is an alternate virus that's keeping it hidden you should be able to see it that way.

This one could be annoying, because it will show all hidden folders, but it should show it if it's hidden in there. Go to the properties on the containing folder, check on hide; it will prompt you for whether or not to apply to containing folders: say yes, then hit apply (NOT OK; if you hit okay you're liable to never find the folder again), uncheck hide, and do the same "apply to files and subfolders" option. This should unhide all files inside that folder.

If you think it's hidden in a subfolder somewhere that you can't navigate to from Windows Explorer, try putting the directory into the address bar. It should put you right into it.

There's always the search features with the search hidden folders option enabled, but I haven't had tremendous luck with that.

0

Problem is that when I set up my account, I made my D&S folder hidden to other users. I can't see how to turn that off.

0

Finally sorted out what's happening. Strangely for me, I did not have "Hide protected operating system files" unchecked. Once I did that I could see both. I have deleted the svchost.exe file. The "!" directory is much more interesting. It contains 49,652 zip files all of length 15Kb, and named for a whole load of applications (games) for lots of different platforms. The only curious thing is that the size of the folder is 718 Mb and I'm sure I'd have noticed that much being downloaded (or would I?)
Thankfully I'm not going to be some kind of unwitting P2P node, so it has now been deleted and I think things are back to normal (I hope).
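
A read-only PowerShell check for the three things this thread turned on, added here as an example and not part of any post: items carrying both the Hidden and System attributes (what Explorer conceals while "Hide protected operating system files" is checked), svchost.exe processes running from outside the Windows system directories, and the contents of the per-user Startup folder. The `$ProfilePath` parameter and its default are assumptions; point it at the profile folder you want to inspect.

```powershell
# Added example: lists and reports only, deletes nothing.
# $ProfilePath is an assumed parameter; it defaults to the current user's profile.
param([string]$ProfilePath = $env:USERPROFILE)

# 1. Items with BOTH Hidden and System set. Explorer's "show hidden files"
#    alone does not reveal these; -Force makes Get-ChildItem list them.
#    Expect some legitimate entries as well; review what is unfamiliar.
$hs = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
"--- Hidden+System items in $ProfilePath ---"
Get-ChildItem -LiteralPath $ProfilePath -Force -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band $hs) -eq $hs } |
    Select-Object Mode, Length, LastWriteTime, FullName |
    Format-Table -AutoSize

# 2. svchost.exe processes whose image is not in System32 or SysWOW64.
#    Run elevated: without rights ExecutablePath comes back empty, which is
#    reported as 'path unavailable' rather than silently skipped.
$legitDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
"--- svchost.exe outside the system directories ---"
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    ForEach-Object {
        $dir = if ($_.ExecutablePath) { Split-Path -Parent $_.ExecutablePath }
        $verdict = if (-not $_.ExecutablePath) { 'path unavailable' }
                   elseif ($legitDirs -contains $dir) { 'expected location' }
                   else { 'UNEXPECTED LOCATION' }
        [pscustomobject]@{
            ProcessId = $_.ProcessId
            Path      = $_.ExecutablePath
            Verdict   = $verdict
        }
    } |
    Where-Object { $_.Verdict -ne 'expected location' } |
    Format-Table -AutoSize

# 3. Everything in the per-user Startup folder, hidden entries included.
$startup = [Environment]::GetFolderPath('Startup')
"--- Startup folder: $startup ---"
Get-ChildItem -LiteralPath $startup -Force -ErrorAction SilentlyContinue |
    Select-Object Mode, LastWriteTime, FullName |
    Format-Table -AutoSize
```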
