Fakefolder and Dorkbot

Hi all

Picked up a nasty virus called FakeFolder-b

What it does is change all my folders into shortcuts/.lnk files

I’ve got avast, and it detects the problem, and apparently deletes it but won’t let me access/run the files

Files are on my external drives.

Anyone got any ideas on how to permanently get rid of this damn virus and make it so I can access my external files again?

All help appreciated.

Thanks

Treadders

Edit: Microsoft Security Essentials says it’s “Win32/Dorkbot!lnk” as the issue

PS: Found this on VirusTotal, which describes the virus and details. I’m not 100% sure it’s exactly the same but sounds very much like it:

This virus changes the folders into shortcuts, all the data will be changed to shortcuts and it will be unusable, it will show the path as "%windir%\system32\cmd.exe /c “start %cd%RECYCLER\e5188982.exe &&%windir%\explorer.exe %cd%DATA RECOVERY”.
Please provide a solution to get my data back, any antivirus company can help me to get my data back please

we need some logs http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

Here’s the log WITHOUT my external drives attached:

(about to run again with hard drives attached)

AdwCleaner v2.112 - Logfile created 02/24/2013 at 09:35:59

Updated 10/02/2013 by Xplode

Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

User : Greg - GREGLSPPY

Boot Mode : Normal

Running from : C:\adwcleaner0.exe

Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

File Deleted : C:\Users\Greg\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\QuickStores.url
File Deleted : C:\Users\Greg\AppData\Roaming\Microsoft\Windows\Start Menu\QuickStores.url
File Deleted : C:\Users\Greg\AppData\Roaming\Mozilla\Firefox\Profiles\ca0z7hb5.default\searchplugins\daemon-search.xml
File Deleted : C:\Users\Greg\Desktop\QuickStores.url
Folder Deleted : C:\Program Files (x86)\Mozilla Firefox\Extensions\quickstores@quickstores.de
Folder Deleted : C:\ProgramData\Partner
Folder Deleted : C:\Windows\assembly\GAC_MSIL\QuickStoresToolbar

***** [Registry] *****

Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\PIP
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\Software\PIP
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID{826D7151-8D99-434B-8540-082B8C2AE556}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}]

***** [Internet Browsers] *****

-\ Internet Explorer v9.0.8112.16464

[OK] Registry is clean.

-\ Mozilla Firefox v18.0.2 (en-GB)

File : C:\Users\Greg\AppData\Roaming\Mozilla\Firefox\Profiles\ca0z7hb5.default\prefs.js

C:\Users\Greg\AppData\Roaming\Mozilla\Firefox\Profiles\ca0z7hb5.default\user.js … Deleted !

[OK] File is clean.

File : C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\r7ln1cs3.default\prefs.js

[OK] File is clean.

-\ Google Chrome v24.0.1312.57

File : C:\Users\Greg\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.


AdwCleaner[S1].txt - [2633 octets] - [24/02/2013 09:35:59]

########## EOF - C:\AdwCleaner[S1].txt - [2693 octets] ##########

(about to run again with hard drives attached)
wait with that until told so by the removal expert

and attach the rest of the logs…not copy and paste

Thanks for the help mate, about to post now :slight_smile:

Ok, run Adwcleaner and have attached the logs

Log is with the hard drive attached and if anyone is interested also have the log without the drive attached.

Thanks

Treadders

malware remover will be notified when all logs are attached

Managed to get rid of it…took a while, but it’s all back now