Malware changing file types in Win7
posted on Dec, 12 2014 @ 02:03 AM
Hello again, computer experts of ATS.
I recently created a few threads detailing an issue I was having with being redirected to unwanted web pages after clicking links. I had done a bunch of scans on my computer with various software, and it seemed that no matter what I did, the problem would not go away. Finally, after running CCleaner, I found the apparent root source of the issue; 2 malicious browser plugins, which I appropriately deleted. They seem to be gone, at least for the time being.

However, I have a new and even more concerning issue at hand. Several files on my computer, around 520 of them, have had their "types" or extensions changed to the name of one of those plugins, "eastobuy". When you look at a file on your computer such as a picture, it might show as a jpg file, for example. However, these 520 or so affected files are showing as "eastobuy" files. In the attached picture below, you can see on the top, circled in red, where the file is showing as an eastobuy file, while on the bottom a jpg file is showing as a jpg file, as it should.
Many of these eastobuy files are within the Steam httpcache folder, but I'm particularly concerned about these system32 files being changed.

What exactly is going on here? I'm becoming a bit frustrated with this whole thing. I'll be going to bed, but I will definitely be keeping tabs on this discussion.
Thanks in advance. Any and all help is welcome.





posted on Dec, 12 2014 @ 02:40 AM
a reply to: trollz

When all else fails, I find that ComboFix on Bleepingcomputer.com will fix it. You might want to try that. It will take time though, be patient with it.

Also, if you want/need to delete it when you're done, check their forums. Different methods for different systems.



posted on Dec, 12 2014 @ 03:22 AM
It looks like the files with no extension were "hijacked" by that malware.

I don't know if it works or not, as I don't have that problem and I don't have Windows Vista or 7, the only operating systems this program works on, but you can try this and see if it works.



posted on Dec, 12 2014 @ 04:23 AM
a reply to: trollz

The AppCache folder is just a repository for the main Steam.exe application to obtain quick access to information downloaded from Steam regarding your account so that it does not need re-downloading each time.

Your inventory, purchase history, friend interactions and other account-related data is also copied here.

It typically contains two directories, "httpcache" and "stats". "httpcache" is a cache for the html pages that help make up your general Steam application, such as the News, Store and Community pages. Having the data locally makes it much faster to re-display. The "stats" directory is a similar cache for the data of your achievements and stats for the games as displayed under the Profile pages. Note: these are not the recorded achievements; editing these will not affect the game's achievements since this data is recalled from the information that has been collected on the servers. It's one-way only.

Aside from the two directories, there are some vdf files which apply to the 'Library' portion of the application: the games (& DLC/expansions)/Tools and Media (including, for example, the developer/publisher, metacritic scores etc.) and details, as well as your current and historical downloads.

-_________________-

Removing this folder will simply enable Steam.exe to re-download the information from the Steam servers. Theoretically, this should ensure only accurate and correct information is then present. You can't damage anything by removing the folder, since anything that Steam.exe does not find, but expects to be there, will be acquired from the server when next connected.



posted on Dec, 12 2014 @ 07:12 AM
If you already removed the malicious software, and you're confident that you have, then it looks like you need to go through your file associations and remove all of the associations for system files to that malicious program. Manual and tedious, but that looks to be your problem if you've removed the other malicious software and references.

CCleaner by itself is not enough. You'll also want to check out Malware Bytes... it's free for a while and will remove just about everything that's hiding around.

ComboFix is also another good tool for removal. Usually, you run ComboFix first (follow the instructions to the letter!), reboot, run it again, reboot, run Malware Bytes, reboot into Safe Mode, run Malware Bytes again (to verify that it worked and removed everything). Then run your normal anti-virus tools. If you are comfortable with the Windows Registry, you might need to go through and remove the registry keys that are related to that software that you removed. (the tools don't always get them). The most important place to look is in the "Run" and "RunOnce" keys of the registry. (Google to find their exact location). These are important because they get executed when you boot, so if there is an entry there, the malicious software could potentially keep downloading itself every time you re-boot.

Worst case, if you know a really good tech guy, get something like Team Viewer, LogMeIn (trial) or Windows Remote Desktop and let them log in to your computer remotely.

Hope this helps, and good luck!

~Namaste
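The post above points at two registry areas: the file-extension associations that decide what "type" Explorer shows for a file, and the Run/RunOnce autostart keys. As an added illustration (my own script, not code from anyone in this thread), here is a read-only PowerShell audit of both, written for the PowerShell 2.0 that ships with Windows 7. It assumes the plugin name "eastobuy" from the thread as the string to look for; the parameter, helper and variable names are mine.

```powershell
# Added example (not from the thread): read-only audit of file-extension associations
# and the Run/RunOnce autostart keys on Windows 7. Written for PowerShell 2.0 syntax.
# Assumption: the string to hunt for is the plugin name from the thread ('eastobuy');
# set $SuspectPattern to whatever name the scanner reported on your machine.
param(
    [string]$SuspectPattern = 'eastobuy'
)

# Note properties that Get-ItemProperty adds to every result; not real registry values.
$psNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-DefaultValue([string]$Path) {
    # Returns the (default) value of a registry key, or $null if the key is missing.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item) { return $item.'(default)' }
    return $null
}

Write-Output "== File associations whose ProgId matches '$SuspectPattern' =="

# System-wide associations: the default value of HKCR\.ext names the ProgId (e.g. 'jpegfile'),
# and HKCR\<ProgId>\shell\open\command is what actually runs when such a file is opened.
Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like '.*' } |
    ForEach-Object {
        $progId = Get-DefaultValue $_.PSPath
        if ($progId -and ($progId -match $SuspectPattern)) {
            New-Object PSObject -Property @{
                Scope     = 'HKCR'
                Extension = $_.PSChildName
                ProgId    = $progId
                OpenCmd   = Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
            }
        }
    }

# Per-user overrides: Explorer consults HKCU\...\FileExts\.ext\UserChoice before HKCR,
# so a hijacked association can live here even when HKCR still looks clean.
$fileExts = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts'
Get-ChildItem -Path $fileExts -ErrorAction SilentlyContinue |
    ForEach-Object {
        $choice = Get-ItemProperty -Path (Join-Path $_.PSPath 'UserChoice') -ErrorAction SilentlyContinue
        if ($choice -and $choice.ProgId -and ($choice.ProgId -match $SuspectPattern)) {
            New-Object PSObject -Property @{
                Scope     = 'HKCU UserChoice'
                Extension = $_.PSChildName
                ProgId    = $choice.ProgId
                OpenCmd   = Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\$($choice.ProgId)\shell\open\command"
            }
        }
    }

Write-Output "== Autostart entries (Run / RunOnce); Suspicious=True where the command matches '$SuspectPattern' =="

# Everything listed here is launched at logon, which is why the post singles these keys out.
$autostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $autostartKeys) {
    $entries = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $entries) { continue }
    foreach ($prop in $entries.PSObject.Properties) {
        if ($psNoise -contains $prop.Name) { continue }
        New-Object PSObject -Property @{
            Key        = $key
            Name       = $prop.Name
            Command    = $prop.Value
            Suspicious = [bool]($prop.Value -match $SuspectPattern)
        }
    }
}
```

The script only reads the registry, so it is safe to run before deciding anything; run it from an elevated PowerShell prompt so HKLM is fully readable. For each association it reports, the fix is to restore the extension's default value to its original ProgId (for example jpegfile for .jpg) rather than deleting the extension key, and for each flagged autostart entry, to confirm the referenced file is the unwanted software before removing the value.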



posted on Dec, 12 2014 @ 09:09 AM
I am all for people doing what they can to fix their own computer, but there is a time to take it to someone who knows what they're doing. When my vehicle needs work above my knowledge, I take it to a good mechanic. I don't keep fiddling with it until I break something else, or worse.

Several times a year, people bring me computers that have been worked on by the family "guru". By the time the guru has finished listening to every bit of advice they get online and messing with things they know nothing about, it usually costs these people 3 times or more what they could have gotten it fixed for if they had taken it to a good tech to begin with. (NOT the Geek Squad)

Do yourself a favor, and let a good tech clean that machine up properly, and you'll save yourself some headaches.



posted on Dec, 12 2014 @ 03:31 PM

originally posted by: Klassified
Do yourself a favor, and let a good tech clean that machine up properly, and you'll save yourself some headaches.

And an opportunity to learn something new.

