
windows explorer options - hidden files doesn't work


  • This topic is locked
45 replies to this topic

#1 JhonnyK69


  • Members
  • 18 posts

Posted 29 March 2011 - 07:09 PM

Hi, I have WinXP SP3 on my Vaio. I had some viruses, downloaded Kaspersky and they're gone, but I think I still have malware or something. I go to Windows Explorer, Tools, File Options, View, Hidden files and folders, activating show all files, but when I click on OK, I still can't see hidden files. So, I installed HijackThis and got a file.log to send, hoping someone with more expertise can help me.

Greetings and thanks a lot.



#2 Blind Faith


  • Malware Response Team
  • 4,101 posts
  • Gender:Female

Posted 05 April 2011 - 10:39 AM

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log




Elle

If I haven't replied in 48 hours, please feel free to send me a PM.




#3 Casey_boy


    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK

Posted 15 April 2011 - 05:12 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#4 Casey_boy


    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK

Posted 06 May 2011 - 10:46 AM

This topic has been re-opened at the request of the person who originally posted.



#5 sempai


    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 08 May 2011 - 07:01 AM

Hello JhonnyK69 and welcome to BC. :)

Please update me with the current status of the computer, state any problem and issues.


We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I haven't replied within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#6 JhonnyK69

  • Topic Starter

  • Members
  • 18 posts

Posted 12 May 2011 - 09:42 AM

Hi, I have WinXP SP3 on my Vaio. I had some viruses, downloaded Kaspersky and they're gone, but I think I still
have malware or something.

I go to Windows Explorer, Tools, File Options, View, Hidden files and folders, activating show all files,
but when I click on OK, I still can't see hidden files.

So, I installed HijackThis and got a file.log to send, hoping someone with more expertise can help me.

I also tried CCleaner and Spybot Search & Destroy....

I sent you the mail with the files earlier, but I couldn't return the mail with the things you told me to do,
but there you go.....



Later, some friend told me to install mata virus amvo, and this certainly erased something and now I am able
to see hidden files, but I still have problems.

1. When I start Windows, there are 2 identical windows opened (with Notepad), called desktop.ini, with the message:
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

2. I am not able to burn CDs/DVDs, or copy them. I have Nero.

3. When I insert a DVD in the DVD reader, if it's a movie, it doesn't start immediately; I have to start it manually.

4. I have a new DVD unit (I think it's a virus or something because I haven't created any new one), and it's
called K Unit.

5. When I'm on the internet, after some time, the whole computer degrades and I have to reinitiate.



I don't know what else I have, but I think it is some virus or malware or something....


I tried to run the DDS (with success) and the GMER (without success) that BLIND_FAITH (Elle) suggested to me, but
the GMER starts to run, and later the computer gets blocked and shows the famous Windows BLUE SCREEN error with white
characters....

So, i have only the start of the file GMER.log...


Now I'm sending you this message with the things you told me to do, so I hope it will be all in order for
you guys to help me.

I'm attaching the files Attach.txt and DDS.TXT generated by DDS, GMER_LOG20110510.log generated by GMER (until I stopped it
before it ended in a crash) and finally the OTL.txt and EXTRAS.txt you need.



Greetings and thanks a lot.




#7 sempai


    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 13 May 2011 - 05:16 AM

Hi,

Please do not attach logs unless instructed.


1. We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy



2. Please run the MGA Diagnostic Tool and post back the report it creates:
  • Download MGADiag to your desktop.
  • Double-click on MGADiag.exe to launch the program (Run as Administrator for Windows Vista/7).
  • Click "Continue"
  • Ensure that the "Windows" tab is selected (it should be by default).
  • Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
  • Paste the MGA Diagnostic Report back here in your next reply.

~Semp



#8 JhonnyK69

  • Topic Starter

  • Members
  • 18 posts

Posted 13 May 2011 - 08:46 AM

Thanks Sempai.


Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-JRJVP-C362R-C28HJ
Windows Product Key Hash: hcWcYNXp/lkXWVXRBh+0v8EmkMk=
Windows Product ID: 55274-640-8550395-23432
Windows Product ID Type: 1
Windows License Type: Volume
Windows OS version: 5.1.2600.2.00010100.3.0.pro
ID: {B098BCD9-18EF-4F99-A470-786134888E20}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.7.18.7
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1_E2AD56EA-765-b063_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-8009_E2AD56EA-766-2efd_E2AD56EA-148-80004005_16E0B333-89-80004005
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: 0
File Exists: Yes
Version: 1.7.18.7
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 103 Blocked VLK
Microsoft Office Project Professional 2003 - 100 Genuine
Microsoft Office Enterprise 2007 - 103 Blocked VLK
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-604-645_025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
Default Browser: C:\Archivos de programa\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details:

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 1FF90:Sony Corporation|1FF90:Sony Corporation ITCNC
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A

#9 sempai


    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 13 May 2011 - 09:37 AM

The MGADiag shows that you're using an illegal copy of Microsoft Office Enterprise 2007. Is this the reason why you added 127.0.0.1 mpa.one.microsoft.com to the computer's Hosts file?


1. Please download Artellos's WVCheck.
  • Double click WVCheck.exe. (Run as Administrator for Windows Vista/7)
  • As indicated by the prompt, this program can take a while depending on your hard drive space.
  • Once the program is done, copy the contents of the notepad file as a reply.


2. Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scan/Fixes text box.

    :OTL
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O4 - HKLM..\Run: [IP surveillance] File not found
    O4 - HKLM..\Run: [KernelFaultCheck] File not found
    O4 - HKU\S-1-5-21-1801674531-1935655697-725345543-1007..\Run: [PowerBar] File not found
    O33 - MountPoints2\{2f7b4a36-932b-11dd-b470-0019d2318c8e}\Shell\AutoRun\command - "" = n6j6pc0.com
    O33 - MountPoints2\{2f7b4a36-932b-11dd-b470-0019d2318c8e}\Shell\explore\Command - "" = n6j6pc0.com
    O33 - MountPoints2\{2f7b4a36-932b-11dd-b470-0019d2318c8e}\Shell\open\Command - "" = n6j6pc0.com
    O33 - MountPoints2\{9c42688a-f2c2-11dd-9e1e-0019d2318c8e}\Shell\AutoRun\command - "" = sjnwsn.exe
    O33 - MountPoints2\{9c42688a-f2c2-11dd-9e1e-0019d2318c8e}\Shell\explore\Command - "" = sjnwsn.exe
    O33 - MountPoints2\{9c42688a-f2c2-11dd-9e1e-0019d2318c8e}\Shell\open\Command - "" = sjnwsn.exe
    O33 - MountPoints2\{e6fa5b9b-900c-11dd-a994-0019d2318c8e}\Shell\AutoRun\command - "" = RECYCLER\S-1-6-21-6129016431-0312943124-490191164-4243\fileview.exe
    O33 - MountPoints2\{e6fa5b9b-900c-11dd-a994-0019d2318c8e}\Shell\open\command - "" = RECYCLER\S-1-6-21-6129016431-0312943124-490191164-4243\fileview.exe
    
    :Commands
    [CREATERESTOREPOINT] 
    
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • A message box "Fix complete! Click OK to open the fix log." will pop up.
  • Click the OK button and a report will open.
  • Copy and Paste that report in your next reply.

Edited by sempai, 13 May 2011 - 09:39 AM.

~Semp

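The O33 lines in the fix above are OTL's view of HKCU\...\Explorer\MountPoints2, where Windows remembers per-volume shell verbs; the three entries point AutoRun, open and explore at a file on the removable drive, so inserting or double-clicking the drive launches it. As an added example (my own code, not OTL's or the thread's), this Python parser reads such O33 lines, groups them by volume GUID, and lists the reasons each entry looks like an autorun hijack; the function names are my own, the sample input is the O33 lines from this post plus one constructed clean line.

```python
import re
from collections import defaultdict

# Sample input: the O33 lines from the OTL fix above, plus one constructed clean
# entry (all-zero GUID, empty command) to show what a harmless record looks like.
SAMPLE_O33 = r"""
O33 - MountPoints2\{2f7b4a36-932b-11dd-b470-0019d2318c8e}\Shell\AutoRun\command - "" = n6j6pc0.com
O33 - MountPoints2\{2f7b4a36-932b-11dd-b470-0019d2318c8e}\Shell\explore\Command - "" = n6j6pc0.com
O33 - MountPoints2\{2f7b4a36-932b-11dd-b470-0019d2318c8e}\Shell\open\Command - "" = n6j6pc0.com
O33 - MountPoints2\{9c42688a-f2c2-11dd-9e1e-0019d2318c8e}\Shell\AutoRun\command - "" = sjnwsn.exe
O33 - MountPoints2\{9c42688a-f2c2-11dd-9e1e-0019d2318c8e}\Shell\explore\Command - "" = sjnwsn.exe
O33 - MountPoints2\{9c42688a-f2c2-11dd-9e1e-0019d2318c8e}\Shell\open\Command - "" = sjnwsn.exe
O33 - MountPoints2\{e6fa5b9b-900c-11dd-a994-0019d2318c8e}\Shell\AutoRun\command - "" = RECYCLER\S-1-6-21-6129016431-0312943124-490191164-4243\fileview.exe
O33 - MountPoints2\{e6fa5b9b-900c-11dd-a994-0019d2318c8e}\Shell\open\command - "" = RECYCLER\S-1-6-21-6129016431-0312943124-490191164-4243\fileview.exe
O33 - MountPoints2\{00000000-0000-0000-0000-000000000000}\Shell\AutoRun\command - "" =
"""

# One OTL O33 line: volume GUID, shell verb (AutoRun/open/explore, case varies), command.
O33_RE = re.compile(
    r'^O33 - MountPoints2\\\{(?P<guid>[0-9a-f-]{36})\}\\Shell\\(?P<verb>\w+)\\command - "" =\s*(?P<cmd>.*)$',
    re.IGNORECASE,
)


def parse_o33(text):
    """Map volume GUID -> {shell verb: command} from OTL O33 lines."""
    volumes = defaultdict(dict)
    for line in text.splitlines():
        m = O33_RE.match(line.strip())
        if m:
            volumes[m["guid"].lower()][m["verb"].lower()] = m["cmd"].strip()
    return dict(volumes)


def assess_volume(verbs):
    """Return the reasons one MountPoints2 record looks hijacked (empty list = clean)."""
    reasons = []
    cmds = {c for c in verbs.values() if c}
    if not cmds:
        return reasons                      # verbs present but no command: nothing runs
    if "autorun" in verbs:
        reasons.append("AutoRun verb set: Windows can run it via AutoPlay or as the drive's default action")
    if {"open", "explore"} & set(verbs):
        reasons.append("open/explore verbs redirected: double-clicking the drive runs the payload")
    if len(cmds) == 1 and len(verbs) > 1:
        reasons.append("every verb points at the same file (typical USB-worm pattern)")
    if any(c.lower().startswith("recycler\\") for c in cmds):
        reasons.append("payload hidden under a RECYCLER\\<SID> folder")
    return reasons


def hijacked_volumes(text):
    """Return {guid: (sorted commands, reasons)} for records worth cleaning."""
    hits = {}
    for guid, verbs in parse_o33(text).items():
        reasons = assess_volume(verbs)
        if reasons:
            hits[guid] = (sorted({c for c in verbs.values() if c}), reasons)
    return hits


if __name__ == "__main__":
    for guid, (cmds, reasons) in hijacked_volumes(SAMPLE_O33).items():
        print(guid, cmds)
        for r in reasons:
            print("   -", r)
```

Removing the MountPoints2 key, as the OTL fix does, only clears the cached verbs; the files named in the commands still have to be dealt with on the drive itself.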


#10 JhonnyK69

  • Topic Starter

  • Members
  • 18 posts

Posted 13 May 2011 - 02:06 PM

Hi Sempai, thanks.

I really don't know how to add any IP address to a hosts file. I'm sorry. What does 127.0.0.1 mpa.one.microsoft.com mean? What is the hosts file?

This is the result of the WVCheck:



Windows Validation Check
Version: 1.9.12.5
Log Created On: 1355_13-05-2011
-----------------------

Windows Information
-----------------------
Windows Version: Windows XP Service Pack 3
Windows Mode: Normal
Systemroot Path: C:\WINDOWS

WVCheck's Auto Update Check
-----------------------
Auto-Update Option: Do not download or install updates automatically.
-----------------------
Last Success Time for Update Detection: 2008-07-30 02:20:17
Last Success Time for Update Download: 2008-07-21 01:41:49
Last Success Time for Update Installation: 2008-07-25 00:53:41


WVCheck's Registry Check Check
-----------------------
Antiwpa: Not Found
-----------------------
Chew7Hale: Not Found
-----------------------


WVCheck's File Dump
-----------------------
WVCheck found no known bad files.


WVCheck's Dir Dump
-----------------------
WVCheck found no known bad directories.


WVCheck's Missing File Check
-----------------------
WVCheck found no missing Windows files.


WVCheck's HOSTS File Check
-----------------------
Line: 127.0.0.1 mpa.one.microsoft.com
Matched: *microsoft.com*
-----------------------


WVCheck's MD5 Check
EXPERIMENTAL!!
-----------------------
user32.dll - da8898129e0075c7de4dee457514a73c


-------- End of File, program close at 1355_13-05-2011 --------







And this is the result of the OTL Run/Fix:

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\IP surveillance deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1801674531-1935655697-725345543-1007\Software\Microsoft\Windows\CurrentVersion\Run\\PowerBar deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2f7b4a36-932b-11dd-b470-0019d2318c8e}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2f7b4a36-932b-11dd-b470-0019d2318c8e}\ not found.
File n6j6pc0.com not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2f7b4a36-932b-11dd-b470-0019d2318c8e}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2f7b4a36-932b-11dd-b470-0019d2318c8e}\ not found.
File n6j6pc0.com not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2f7b4a36-932b-11dd-b470-0019d2318c8e}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2f7b4a36-932b-11dd-b470-0019d2318c8e}\ not found.
File n6j6pc0.com not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9c42688a-f2c2-11dd-9e1e-0019d2318c8e}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9c42688a-f2c2-11dd-9e1e-0019d2318c8e}\ not found.
File sjnwsn.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9c42688a-f2c2-11dd-9e1e-0019d2318c8e}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9c42688a-f2c2-11dd-9e1e-0019d2318c8e}\ not found.
File sjnwsn.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9c42688a-f2c2-11dd-9e1e-0019d2318c8e}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9c42688a-f2c2-11dd-9e1e-0019d2318c8e}\ not found.
File sjnwsn.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e6fa5b9b-900c-11dd-a994-0019d2318c8e}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e6fa5b9b-900c-11dd-a994-0019d2318c8e}\ not found.
File C:\RECYCLER\S-1-6-21-6129016431-0312943124-490191164-4243\fileview.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e6fa5b9b-900c-11dd-a994-0019d2318c8e}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e6fa5b9b-900c-11dd-a994-0019d2318c8e}\ not found.
File C:\RECYCLER\S-1-6-21-6129016431-0312943124-490191164-4243\fileview.exe not found.
========== COMMANDS ==========
Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.22.3 log created on 05132011_135753


Thanks again for your help.

#11 sempai


    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 14 May 2011 - 12:18 AM

What does 127.0.0.1 mpa.one.microsoft.com mean?

127.0.0.1 is the loopback address, also referred to as "localhost" (your own computer). This means that when the computer tries to connect to mpa.one.microsoft.com, it is immediately looped back to your own machine.


what is the host file?

http://en.wikipedia.org/wiki/Hosts_%28file%29


Is this an office or personal computer? Did you configure it to use a proxy?


Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scan/Fixes text box.

    :Commands
    [EMPTYTEMP] 
    [RESETHOSTS]
    
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • A message box "Fix complete! Click OK to open the fix log." will pop up.
  • Click the OK button and a report will open.
  • Copy and Paste that report in your next reply.

~Semp

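As an added illustration of the hosts-file check WVCheck ran earlier in the thread (my own code, not WVCheck's or the thread's), this Python function parses a Windows HOSTS file and flags watchlisted hostnames: "sinkhole" when they are mapped to loopback or 0.0.0.0, which is exactly why a lookup of mpa.one.microsoft.com never leaves the machine, and "redirect" when they are pointed at some other address. The sample file and the function names are constructed; the pattern `*microsoft.com*` is the one WVCheck matched, the second watchlist pattern is an assumption.

```python
import fnmatch
import ipaddress

# Constructed sample HOSTS file; line 7 is the entry WVCheck reported in this thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
::1             localhost
127.0.0.1 mpa.one.microsoft.com
0.0.0.0   ads.example.invalid   # constructed ad-block entry, not on the watchlist
"""

# Addresses that swallow a connection on the local machine (loopback or "null" routes).
SINKHOLE_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "0.0.0.0/32", "::1/128", "::/128")]

# "*microsoft.com*" is the pattern WVCheck matched; the second pattern is an assumption.
WATCHLIST = ("*microsoft.com*", "*windowsupdate.com*")


def parse_hosts(text):
    """Return (address, hostname, line_no) tuples, ignoring comments and blank lines."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed line, not a mapping
        for name in fields[1:]:                   # one address may carry several names
            entries.append((addr, name.lower(), line_no))
    return entries


def is_sinkhole(addr):
    """True if the address routes the connection back to this machine or nowhere."""
    return any(addr in net for net in SINKHOLE_NETS)


def check_hosts(text, watchlist=WATCHLIST):
    """Flag watchlisted hostnames: 'sinkhole' if mapped to loopback/null, else 'redirect'."""
    findings = []
    for addr, name, line_no in parse_hosts(text):
        if name in ("localhost", "localhost.localdomain"):
            continue                              # the legitimate loopback entries
        for pattern in watchlist:
            if fnmatch.fnmatch(name, pattern):
                kind = "sinkhole" if is_sinkhole(addr) else "redirect"
                findings.append({"line": line_no, "ip": str(addr), "host": name,
                                 "matched": pattern, "kind": kind})
                break
    return findings


if __name__ == "__main__":
    for f in check_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['ip']} {f['host']} ({f['kind']}, matched {f['matched']})")
```

Resetting the HOSTS file, as the [RESETHOSTS] command in the fix does, removes both kinds of entry; a "redirect" finding is the more dangerous one because traffic for a trusted name then reaches a host the user never chose.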


#12 JhonnyK69

  • Topic Starter

  • Members
  • 18 posts

Posted 16 May 2011 - 01:10 PM

Hi Semp, thanks for your help.

This is my personal computer, and I use it at home, but I use it when I'm working too, so sometimes I have to connect there if I need internet, and also if I need to connect to their database (I work with Oracle).

That's why I sometimes have to configure the access via proxy, but when work is finished, I leave it as it was initially.

Here is the log:


All processes killed
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Ana Milena
->Temp folder emptied: 18319888 bytes
->Temporary Internet Files folder emptied: 11703370 bytes
->Java cache emptied: 96305 bytes
->Flash cache emptied: 2015789 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41 bytes

User: JuanK
->Temp folder emptied: 116336245 bytes
->Temporary Internet Files folder emptied: 69134682 bytes
->Java cache emptied: 5289426 bytes
->Flash cache emptied: 53130 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 10996144 bytes

User: LogMeInRemoteUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 45576233 bytes

User: vaio
->Temp folder emptied: 18071399 bytes
->Temporary Internet Files folder emptied: 7474046 bytes
->Java cache emptied: 22698 bytes
->Flash cache emptied: 3411 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2153794 bytes
%systemroot%\System32 .tmp files removed: 2833245 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3355230 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 299.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.22.3 log created on 05162011_111436

Files\Folders moved on Reboot...
C:\Documents and Settings\JuanK\Configuración local\Archivos temporales de Internet\Content.IE5\3UE9U3Q3\like[10].htm moved successfully.
C:\Documents and Settings\JuanK\Configuración local\Archivos temporales de Internet\Content.IE5\3UE9U3Q3\like[11].htm moved successfully.
C:\Documents and Settings\JuanK\Configuración local\Archivos temporales de Internet\Content.IE5\3UE9U3Q3\like[9].htm moved successfully.
C:\Documents and Settings\JuanK\Configuración local\Archivos temporales de Internet\Content.IE5\3UE9U3Q3\topbuttons[1].xml moved successfully.
C:\Documents and Settings\JuanK\Configuración local\Archivos temporales de Internet\Content.IE5\3UE9U3Q3\videoFrame[1].htm moved successfully.
C:\Documents and Settings\JuanK\Configuración local\Archivos temporales de Internet\Content.IE5\3JMCVNEL\7def061f-cc2c-49e3-80e6-157058d61b04[1].flv moved successfully.
C:\Documents and Settings\JuanK\Configuración local\Archivos temporales de Internet\Content.IE5\3JMCVNEL\ADSAdClient31[7].htm moved successfully.
C:\Documents and Settings\JuanK\Configuración local\Archivos temporales de Internet\Content.IE5\3JMCVNEL\FontSiteSans-Black-webfont_1289602250[1].eot moved successfully.
C:\Documents and Settings\JuanK\Configuración local\Archivos temporales de Internet\Content.IE5\3JMCVNEL\FontSiteSans-BlackCd-webfont_1289602250[1].eot moved successfully.
C:\Documents and Settings\JuanK\Configuración local\Archivos temporales de Internet\Content.IE5\3JMCVNEL\FontSiteSans-BoldCd-webfont_1289602250[1].eot moved successfully.
C:\Documents and Settings\JuanK\Configuración local\Archivos temporales de Internet\Content.IE5\3JMCVNEL\FontSiteSans-Cond-webfont_1289602250[1].eot moved successfully.
C:\Documents and Settings\JuanK\Configuración local\Archivos temporales de Internet\Content.IE5\3JMCVNEL\like[2].htm moved successfully.
C:\Documents and Settings\JuanK\Configuración local\Archivos temporales de Internet\Content.IE5\3JMCVNEL\like[3].htm moved successfully.
C:\Documents and Settings\JuanK\Configuración local\Archivos temporales de Internet\Content.IE5\3JMCVNEL\tt[1].htm moved successfully.
C:\Documents and Settings\JuanK\Configuración local\Archivos temporales de Internet\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat moved successfully.

Registry entries deleted on Reboot...



Thanks.

#13 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:03:32 PM

Posted 17 May 2011 - 07:35 AM

Download Combofix_N (by Subs) from the link below but rename it to ENG_LANG.exe before saving and make sure that you save it to your desktop.

Link

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.

  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.

Posted Image


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:

  • Leave your computer alone while ComboFix is running.
  • ComboFix will restart your computer if malware is found; allow it to do so.
  • ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  • Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.
  • ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


Edited by sempai, 17 May 2011 - 07:36 AM.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#14 JhonnyK69

JhonnyK69
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 17 May 2011 - 03:34 PM

Hi Sempai.

Thank you very much for your kind help.

Here I post the log.

Hope it helps.

JK.

Attached Files



#15 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:03:32 PM

Posted 19 May 2011 - 07:32 AM

Please do not attach logs unless instructed.


We need to execute a ComboFix script.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy-paste the text in the code box below into it:

KillAll::

File::
c:\windows\system32\03.tmp 
c:\windows\system32\03.tmp 
c:\windows\system32\03.tmp 

NetSvc::
hkdrpqhyz
kcxabpz
bmcvhbyd
rjapq
yznwwpivc

Driver::
ibpvqbnjt
rmlopww
xqqxlt

4. Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


~Semp

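As an added example (not ComboFix's own code and not something from this thread), here is a small Python parser for the section layout of the CFScript above: headers end in "::" and the lines under each header are its entries. It also lists the registry keys under which the named services and drivers can be checked (ImagePath, Start, Type) before a fix is run; the Services key path is standard Windows, and the sample script and helper names are constructed for this example.

```python
from collections import OrderedDict

# Constructed sample: the CFScript from the post above, including the
# File:: entry that the post repeats three times.
SAMPLE_CFSCRIPT = """KillAll::

File::
c:\\windows\\system32\\03.tmp
c:\\windows\\system32\\03.tmp
c:\\windows\\system32\\03.tmp

NetSvc::
hkdrpqhyz
kcxabpz
bmcvhbyd
rjapq
yznwwpivc

Driver::
ibpvqbnjt
rmlopww
xqqxlt
"""

# Both services and kernel drivers are registered under this key on Windows.
SERVICES_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services"


def parse_cfscript(text):
    """Map each 'Name::' section to its de-duplicated list of entries.

    A header is a line ending in '::'; the non-blank lines that follow, up to
    the next header, are its entries. Surrounding whitespace is stripped and
    repeated entries within a section are dropped, keeping first-seen order.
    Only the text layout is handled here; what each directive does is up to
    ComboFix itself.
    """
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("entry before any section header: %r" % line)
        elif line not in sections[current]:
            sections[current].append(line)
    return sections


def registry_keys_to_review(sections):
    """Registry keys to inspect for every NetSvc:: and Driver:: entry."""
    names = sections.get("NetSvc", []) + sections.get("Driver", [])
    return [SERVICES_KEY + "\\" + n for n in names]
```

Running the parser over the sample collapses the three identical File:: lines into one and yields eight service keys to review.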




