
Google not working after a malware attack


15 replies to this topic

#1 ItielMaN (Members, 19 posts)

Posted 26 June 2013 - 04:17 AM

Hi there,

 

Recently I had some malware that I removed, but apparently not completely.

Google isn't working. ANY google site.

Same if I try to ping it.

On the same network on another PC, google works fine.

TDSSKiller claims ACPI.sys is forged. Didn't remove it. ACPI - detected ForgedFile.Multi.Generic (1)

 

Note: There are some IP's and DNS's configured in the settings, and these are OK.

 

DDS and attach are linked here.

 

Any help would be appreciated.

 

* And yeah, I know my PC hasn't had an antivirus for a long, long time.. Will install one after the issue is resolved.

 

Edit: Somehow I noticed Google Chrome was installed and google works normally from there. I've reset Internet Explorer and the issue remains.

 

Edit #2: Ah and before I even saw this forum (I've read the instruction not to run it), I ran Combofix so..

Here's the log:

ComboFix 13-06-25.01 - elad 06/26/2013  10:21:45.2.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1255.972.1037.18.2009.1482 [GMT 3:00]
Running from: c:\documents and settings\elad\שולחן העבודה\ComboFix.exe
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\AMMYY
c:\documents and settings\All Users\Application Data\AMMYY\hr
c:\documents and settings\All Users\Application Data\AMMYY\settings.bin
c:\windows\EventSystem.log
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_5790
-------\Service_5790
.
.
(((((((((((((((((((((((((   Files Created from 2013-05-26 to 2013-06-26  )))))))))))))))))))))))))))))))
.
.
2013-05-29 12:45 . 2013-05-29 12:46    --------    d-----w-    C:\שי גיל
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-04 11:50 . 2013-01-29 07:39    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{8fe28f46-37ad-47b2-8258-34c128636ace}"= "mscoree.dll" [2009-11-06 297808]
.
[HKEY_CLASSES_ROOT\clsid\{8fe28f46-37ad-47b2-8258-34c128636ace}]
[HKEY_CLASSES_ROOT\Agat.AGForms.Toolbar.AGFormsToolbar]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2012-11-12 15:41    92072    ----a-w-    c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 12:00    15360    ----a-w-    c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-06-01 08:14    173592    ----a-r-    c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-06-01 08:14    141336    ----a-r-    c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2010-01-27 10:22    63048    ----a-w-    c:\program files\LogMeIn\x86\LogMeInSystray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-06-01 08:14    142872    ----a-r-    c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-05-21 06:01    17881600    ----a-w-    c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"MDM"=2 (0x2)
"LogMeIn"=2 (0x2)
"LMIMaint"=2 (0x2)
"LMIGuardianSvc"=2 (0x2)
"idsvc"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"AdobeFlashPlayerUpdateSvc"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer_Service.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
.
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [27/01/2010 13:22 12856]
R2 TeamViewer7;TeamViewer 7;c:\program files\TeamViewer\Version7\TeamViewer_Service.exe [10/01/2012 14:25 2849120]
R3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [07/09/2011 16:48 59776]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [04/08/2010 15:49 1684736]
S3 GV600S;GV600S;c:\windows\system32\drivers\GV600S.sys [04/08/2010 16:08 72225]
S3 GV800V3;GV800V3;c:\windows\system32\drivers\GV800V3.sys [05/08/2010 15:53 59395]
S3 STCFUx32;STC DFU Driver;c:\windows\system32\drivers\STCFUx32.sys [13/11/2008 16:10 7680]
S4 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [07/11/2010 10:55 374704]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-24 12:41]
.
2013-06-26 c:\windows\Tasks\User_Feed_Synchronization-{62891610-55EC-416E-B5C1-5ADEE73EB901}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 01:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.il/
mStart Page = hxxp://home.sweetim.com/?crg=3.1010000.10039&st=12&barid={7EA74B49-B206-44F6-A9BE-7A4439DC37AF}
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
IE: &יצא ל- Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: Interfaces\{789F087C-588B-4019-8C84-A3CFA26F519C}: NameServer = 8.8.8.8,192.168.1.105,192.168.1.254
DPF: {3EA00DAB-812E-4894-A7D2-E9B0F80E94AE} - hxxps://join.bankhapoalim.co.il/reg/pk/cabs/arpkcom.cab
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-SweetIM - c:\program files\SweetIM\Messenger\SweetIM.exe
MSConfigStartUp-Sweetpacks Communicator - c:\program files\SweetIM\Communicator\SweetPacksUpdateManager.exe
AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe
AddRemove-כלכלית 1.1 - c:\documents and settings\All Users\שולחן העבודה\כלכלית\un_Calcalit 2.5_25937.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-26 10:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(2928)
c:\windows\system32\WININET.dll
c:\program files\TeamViewer\Version7\tv_w32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\program files\ARX\ARX CryptoKit\utils\ARcltsrv.exe
c:\program files\ARX\ARX CryptoKit\utils\arcltsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\TeamViewer\Version7\TeamViewer.exe
c:\windows\system32\wscntfy.exe
c:\program files\TeamViewer\Version7\tv_w32.exe
c:\program files\teamviewer\version7\TeamViewer_Desktop.exe
c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2013-06-26  10:29:20 - machine was rebooted
ComboFix-quarantined-files.txt  2013-06-26 07:29
ComboFix2.txt  2011-08-31 07:55
.
Pre-Run: 113,208,635,392 bytes free
Post-Run: 113,439,825,920 bytes free
.
- - End Of File - - 5C0DC6699C87B95EE01FC6633DB21407
8F558EB6672622401DA993E1E865C861
 


Edited by ItielMaN, 26 June 2013 - 01:59 PM.


#2 ItielMaN (Topic Starter)

Posted 26 June 2013 - 03:43 PM

Damn 4 pages+?!

Wow this forum is busy..

 

Bump.

 

BTW, forgot to mention: I'm also having advert pop-ups.


Edited by ItielMaN, 26 June 2013 - 03:43 PM.


#3 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 30 June 2013 - 08:49 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit

  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller.
===

    Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

    Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete tab follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
===

    Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

    Third party programs, if not up to date, can be the cause of an infection.

    Please run this security check for my review.

    Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

    Please paste the logs in your next reply, DO NOT ATTACH THEM
    Let me know what problem persists.


#4 ItielMaN (Topic Starter)

Posted 30 June 2013 - 02:58 PM

Thanks for the reply nasdaq!

 

First of all, I'd like to update that the main problem was solved by Malwarebytes Anti Rootkit.

ACPI.sys was infected & repaired.

BUT I still have one issue I'm worried about.

In My Computer, I can't see "User's Documents" and "Shared Documents"

 

RogueKiller Log:

RogueKiller V8.6.1 [Jun 29 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : hxxp://www.adlice.com/forum/
Website : hxxp://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : elad [Admin rights]
Mode : Remove -- Date : 06/30/2013 22:29:16
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[SERVICE][ROGUE ST] HKLM\[...]\CCSet\[...]\Services : 46972317 (C:\WINDOWS\system32\DRIVERS\46972317.sys [7]) -> DELETED
[SERVICE][ROGUE ST] HKLM\[...]\CS001\[...]\Services : 46972317 (C:\WINDOWS\system32\DRIVERS\46972317.sys [7]) -> [0x2] ‏‏למערכת אין אפשרות לאתר את הקובץ שצוין.
[SERVICE][ROGUE ST] HKLM\[...]\CS002\[...]\Services : 46972317 (C:\WINDOWS\system32\DRIVERS\46972317.sys [7]) -> DELETED
[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> REPLACED (0)
[HJ SECU] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG HD253GI +++++
--- User ---
[MBR] dd3848e9319cf96aabd3c195d53c0d92
[BSP] b7cb42b22dc882131a6a6f85b63be1e5 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 120001 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 245762370 | Size: 118471 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_06302013_222916.txt >>
RKreport[0]_S_06302013_222437.txt


 

AdwCleaner Log:

# AdwCleaner v2.303 - Logfile created 06/30/2013 at 22:31:54
# Updated 08/06/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : elad - ALICE-MIRI
# Boot Mode : Normal
# Running from : C:\Documents and Settings\elad\My Documents\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\WINDOWS\system32\conduitEngine.tmp
Folder Deleted : C:\Documents and Settings\Administrator\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\Administrator\Local Settings\Application Data\ConduitEngine
Folder Deleted : C:\Documents and Settings\Miri\Local Settings\Application Data\Conduit

***** [Registry] *****

Key Deleted : HKCU\Software\ConduitSearchScopes
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT1425416
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jcdgjdiieiljkfkdcloehkohchhpekkn
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ogccgbmabaphcakpiclgcnmcnimhokcj
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{953AA732-9AFB-49C9-84A4-7F96CA0A08DA}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{A0C9DF2B-89B5-4483-8983-18A68200F1B4}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{C3E85EE9-5892-4142-B537-BCEB3DAC4C3D}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{EA8FA6BE-29BE-4AF2-9352-841F83215EB0}
Key Deleted : HKLM\SOFTWARE\Software

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Google Chrome v27.0.1453.116

File : C:\Documents and Settings\elad\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [1934 octets] - [30/06/2013 22:31:54]

########## EOF - C:\AdwCleaner[S1].txt - [1994 octets] ##########
 

 

JRT did show up but it wasn't saved. I did see only 2-3 entries removed.

I think it happened because the other CMD window said "'This' is not recognized as an internal or external command" bla bla.

 

 

Now about Security Check.. that was funny. I got a notepad saying that "UNSUPPORTED OPERATING SYSTEM! ABORTED!". And my AVAST was disabled at the time.

Say what now?

 

Oh and I've searched the web for some time about the My Documents issue and everything didn't work.

 

 

Waiting for some instructions.



#5 ItielMaN (Topic Starter)

Posted 05 July 2013 - 08:54 AM

Bump.



#6 nasdaq (Malware Response Team)

Posted 05 July 2013 - 10:35 AM

Sorry about this delay.

Now about Security Check.. that was funny. I got a notepad saying that "UNSUPPORTED OPERATING SYSTEM! ABORTED!". And my AVAST was disabled at the time.

Restart the computer if not already done since your post. Run the Securitycheck program as an administrator.
If it does work please let me know. I have already informed the owner of the tool on this issue.
===

To make your files visible again, please download the following program to your desktop: Unhide.exe

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

This may take some time; please let it finish.

Keep me posted.
=====

#7 ItielMaN (Topic Starter)

Posted 06 July 2013 - 01:55 PM

1. Currently I don't have access to the PC, I'll probably do it tomorrow.

2. The Windows is Windows XP so no need to run as admin (the user is admin).

3. My files are visible, but in My Computer I can't see "User's Documents" and "Shared Documents". It's under "Files stored on this computer". Like this picture.

 

Thanks.



#8 nasdaq (Malware Response Team)

Posted 07 July 2013 - 07:03 AM

Thanks, run the Unhide tool and will take it from there.

#9 ItielMaN (Topic Starter)

Posted 08 July 2013 - 09:24 AM

Done, but I see no log in the desktop.

And I did run it from there.

 

Issue still occurs.

 

Thanks.



#10 nasdaq (Malware Response Team)

Posted 08 July 2013 - 10:16 AM

Let's see if you have some restrictions.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
    :reg
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#11 ItielMaN (Topic Starter)

Posted 08 July 2013 - 10:22 AM

SystemLook 30.07.11 by jpshortstuff
Log created at 18:17 on 08/07/2013 by elad
Administrator - Elevation successful
 
========== reg ==========
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ServerAdminUI"= 0x0000000000 (0)
"Hidden"= 0x0000000002 (2)
"ShowCompColor"= 0x0000000001 (1)
"HideFileExt"= 0x0000000001 (1)
"DontPrettyPath"= 0x0000000000 (0)
"ShowInfoTip"= 0x0000000001 (1)
"HideIcons"= 0x0000000000 (0)
"MapNetDrvBtn"= 0x0000000000 (0)
"WebView"= 0x0000000001 (1)
"Filter"= 0x0000000000 (0)
"SuperHidden"= 0x0000000000 (0)
"SeparateProcess"= 0x0000000000 (0)
"ListviewAlphaSelect"= 0x0000000001 (1)
"ListviewShadow"= 0x0000000001 (1)
"ListviewWatermark"= 0x0000000001 (1)
"TaskbarAnimations"= 0x0000000001 (1)
"StartMenuInit"= 0x0000000002 (2)
"StartButtonBalloonTip"= 0x0000000002 (2)
"Start_ShowNetPlaces_ShouldShow"= 0x0000000041 (65)
"DisableThumbnailCache"= 0x0000000000 (0)
"ShowSuperHidden"= 0x0000000000 (0)
"WebViewBarricade"= 0x0000000000 (0)
"FolderContentsInfoTip"= 0x0000000001 (1)
"FriendlyTree"= 0x0000000001 (1)
"ClassicViewState"= 0x0000000000 (0)
"NoNetCrawling"= 0x0000000000 (0)
"PersistBrowsers"= 0x0000000000 (0)
 
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"Type"="checkbox"
"Text"="@shell32.dll,-30508"
"WarningIfNotDefault"="@shell32.dll,-28964"
"HKeyRoot"= 0x0080000001 (-2147483647)
"RegPath"="Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
"ValueName"="ShowSuperHidden"
"CheckedValue"= 0x0000000000 (0)
"UncheckedValue"= 0x0000000001 (1)
"DefaultValue"= 0x0000000000 (0)
"HelpID"="shell.hlp#51103"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy]
 
 
-= EOF =-

 

 

Thanks for the quick reply!



#12 nasdaq (Malware Response Team)

Posted 08 July 2013 - 12:37 PM


I would also like the results of these registry entries.
Please execute this in the SystemLookUp.

:reg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN


#13 ItielMaN (Topic Starter)

Posted 08 July 2013 - 01:41 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 21:37 on 08/07/2013 by elad
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"CheckedValue"= 0x0000000001 (1)
"ValueName"="Hidden"
"DefaultValue"= 0x0000000002 (2)
"HKeyRoot"= 0x0080000001 (-2147483647)
"HelpID"="shell.hlp#51105"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
"RegPath"="Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
"Text"="@shell32.dll,-30501"
"Type"="radio"
"CheckedValue"= 0x0000000002 (2)
"ValueName"="Hidden"
"DefaultValue"= 0x0000000002 (2)
"HKeyRoot"= 0x0080000001 (-2147483647)
"HelpID"="shell.hlp#51104"


-= EOF =-



#14 nasdaq (Malware Response Team)

Posted 09 July 2013 - 07:20 AM

To me the registry settings are correct.

I can only suggest you start a new topic in the Windows XP forum
http://www.bleepingcomputer.com/forums/forum56.html

and see if some XP expert can help you.

Possibly rebuilding the registry setting by using a good XP computer and exporting the keys.

I do not have an XP computer to work with.
===

When all is well:

Time for some housekeeping
  • The following will implement some cleanup procedures as well as reset System Restore points:
  • Click Start > Run and copy/paste the following bold text into the Run box and click OK:
  • ComboFix /Uninstall
===

To remove AdwCleaner.

Please double click on AdwCleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

If you decide to keep the AdwCleaner tool make sure to delete your version and download the latest before running it.

Delete the other tools we used.
You can keep the DDS tool, as most forums will ask to see a log before suggesting a fix.
===
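An added check (example code written for this page, not part of the thread, of SystemLook or of any tool mentioned above): it parses the SystemLook `:reg` dumps from posts #11 and #13 and compares the three Folder Options definitions against the stock values they show, which is the comparison nasdaq did by eye. The clean sample is condensed from those two logs; the tampered variant is constructed and hypothetical.

```python
import re

# Added example (not from the thread or from SystemLook): parse the ":reg"
# output SystemLook prints and compare the Folder Options definitions with
# the stock Windows XP values shown in posts #11 and #13 of this thread.
ADV = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
FOLDER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder"
EXPECTED = {
    FOLDER + r"\Hidden\SHOWALL": {"Type": "radio", "ValueName": "Hidden", "RegPath": ADV,
                                  "CheckedValue": 1, "DefaultValue": 2},
    FOLDER + r"\Hidden\NOHIDDEN": {"Type": "radio", "ValueName": "Hidden", "RegPath": ADV,
                                   "CheckedValue": 2, "DefaultValue": 2},
    FOLDER + r"\SuperHidden": {"Type": "checkbox", "ValueName": "ShowSuperHidden", "RegPath": ADV,
                               "CheckedValue": 0, "UncheckedValue": 1, "DefaultValue": 0},
}
KEY_RE = re.compile(r"^\[(.+)\]$")
# Numeric lines look like  "Name"= 0x0000000001 (1)  and strings like  "Name"="text"
VAL_RE = re.compile(r'^"([^"]+)"=\s*(?:0x[0-9A-Fa-f]+ \((-?\d+)\)|"(.*)")$')

def parse_systemlook(text):
    """Return {key_path: {value_name: int or str}} from a SystemLook reg dump."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name, num, text_val = m.groups()
            keys[current][name] = int(num) if num is not None else text_val
    return keys

def audit_folder_options(keys):
    """Return (key, value_name, expected, actual) for each deviation from stock."""
    findings = []
    for key, expected in EXPECTED.items():
        actual = keys.get(key)
        if actual is None:
            findings.append((key, "*", "key present", "key missing"))
            continue
        for name, want in expected.items():
            if actual.get(name) != want:
                findings.append((key, name, want, actual.get(name)))
    return findings

# Constructed sample: SHOWALL and NOHIDDEN from post #13, SuperHidden from post #11.
CLEAN_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
"Type"="radio"
"CheckedValue"= 0x0000000001 (1)
"ValueName"="Hidden"
"DefaultValue"= 0x0000000002 (2)
"HKeyRoot"= 0x0080000001 (-2147483647)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
"RegPath"="Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
"Type"="radio"
"CheckedValue"= 0x0000000002 (2)
"ValueName"="Hidden"
"DefaultValue"= 0x0000000002 (2)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"Type"="checkbox"
"RegPath"="Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
"ValueName"="ShowSuperHidden"
"CheckedValue"= 0x0000000000 (0)
"UncheckedValue"= 0x0000000001 (1)
"DefaultValue"= 0x0000000000 (0)
"""
# Hypothetical tampered variant (constructed): SHOWALL's CheckedValue set to 0, so
# selecting "Show hidden files and folders" would write Hidden=0 instead of 1.
TAMPERED_LOG = CLEAN_LOG.replace('"CheckedValue"= 0x0000000001 (1)',
                                 '"CheckedValue"= 0x0000000000 (0)', 1)
```

Run `audit_folder_options(parse_systemlook(log_text))` on a real SystemLook.txt; an empty list means the definitions match the stock ones in this thread.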

#15 ItielMaN (Topic Starter)

Posted 09 July 2013 - 08:11 AM

Thanks for the help! :)

I'll copy this page's URL to a new thread I'll post in the Windows XP Forum.

 

You can lock here.

 

Thanks again.





