Hidden Files not available

Status
Not open for further replies.

PFJ

Greetings,

I think I've gone overboard with my anti-virus software and especially BCWipe. My OS is WINXPSP2 (Dell PC). I did have a problem with malware & viruses but using an A-bomb of AVS such as AVG & Ewido I captured most of the offenders. Using the threads supplied from RBS and others I used Spybot & Adware also - in the Safe Mode. But I think that I may have damaged my registries along the way when I wiped my Temp folders and index.dat files.

Now my desktop does not have the nice picture of the rolling hills and just above the PROGRAMS icon nothing is showing e.g. Netscape/Email.

I tried to select 'show hidden folders' and apply but it reverts back to the 'hidden folder' state. This makes it impossible for me to access the HJT file in programs in safe mode. Some time ago when I gave the PC a thorough cleaning with AV & Anti-malware I set a restore point. This is gone and it just has the present restore point available.

What have I erased? The PC came with the OS loaded so no CDs available. At one stage I couldn't get the PC to shut down but then I did a CHKDSK /F and though it is slow it did eventually shut down of its own accord.

Any ideas?

Best Regards

PFJ

'A little knowledge is a dangerous thing' as my Granny used to say.
 
Solution!!

Hi,

this problem developed on a family PC with several accounts but it was my own account which suffered the most. Whatever overkill I did was solved by deleting my own account; making sure that one of the other accounts has Admin status - this creates a folder with the to-be-deleted account's files on desktop.
Reboot into Safe mode and carried out the usual scans as per suggested on Techspot by RBS and others. Found 'MyWebSearch' using SpyBot.
This all started when my teenage sons accounts started to display unwanted pop-ups of 'Jamester' & 'lop.com'. Some of these pop-ups contained pornographic images with ads for viagra etc...
There is a thread within Techspot which mentions lop.com and suggests that the lop.com site will provide assistance on getting rid of this from your PC. However, when I followed the link provided I got the nasty pop-up and nothing about how to remove it!

I like the idea of 'try before you buy' with anti-virus software and of the myriad I tried I find Ewido very handy to operate. Simplicity of use should underline AV software because it is the newbies to the internet that usually get nuked and then go looking for recovery, firewall and AV software.


Regards
PFJ
 
In the long run it might be easier to get your kid(s) their own PC, at least YOUR data is much safer that way.

PS: I have a PC with Asus P2B-S SCSI mobo, 256MB RAM, Intel PIII-550, Floppy-drive, CD-ROM, 17" Dell CRT (black, almost new), keyboard, mouse, modem, Windows 2000/SP4 and MS Word. All yours for €300.- cash. €15.- extra for a network card.
I live just 2 minutes off the M50 in Dublin 18. If you are interested, PM me.

PS2: sorry I could not help you with your previous problem.
 
Hi RBS,

I have a company laptop on which I keep my more sensitive data & files but thanks for the offer.

Even if the kids game on the web, the family PC will still be vulnerable to hackers and malware/adware etc. I'll get the job of cleaning up the mess with the various AV on board. The firewall prohibits too much and the Norton version that came from esat BT with the router is annoying as it constantly pops up to ask whether or not to block sites that I have already told it were OK - like its own NAV trying to access the download site!

Just one last point on this thread and the problem of the 'hidden files..' that may interest you; I couldn't set the IE cache. It went as far as 10Mb but when I selected 'Apply' it reverted to zero.

Regards

PFJ
 
Hi,

here is my Hijackthis log as suggested by RBS. When I viewed the two user account folders that I deleted and were supposed to be placed on the Admin's desktop this evening there were no files contained within. I didn't mind my junk but my teenage son was not pleased to lose his music files which cost to download!

Again, something strange is happening to my new account. Could it be that all the AV and anti-malware I have is unable to catch & remove the source of the problem or is it that one of the AV programs is messing with my settings?

Anyway, perhaps the HJT log will throw some light on the problem.

I thank you in advance for viewing and a reply will warrant a prayer.
 

You still have a few trojans!
And you have a piece of useless rubbish: PCTools Spyware Doctor. Get rid of it.

Boot in Safe Mode, see how here.
Switch System restore OFF, see how here.
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

Next, open Windows Task Manager by pressing CTRL+ALT+DELETE.
Click the Processes tab, select the process (if there) and click End Process for:
64 tray.exe
ERTYDF.exe
barint.exe
dmlwb.exe

Next, click on Start/Run and type in (followed by press Enter):
regsvr32 /u C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
regsvr32 /u C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

Next, click Start/Control Panel/Add/Remove Programs. If there, UNinstall anything to do with:
C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (Spyware Doctor = RUBBISH)
C:\Documents and Settings\All Users\Application Data\bind debug sect dale\64 tray.exe

Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
...................................................................................................
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Sectdalebashcool] C:\Documents and Settings\All Users\Application Data\bind debug sect dale\64 tray.exe
O4 - HKLM\..\Run: [lpt] ERTYDF.exe
O4 - HKLM\..\Run: [DCC_send] barint.exe
O4 - HKLM\..\Run: [dmlwb.exe] C:\WINDOWS\System32\dmlwb.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
Fix ALL your O16 - DPF: entries
...................................................................................................
Now click on the Fix Checked button in HJT. Exit HJT.

When done, from between the above dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Rightclick IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
XP only: Delete ALL files from C:\WINDOWS\Prefetch.
Boot normal. When all OK, switch System Restore back on.
 
Hi RBS,

thanks for that...I'll have a go later on...after the gym and several of the best pints in Gorey.

Regards

PFJ
 
Hi all,

I've really done it this time...and I take full responsibility. After checking the items in the HJT file as suggested by RBS I went further than I should have in cleaning out temp files and index.dat files and the end result is my keyboard/keystrokes are inactive. I cannot type chkdsk /f into the RUN menu. The 'blue screen of death' appeared 3 times and in safe mode I cannot now access the hidden files.

When I select RUN and then a previously typed chkdsk /f and the DOS prompt appears it states the following "The type of file system is NTFS. Cannot lock current drive..Chkdsk cannot run because the volume is in use by another process..." It then asks would I like to schedule this volume to be checked the next time the system restarts? (Y/N) But I cannot get Y to appear for reasons stated above.

I do actually have a XP CD but when I insert this to see if there are 'Install/Repair/Modify' options it stops to tell me that the XP on the CD (XP 1a) is older than the one installed 'Build 2600 xpsp_sp2_gdr.050301-1519:Service Pack 1.'

A clue might be that before I lost the use of the keyboard (except the number lock causes the Num Lock LED to switch on/off) when I type an email address the @ was " and vice versa.

When I ran checks for spyware/malware etc Spybot found 'Pup' & 'Trojan.Delf' and Ewido found 29 infections. It's as if whatever I did unleashed the hounds of hell and the four horsemen of the apocalypse of viruses.

Please advise

Regards

PFJ
 
Hi RBS 'n' all TS,

I wrote a diatribe on the problem this morning and posted it but now I see that it never made it to the forum.

Your last suggestion may not be possible, as I have no control over the keyboard in any mode. I've ruled the keyboard out i.e. driver and hardware as it works in BIOS <>^ & enter/esc. I have a laptop (XP) on hand to assist if necessary.

I deleted SP2 and now it will accept my XP Home Edition but because my keyboard is not working I cannot enter the licence code.

I fear that I may have some bug still lurking within because when I tried to search techspot for further information I got beep.com (or something pornlike). I have also used RegistryFix which showed 366 errors which I cleaned up.

The following is a list of the strange happenings on the family PC:-

(1) blank page on 'user accounts' no access.
(2) external drives not present e.g. USB stick & Zip drive.
(3) no access to windowsupdate but can access any other site (even though I've placed it in my 'allow sites' list)
(4) PC freezes - especially during web searches
(5) I have limited access to function because the keyboard is not working but I can work around some things by using the 'insert'>'symbol'>copy & paste function in Word

Really stumped now - any more ideas or suggestion? I wouldn’t even mind a format at this stage but without a keyboard it could be awkward.

Regards

PFJ
 

Hi RBS,

here is my Hijackthis log.

Please advise

Regards

PFJ
 
See if you can borrow another keyboard or a USB-keyboard.
Your PS/2 port might be 'shot'.

You run Symantec/Norton, AVG, Jetico, Spybot, MS Antispyware, Ewido.
That looks like a lethal combination.
Get rid COMPLETELY of all that Symantec/Norton bloatware, resource-hogging, user-unfriendly, in-your-face crap!
(I could fill pages with more adjectives, but I assume you get the point!)
The others together do a more than adequate job!

Get rid of all those toolbars you have. These may look pretty, and have some nifty functionality, but they open the floodgates wide for any unwanted intruder, particularly those of the messenger-style communications. Half the time you don't know WHO made them or WHAT ELSE is in them.
Firefox includes most of these (browser toolbar) extras already, so there's no need for that extra IE ballast!
And STOP using that bleedin' Internet Explorer as well, other than for Windoze updates!

Physically disconnect your PC from the internet (dialup modem cable and/or RJ45 network cable).

Boot in Safe Mode, see how here.
Switch System restore OFF, see how here.
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.


Next, click Start/Control Panel/Add/Remove Programs. If there, UNinstall anything to do with:
C:\Program Files\ICQToolbar\toolbaru.dll
All Norton/Symantec programs
All Lifeupdate crap (+ anything else that belongs to Symantec as well)
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Free Download Manager\dlall.htm

Next, reboot in Safe Mode. <<<== I M P O R T A N T

Next, open Windows Task Manager by pressing CTRL+ALT+DELETE.
Click the Processes tab, select the process (if there) and click End Process for:
Realdownload.exe (this is a rogue, I think, being in the wrong directory!!)

Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
...................................................................................................
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/ie/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/ie/enu/gen/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://jump-subs.ea.com/SubscribeEntry.jsp?prodID=EASO2003&site=nh03&iPath=3&lkey=&
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm077
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing) <<==Spyware Dr leftover
O9 - Extra button: (no name) -{578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)

I doubt very much that this is your ISP: Inhoster, ul.Antonova 5, Kiev, 03186, Ukraine!
Fix all these O17 immediately!
O17 - HKLM\System\CCS\Services\Tcpip\..\{09610E36-75CD-4721-B6DE-104158C9FD0F}: NameServer = 195.95.218.18,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D1BC7B4-43C8-4FC0-A21B-AA9CFB235721}: NameServer = 195.95.218.18,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FFF3129-FFA4-4517-B8A3-8AA3AAD37A03}: NameServer = 195.95.218.18,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3541CB3-45FF-44B3-B08A-8959446D9920}: NameServer = 195.95.218.18,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2ACB621-CD3E-4531-9C1D-C1374D0622B0}: NameServer = 195.95.218.18,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{F87CF780-BCCC-4E76-A95E-5D8DCAB529DD}: NameServer = 195.95.218.18,85.255.112.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{09610E36-75CD-4721-B6DE-104158C9FD0F}: NameServer = 195.95.218.18,85.255.112.11

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Unknown owner - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe (file missing)
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
...................................................................................................
Now click on the Fix Checked button in HJT. Exit HJT.

When done, from between the above dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Rightclick IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
XP only: Delete ALL files from C:\WINDOWS\Prefetch.
Boot normal. When all OK, switch System Restore back on.
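
The O17 check from the post above, as an added example that is not part of the original thread: it parses HijackThis O17 lines and reports every NameServer value that is neither a private address nor on a caller-supplied allow-list. The function name, the `allowed` parameter and the one constructed sample line are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# HijackThis O17 line: "O17 - <registry key>: NameServer = ip[,ip...]"
O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): NameServer = (?P<servers>.+)$")

# Three O17 lines and one O4 line copied from the log in the post above.
# The last line is constructed (made-up GUID, private router address).
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O17 - HKLM\System\CCS\Services\Tcpip\..\{09610E36-75CD-4721-B6DE-104158C9FD0F}: NameServer = 195.95.218.18,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D1BC7B4-43C8-4FC0-A21B-AA9CFB235721}: NameServer = 195.95.218.18,85.255.112.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{09610E36-75CD-4721-B6DE-104158C9FD0F}: NameServer = 195.95.218.18,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.254
"""


def unexpected_resolvers(log_text, allowed=()):
    """Map each suspicious resolver to the registry keys that point at it.

    A resolver is suspicious when it is a public address that is not in
    `allowed` (the resolvers the ISP or the administrator really assigned),
    or when the value is not a valid IP address at all.
    """
    allowed_ips = {ipaddress.ip_address(a) for a in allowed}
    findings = defaultdict(set)
    for line in log_text.splitlines():
        match = O17_RE.match(line.strip())
        if not match:
            continue  # not an O17 NameServer entry
        # HJT shows the value as stored: comma- or space-separated.
        for token in re.split(r"[,\s]+", match["servers"].strip()):
            if not token:
                continue
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                findings[token].add(match["key"])  # malformed value
                continue
            if ip.is_private or ip in allowed_ips:
                continue  # LAN router or a resolver known to be legitimate
            findings[str(ip)].add(match["key"])
    return {ip: sorted(keys) for ip, keys in findings.items()}


if __name__ == "__main__":
    for resolver, keys in unexpected_resolvers(SAMPLE_LOG).items():
        print(f"{resolver}: set on {len(keys)} interface key(s)")
        for key in keys:
            print(f"    {key}")
```

The same public resolver pair set on every interface key, in both the current and a backup control set, is the pattern worth checking against what the ISP actually hands out.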
 
thanks again RBS,

as you can see my last post was from 1 am in the morning when I gave up. I couldn't type except using my clever word insert symbol and copy 'N' paste method.

The keyboard works enough to select the safe mode and enter for it to start - so hardware-wise I'm pretty sure that it's o.k.

These are just a few of the threats that were found by running ewido:
TrojanDownloader.Swizzer.bo
Trojan.DNSChanger.u
Trojan.Ants
TrojanDropper.Small.abs
TrojanDropper.Small.ri
CookieLiveperson
//mozilla.firefoxProfiles/opyhy294
Cookie.2o7
___________________
Spyware caught: Ghostsurf
____________________
AVG says that the following has changed:
user32.dll
shell32.dll
ntoskrnl.exe
______________________________
I have removed my sons messenger & other rubbish as you asked prior to the scans.
I have cleaned out all temp/temporary files/cookies & some large .DAT files in local settings on each account.
But again I may have deleted too much as I've now lost Admin account!

It's a pity that one work XP PC cannot give the breath of life to the other and restore at the push of a button - but I suppose that's what 'system restore' is for - before I banjacked that.

Regards

PFJ
 
Make a backup of your user-files you want to keep.

If you have another PC that has room for an extra HD, take the infected HD out and put it in the other one.
Then dis-infect from that other PC, but it would be better to fully format and install from scratch.
 
At this stage I wouldn't mind reformatting and re-installing the XP. I even got as far as entering the licence code but because the keyboard doesn't work I have no way of entering the codes. control>alt>delete doesn't work either.
Do you think that I should attempt anything without first getting the keyboard back on track?

The problem with the Admin account was solved during lunch time - a prompt appeared 'USER ENVIROMENT': Windows cannot load the locally stored profile. Possible cause...' It then created a temporary account.

I ran ewido again before dealing with your suggestions for the HJT file and yet another instance of intrusion: Spyware Cookie.Atdmt in Mozilla13:C\Documents & Settings\USERNAME\Application Data\Mozilla\Firefox\Profiles\3vjjuacg.default\cookies.txt

Again, thank you for your help so far.

Regards

PFJ
 
What are the exact specs of that PC?
Brand, model, how is keyboard/mouse attached (PS/2 or USB)
Any spare PCs in the house, other than laptop?
You have a hardware problem that needs to be sorted before you (can) tackle the infections.
From your log I'd say you have some PoS Dell. Still under warranty?
 
I've tried running the OS CD by pressing F12 and then enter but because something is stopping the keyboard from operating I can't press 'r' for restore or repair.

I have another idea - I think that I will try and use a PS/2 to USB adaptor. Maybe USB port will recognise the keyboard.

As for my PC I will attach some files that you may recognise & understand.

Regards

PFJ
 
As I thought, a Dell (Dimension 8300).
You're lucky in that you still have a parallel port and 2 PS/2 ports.
Currently Dell has managed to not even put these on the mobo anymore, CRAP!

Make sure that keyboard and mouse are inserted properly in the correct port.
Borrow a keyboard from a neighbour.
You can also try a PS/2-to-USB adapter as seen here: http://www.kinesis-ergo.com/usb-adap.htm

If you have a floppy drive, go to www.bootdisk.com and get their W98SE file to make a W98-bootdisk. Try to boot from it and see if the keyboard then works.
You'll see a prompt like A:\> and just type in dir and hit enter.
 
Hi RBS,

as said - I will try the USB option or buy that wireless/bluetooth keyboard I've been longing for. One that doesn't make that irritating noise these cheap Dells _ Jees, it really irritates me; especially when my colleague types on his in the quietness of our technical department. I'm determined to acquire a silencer for him - no not a gun with a silencer! I have many resources at my disposal in regards of hardware but not armaments.

_________________________________________________________

Eventually, I couldn't even get the PC to go into safe mode. It displayed a blue screen stating 'A problem has been detected and windows has been shut down to prevent damage to your computer. If this is the first time you've seen this STOP ERROR SCREEN...STOP:0X0000007B(0XF8C8D63C,0XC0000034,0X000000,0X000000).'

So I got an adaptor which allowed the two PS/2 devices i.e. the keyboard & mouse to plug into the USB socket. Now I had keyboard control at last. I inserted the XP CD and followed the instructions. The only part I wasn't too sure about was when it asked where to load the OS. FAT was highlighted but it had only 39MB available so I opted for the NTFS file system instead.

Now all is right with the world.

A special thanks to RBS for his contributions.

Regards

PFJ
 
If all else fails, you can always take a trip to South Dublin with your PC to get rid of it (by giving it to me for 'slaughtering').

For your other (noise) problem, we have 'friends' in the North...
 
Good one RBS :)

A couple of more hours hard grafting and I'm off to the fairways - albeit that the weather is not great. It'll be tomorrow before I tackle the Dell again.

Oh by the way - I can access hidden files now when scanning and running in Ewido safe mode affords me the choice to shut down running processes as I cannot do the usual way i.e. CNT>ALT>DEL.

Regards

PFJ
 