cant see hidden file [RESOLVED]


#31
allenchen
    Member, Topic Starter, 58 posts
Umm, I don't have my XP CD; we left it in Taiwan when we moved here to Brisbane.

#32
sage5
    RIP 10/2009
    Retired Staff, 2,646 posts
That is no problem, you can do this step with a borrowed one. It doesn't need to be the exact CD, as long as it is the correct version and Service Pack 2.
:)

#33
allenchen
    Member, Topic Starter, 58 posts
Oh right... I don't know who to borrow one off. I'll make a few calls and let you know by tomorrow.

#34
allenchen
    Member, Topic Starter, 58 posts
I can't get hold of one... is there any other way?


allen

#35
sage5
    RIP 10/2009
    Retired Staff, 2,646 posts
Hi allenchen,

Is your PC a "pre built" brand model from a supplier like Dell, HP etc?
If so, it may well have the XP installation files loaded on the hard drive.
Can you check whether you have a folder called I386?
Use the Search command:
  • Click Start\Search
  • in the left pane click All files and folders.
  • Type I386 into the File name box.
  • Click More advanced options & tick
    • Search system folders
    • Search hidden files and folders
    • Search subfolders
  • Click Search

Your search results will probably show a number of these folders.
The one you are looking for will be 400+ MB in size, with sub-folders called ASMS, SYSTEM32, COMPDATA, LANG, amongst others.

If you find such a folder, run the SFC command from the previous post & if/when asked for the CD, point the program to the I386 folder found.

Tell me how you get on.

Cheers,

sage5

#36
allenchen
    Member, Topic Starter, 58 posts
Hi sage5,

Sorry for the late reply.

This comp was custom built by a friend, but he's not here anymore.
:)
I can't find I386.

#37
sage5
    RIP 10/2009
    Retired Staff, 2,646 posts
Hi allenchen,

First make another backup of your registry using ERUNT, as before.

When that is done:

Make & run a new Reg file:
  • Please open a new Notepad file by clicking Start\All Programs\Accessories\Notepad
  • Copy the text from the following Code box by highlighting all the text, right-clicking and selecting Copy (or use the Ctrl+C keyboard shortcut).
    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden"=dword:00000001
    "SuperHidden"=dword:00000001
    "WebViewBarricade"=dword:00000000
    "ShowSuperHidden"=dword:00000001
  • Paste it into Notepad: right-click in the window and select Paste (or use Ctrl+V).
  • Save the file to the Desktop, make sure Type is All Files, and name it Fixreg.reg.
  • Double-click on the file created and click Yes when asked to merge the information into the Registry.

See if that fixes it. :)

Edited by sage5, 03 April 2008 - 06:15 PM.

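The .reg fix above can be checked before it is merged. The Python below is an added example, not part of the thread or of any tool mentioned in it: it parses the Registry Editor 5.00 format (keys, string and dword values, hex data with continuation lines, and the `-` delete markers) and compares the Explorer\Advanced values against what the Folder Options dialog expects. On XP, Hidden=1 means "Show hidden files and folders" and 2 means "Do not show"; ShowSuperHidden=1 also shows protected operating-system files. The script reads the text only and never touches a registry; the function names are mine. One caveat from experience rather than from the thread: when the radio button refuses to stay selected even after this fix, the usual cause is a tampered CheckedValue under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL (it should be a DWORD of 1), which this fix does not set; SHOWALL_EXPECTED in the script lets the same check cover that key.

```python
"""Parse a .reg fix file and verify the Explorer hidden-file values it sets.
Added example: it reads the .reg text only and never touches a registry."""
import re

# Fixreg.reg text from the post, embedded so the script runs stand-alone.
FIXREG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"SuperHidden"=dword:00000001
"WebViewBarricade"=dword:00000000
"ShowSuperHidden"=dword:00000001
"""

ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Values the fix must set.  Hidden: 1 = show hidden files, 2 = do not show.
# ShowSuperHidden: 1 = also show protected operating-system files.
EXPECTED = {
    (ADVANCED, "Hidden"): 1,
    (ADVANCED, "ShowSuperHidden"): 1,
    (ADVANCED, "SuperHidden"): 1,
    (ADVANCED, "WebViewBarricade"): 0,
}

# Not part of the thread's fix: the machine-wide template behind the "Show
# hidden files" radio button.  If CheckedValue is not a DWORD of 1 the
# option will not stay selected.  Merge into EXPECTED for a fuller check.
SHOWALL_EXPECTED = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
     r"\Advanced\Folder\Hidden\SHOWALL", "CheckedValue"): 1,
}

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _decode(raw):
    """Decode the right-hand side of a value line."""
    if raw == "-":                        # "name"=-  deletes the value
        return None
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex"):             # hex: or hex(N): comma-separated bytes
        data = raw.split(":", 1)[1]
        return bytes(int(b, 16) for b in data.split(",") if b.strip())
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])   # unescape \\ and \"
    raise ValueError("unknown value syntax: %r" % raw)


def parse_reg(text):
    """Return {key_path: {value_name: value}}; a deleted key maps to None."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in ("Windows Registry Editor Version 5.00", "REGEDIT4"):
        raise ValueError("not a .reg file: missing header line")
    result, key, i = {}, None, 1
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            if m.group(1) == "-":         # [-KEY] deletes the whole key
                result[m.group(2)], key = None, None
            else:
                key = m.group(2)
                result.setdefault(key, {})
            continue
        if key is None:
            raise ValueError("value outside a key at line %d" % i)
        m = _VALUE_RE.match(line)
        if not m:
            raise ValueError("unparseable line %d: %r" % (i, line))
        name = m.group(1) if m.group(1) is not None else ""   # "@" is the default value
        raw = m.group(2)
        while raw.endswith("\\") and i < len(lines):          # hex data continuation
            raw = raw[:-1] + lines[i].strip()
            i += 1
        result[key][name] = _decode(raw)
    return result


def _lookup(parsed, key, name):
    """Case-insensitive lookup, as the registry itself is."""
    for k, values in parsed.items():
        if values is not None and k.lower() == key.lower():
            for n, v in values.items():
                if n.lower() == name.lower():
                    return v
    return None


def check_hidden_files_fix(reg_text, expected=EXPECTED):
    """Return {(key, name): (wanted, found, ok)} for each expected value."""
    parsed = parse_reg(reg_text)
    return {(k, n): (want, _lookup(parsed, k, n), _lookup(parsed, k, n) == want)
            for (k, n), want in expected.items()}


def fix_is_complete(reg_text, expected=EXPECTED):
    return all(ok for _, _, ok in check_hidden_files_fix(reg_text, expected).values())
```

`check_hidden_files_fix(FIXREG)` reports every value as matching; feeding it a .reg that sets Hidden to 2 shows up as `(1, 2, False)`, which is the kind of mistake a hand-typed fix file tends to contain.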

#38
allenchen
    Member, Topic Starter, 58 posts
Hi sage5,
I did as you said but it still doesn't work; I still can't choose the see hidden files option.

allen

#39
sage5
    RIP 10/2009
    Retired Staff, 2,646 posts
Hi allenchen,

Please download the following & save to your Desktop:
ComboFix

Run ComboFix:
  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.
Log file will be C:\Combofix.txt

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#40
allenchen
    Member, Topic Starter, 58 posts
OK, here is log.txt:

ComboFix 08-04-03.5 - Allen 2008-04-04 22:44:36.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.1.1028.18.550 [GMT 10:00]
執行位置?: C:\Documents and Settings\Allen\桌面\ComboFix.exe
* 已建立新的還原點

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\CMMGR32.EXE

.
(((((((((((((((((((((((((((( 2008-03-04 - 2008-04-04 之間建立的檔案 )))))))))))))))))))))))))))))))))
.

2008-03-29 22:47 . 2008-03-29 22:47 268 --ah----- C:\sqmdata01.sqm
2008-03-29 22:47 . 2008-03-29 22:47 244 --ah----- C:\sqmnoopt01.sqm
2008-03-29 09:41 . 2008-03-29 09:41 268 --ah----- C:\sqmdata00.sqm
2008-03-29 09:41 . 2008-03-29 09:41 244 --ah----- C:\sqmnoopt00.sqm
2008-03-29 09:30 . 2008-03-29 09:30 <DIR> d-------- C:\Documents and Settings\Sarah\Application Data\Comodo
2008-03-25 22:35 . 2008-03-25 22:47 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-25 22:35 . 2008-03-25 22:47 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-25 22:35 . 2008-03-25 22:47 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-25 22:34 . 2008-03-25 22:51 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-25 21:49 . 2008-03-25 21:49 <DIR> d-------- C:\Documents and Settings\Agape\Application Data\SUPERAntiSpyware.com
2008-03-23 21:52 . 2008-03-23 21:52 139,008 --a------ C:\WINDOWS\system32\guard32.dll
2008-03-23 21:52 . 2008-03-28 11:12 85,752 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-03-23 21:52 . 2008-03-23 21:52 23,800 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-03-23 12:14 . 2008-03-23 12:14 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-23 12:14 . 2008-03-23 12:14 <DIR> d-------- C:\Documents and Settings\Allen\Application Data\Malwarebytes
2008-03-23 12:14 . 2008-03-23 12:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-23 11:53 . 2008-03-23 11:53 <DIR> d-------- C:\_OTMoveIt
2008-03-21 22:29 . 2008-03-23 21:52 <DIR> d-------- C:\Program Files\COMODO
2008-03-19 16:28 . 2008-03-19 16:31 <DIR> d-------- C:\RegSearch
2008-03-19 16:08 . 2008-03-19 16:08 <DIR> d-------- C:\Program Files\ERUNT
2008-03-18 17:38 . 2008-03-25 15:46 <DIR> d-------- C:\Documents and Settings\Agape\Application Data\Comodo
2008-03-17 10:59 . 2008-03-17 10:59 <DIR> d-------- C:\Documents and Settings\Allen\Application Data\Uniblue
2008-03-17 09:51 . 2008-03-23 21:52 <DIR> d-------- C:\Documents and Settings\Allen\Application Data\Comodo
2008-03-17 09:51 . 2008-03-23 22:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2008-03-17 09:48 . 2007-08-23 16:52 211 --a------ C:\boot.ini.comodofirewall
2008-03-16 22:01 . 2008-03-16 22:01 <DIR> d-------- C:\Deckard
2008-03-15 15:43 . 2008-03-15 15:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-12 07:53 . 2008-03-12 07:53 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-03-11 17:09 . 2008-03-11 17:09 <DIR> d-------- C:\Program Files\Avira
2008-03-11 17:09 . 2008-03-11 17:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-03-11 15:23 . 2008-03-11 15:31 139,264 --a------ C:\WINDOWS\War3Unin.exe
2008-03-11 15:23 . 2008-03-11 15:35 76,196 --a------ C:\WINDOWS\War3Unin.dat
2008-03-11 15:23 . 2008-03-11 15:31 2,829 --a------ C:\WINDOWS\War3Unin.pif
2008-03-11 12:51 . 2008-03-28 01:32 <DIR> d-------- C:\Program Files\Warcraft III
2008-03-11 12:43 . 2008-03-11 12:49 <DIR> d-------- C:\Warcraft III
2008-03-05 18:12 . 2008-03-05 18:12 <DIR> d-------- C:\Documents and Settings\Agape\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-02 04:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-28 01:21 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-03-25 11:51 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-18 11:53 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-03-15 05:43 --------- d-----w C:\Documents and Settings\Allen\Application Data\SUPERAntiSpyware.com
2008-03-12 01:29 --------- d-----w C:\Program Files\Yahoo!
2008-03-11 21:53 --------- d-----w C:\Program Files\Common Files\Real
2008-03-11 07:20 --------- d-----w C:\Program Files\Java
2008-03-07 02:05 --------- d-----w C:\Documents and Settings\Sarah\Application Data\Skype
2008-02-29 09:49 --------- d-----w C:\Documents and Settings\Agape\Application Data\DivX
2008-02-29 04:26 --------- d-----w C:\Documents and Settings\Allen\Application Data\DivX
2008-02-28 08:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-28 07:15 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-28 07:15 --------- d-----w C:\Program Files\Windows Live
2008-02-28 07:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-26 05:59 --------- d-----w C:\Program Files\DivX
2008-02-26 05:45 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-02-20 07:51 --------- d-----w C:\Documents and Settings\Allen\Application Data\Skype
2008-02-20 06:00 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-02-18 10:00 --------- d-----w C:\Program Files\The All-Seeing Eye
2008-02-10 00:07 --------- d-----w C:\Documents and Settings\Allen\Application Data\Hamachi
2008-02-06 23:41 --------- d-----w C:\Documents and Settings\Allen\Application Data\Command & Conquer 3 Tiberium Wars
2008-02-06 23:04 --------- d-----w C:\Program Files\Electronic Arts
.

(((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*注意* 空白或合法的登錄值將不會顯示

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"MSMSGS"="C:\Program Files\Messenger\Msmsgs.exe" [2004-10-14 02:24 1694208]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 22:00 208952]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-20 00:33 57344]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"tppoll"="C:\Program Files\Topro\tppoll.exe" [2006-09-10 19:03 24576]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-03-11 17:33 249896]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-12 07:53 180269]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-03-23 21:52 1503488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 22:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 09:01 437160]

C:\Documents and Settings\Allen\「開始」功能表\程式集\啟動\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo8"= VfWWDM32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\EA GAMES\\Need For Speed Underground\\Speed.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\WINDOWS\\system32\\tlntsvr.exe"=
"C:\\WINDOWS\\system32\\tftp.exe"=
"E:\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-03-28 11:12]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-03-23 21:52]
S3 DCamUSBIntel;USB Video Camera;C:\WINDOWS\system32\Drivers\TP6800.sys [2006-10-21 14:37]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{99ed47de-51d2-11dc-9684-00138f393f2a}]
\shell\verb1\command - desktop.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-04 22:49:22
Windows 5.1.2600 Service Pack 2 NTFS

掃描隱藏的程序...

掃描隱藏的進程...

掃描隱藏的檔案...

掃描完成
隱藏檔案?: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\guard32.dll
.
完成時間?: 2008-04-04 22:50:24
ComboFix-quarantined-files.txt 2008-04-04 12:50:06
13 個目錄 45,992,787,968 位元組可用
17 個目錄 45,980,143,616 位元組可用
.
2008-01-28 22:57:27 --- E O F ---



HijackThis log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 下午 10:54:21, on 2008/4/4
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Topro\tppoll.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\Msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\Program Files\COMODO\Firewall\cfp.exe
E:\hijackthis\HijackThis.exe

O1 - Hosts: 220.132.63.173 auth.lineage2.com.tw
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [tppoll] C:\Program Files\Topro\tppoll.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到AMV視頻轉換工具... - E:\amv\AMVConverter\grab.html
O8 - Extra context menu item: 添加到Media Manager工具... - E:\amv\MediaManager\grab.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1187860269398
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1188994942187
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory....ap/PhtPkMSN.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 8097 bytes
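A helper reading the two logs above looks for the same handful of things every time: host protections switched off, firewall exceptions for remote-access binaries, removable-drive autoruns and hosts-file overrides. The Python below is an added example written for this thread, not code from ComboFix, HijackThis or the forum; the sample lines are copied from the posted log, while the rules, severities and function names are mine. It reads the registry section of a ComboFix log plus HijackThis O1 lines. guard32.dll in AppInit_DLLs is reported as informational because the log shows it created in the same minute as the COMODO driver files; the telnet server and TFTP client authorised through a firewall that is itself disabled, the bare desktop.exe autorun on a removable drive, and a game login server pinned to a public address in the hosts file are the entries to ask the user about.

```python
"""Triage a ComboFix registry section and HijackThis lines for settings that
weaken the host and autoruns that deserve a second look.
Added example; sample lines are from the posted log, the rules are my own."""
import re

SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\WINDOWS\\system32\\tlntsvr.exe"=
"C:\\WINDOWS\\system32\\tftp.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{99ed47de-51d2-11dc-9684-00138f393f2a}]
\shell\verb1\command - desktop.exe

O1 - Hosts: 220.132.63.173 auth.lineage2.com.tw
"""

# Binaries that give remote access or file transfer; a firewall exception
# for them needs an explanation.  (Telnet server, TFTP client, NetMeeting
# desktop sharing.)  Watch-list is mine, not from any tool.
REMOTE_ACCESS_BINARIES = {"tlntsvr.exe", "tftp.exe", "rtcshare.exe"}
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

_KEY = re.compile(r"^\[(.+)\]$")
_VAL = re.compile(r'^"((?:[^"\\]|\\.)*)"\s*=\s*(.*)$')
_MOUNT = re.compile(r"^\\shell\\.*\\command\s*-\s*(.+)$", re.IGNORECASE)
_HOSTS = re.compile(r"^O1 - Hosts:\s*(\S+)\s+(\S+)")


def _number(raw):
    """'dword:00000001' or '0 (0x0)' -> int; anything else -> None."""
    raw = raw.strip()
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^\d+", raw)
    return int(m.group(0)) if m else None


def triage(log_text):
    """Return a list of (severity, category, detail) findings in log order."""
    findings, key = [], ""
    for line in log_text.splitlines():
        line = line.strip()
        m = _KEY.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = _HOSTS.match(line)
        if m:
            ip, host = m.groups()
            if ip not in LOOPBACK:                  # a redirect, not a block
                findings.append(("medium", "hosts-override", "%s pinned to %s" % (host, ip)))
            continue
        m = _MOUNT.match(line)
        if m and "mountpoints2" in key:
            cmd = m.group(1).strip()
            # A bare file name runs from the drive root of whatever is plugged
            # in; an absolute path at least says which volume it expects.
            sev = "medium" if re.match(r"^[A-Za-z]:\\", cmd) else "high"
            findings.append((sev, "drive-autorun", cmd))
            continue
        m = _VAL.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        lname = name.lower()
        if "security center\\monitoring" in key and lname == "disablemonitoring" and _number(raw) == 1:
            findings.append(("medium", "security-center-muted", key.rsplit("\\", 1)[-1]))
        elif "firewallpolicy\\standardprofile" in key and lname == "enablefirewall" and _number(raw) == 0:
            findings.append(("high", "firewall-disabled", key))
        elif key.endswith("authorizedapplications\\list"):
            exe = name.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()
            if exe in REMOTE_ACCESS_BINARIES:
                findings.append(("medium", "firewall-exception", exe))
        elif key.endswith("windows nt\\currentversion\\windows") and lname == "appinit_dlls" and raw.strip():
            findings.append(("info", "appinit-dll", raw.strip()))   # loads into every GUI process
    return findings


def count_by_severity(findings):
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, cat, detail in triage(SAMPLE_LOG):
        print("%-6s %-22s %s" % (sev, cat, detail))
```

On the sample the script yields two high findings (the firewall being off, and the bare desktop.exe autorun), six medium and one informational; LEXPPS.EXE and Skype in the exception list are not reported because they are not on the remote-access watch-list.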

#41
sage5
    RIP 10/2009
    Retired Staff, 2,646 posts
Hi allenchen,

Let's try a deeper dig with a different scanner.
Please download the following & save to your Desktop:
OTScanIt.exe

Install OTScanIt:
  • Double-click on OTScanIt.exe to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close any open browsers.
  • If your real-time protection or antivirus intervenes with OTScanIt, allow it to run.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Make sure that the Non Microsoft option is clicked in the Processes, Services, Drivers & Registry boxes.
  • Click Yes under Rootkit scan
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning large amounts of data so depending on your system it could take a while to complete.
  • When the scan is done Notepad will open with the report file loaded in it.
  • Save the file in the new OTScanIt folder as Scan1.txt
If the log is too large to post, use the Reply button, scroll down to the Attachments section and attach the Notepad file here.

#42
allenchen
    Member, Topic Starter, 58 posts
OK, I've uploaded it.

Attached Files



#43
sage5
    RIP 10/2009
    Retired Staff, 2,646 posts
Hi allenchen,

Run the Fix:
  • Open the OTScanIT folder on the Desktop
  • Run OTScanIt.exe.
  • Copy all the text in the Code box below, and Paste it into the pane under the GREEN bar, titled Paste fix here and then click the green Run Fix button.


    [Unregister Dlls]
    [Win32 Services - Non-Microsoft Only]
    NY -> (idsvc) Windows CardSpace [Win32_Shared | Unknown | Stopped] -> 
    [Registry - Non-Microsoft Only]
    < BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    < DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
    YN -> {83CEA883-896B-42D1-9054-F974E6D14FF4} -> ()
    YN -> {9311C667-E64F-4B22-8936-6DB997371CA4} -> ()
    [Files/Folders - Modified Within 30 days]
    NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
    NY -> 3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
    NY -> PSEXESVC.EXE -> %SystemRoot%\PSEXESVC.EXE
    NY -> 6 C:\Documents and Settings\Allen\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Allen\Local Settings\Temp\*.tmp
    [CatchMe Rootkit Scan by GMER]
    NY -> C:\Documents and Settings\Agape\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{EFEF9F50-4E59-FB39-F3FC-3C8FA2B4B65B}\01\10-{EFEF9F50-4E59-FB39-F3FC-3C8FA2B4B65B}-v1-{DBFC1D07-12BE-4DBF-BCF0-01469580899B}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API -> 
    NY -> C:\Documents and Settings\Allen\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{E66C996F-F9E4-E421-27D9-15B97F78D628}\01\10-{E66C996F-F9E4-E421-27D9-15B97F78D628}-v1-{E3BF72D7-B657-4D82-BE2D-13861F1021E1}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API -> 
    NY -> C:\Documents and Settings\Allen\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{E66C996F-F9E4-E421-27D9-15B97F78D628}\11\12-{E3BF72D7-B657-4D82-BE2D-13861F1021E1}-v11-{E3BF72D7-B657-4D82-BE2D-13861F1021E1}-v12-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 47388 bytes hidden from API -> 
    NY -> C:\Documents and Settings\Allen\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{E66C996F-F9E4-E421-27D9-15B97F78D628}\11\12-{E3BF72D7-B657-4D82-BE2D-13861F1021E1}-v11-{E3BF72D7-B657-4D82-BE2D-13861F1021E1}-v12-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2 3342 bytes hidden from API -> 
    NY -> C:\Documents and Settings\Allen\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{E66C996F-F9E4-E421-27D9-15B97F78D628}\11\12-{E3BF72D7-B657-4D82-BE2D-13861F1021E1}-v11-{E3BF72D7-B657-4D82-BE2D-13861F1021E1}-v12-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 5240 bytes hidden from API -> 
    NY -> C:\Documents and Settings\Allen\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{E66C996F-F9E4-E421-27D9-15B97F78D628}\13\13-{E3BF72D7-B657-4D82-BE2D-13861F1021E1}-v13-{E3BF72D7-B657-4D82-BE2D-13861F1021E1}-v13-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 28272 bytes hidden from API -> 
    NY -> C:\Documents and Settings\Allen\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{E66C996F-F9E4-E421-27D9-15B97F78D628}\13\13-{E3BF72D7-B657-4D82-BE2D-13861F1021E1}-v13-{E3BF72D7-B657-4D82-BE2D-13861F1021E1}-v13-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2 2046 bytes hidden from API -> 
    NY -> C:\Documents and Settings\Allen\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{E66C996F-F9E4-E421-27D9-15B97F78D628}\13\13-{E3BF72D7-B657-4D82-BE2D-13861F1021E1}-v13-{E3BF72D7-B657-4D82-BE2D-13861F1021E1}-v13-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 3128 bytes hidden from API ->

  • The fix should only take a very short time.
  • When the fix is done, click the OK button in the message box.
  • Notepad will open with a log of actions taken during the fix.
    This file is saved in the Moved Files folder and is named in date_time format (mmddyyyy_hhmmss.log format, so e.g. 04012008_082852.log)
  • I need you to post the text from that file back here.
I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

#44
allenchen
    Member, Topic Starter, 58 posts
Hi sage5,

I did as you told me to do. This was the problem that occurred: OTScanIt told me to reboot, so I pressed OK and tried to reboot the comp, but it didn't shut down for 20 min, it just stayed at a "logging out" screen. So I shut it down by pressing the power button for 5 secs.


Here is the log:

[Win32 Services - Non-Microsoft Only]
Service idsvc stopped successfully.
Unable to delete service idsvc .
File not found.
[Registry - Non-Microsoft Only]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{83CEA883-896B-42D1-9054-F974E6D14FF4}\\ updated successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9311C667-E64F-4B22-8936-6DB997371CA4}\\ updated successfully.
[Files/Folders - Modified Within 30 days]
C:\WINDOWS\PSEXESVC.EXE moved successfully.
File delete failed. C:\Documents and Settings\Allen\Local Settings\Temp\~DF939C.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Allen\Local Settings\Temp\~DF93C1.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Allen\Local Settings\Temp\~DFAB96.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Allen\Local Settings\Temp\~DFABBB.tmp scheduled to be deleted on reboot.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.9.0 fix logfile created on 04112008_231902
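The fix log above answers three questions that blur together when read by eye: what was actually removed, what failed outright, and what was only queued for the next reboot. The Python below is an added example (mine, not OTScanIt's) that sorts the lines into those outcomes; the sample is taken from the log posted above and the function names are my own. The queued deletions matter here because the machine never completed its shutdown: Windows carries out pending file deletions early in the next boot, so after a forced power-off it is worth confirming the temp files are really gone. The script also flags PSEXESVC.EXE among the moved files: it is the service half of Sysinternals PsExec and only appears on a machine after PsExec has been run against it, so who ran it is a fair question to put to the user.

```python
"""Sort an OTScanIt fix log into outcomes (done, failed, not found, queued
for reboot) so the items that still need checking stand out.
Added example; the sample is the fix log posted in the thread."""
import re

SAMPLE_FIX_LOG = r"""[Win32 Services - Non-Microsoft Only]
Service idsvc stopped successfully.
Unable to delete service idsvc .
File not found.
[Registry - Non-Microsoft Only]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{83CEA883-896B-42D1-9054-F974E6D14FF4}\\ updated successfully.
[Files/Folders - Modified Within 30 days]
C:\WINDOWS\PSEXESVC.EXE moved successfully.
File delete failed. C:\Documents and Settings\Allen\Local Settings\Temp\~DF939C.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Allen\Local Settings\Temp\~DF93C1.tmp scheduled to be deleted on reboot.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.9.0 fix logfile created on 04112008_231902
"""

_SECTION = re.compile(r"^\[(.+)\]$")
# First matching rule wins; the named group "t" is the item acted on.
_RULES = [
    (re.compile(r"^Service (?P<t>\S+) stopped successfully\.$"), "ok"),
    (re.compile(r"^Unable to delete service (?P<t>\S+) ?\.$"), "failed"),
    (re.compile(r"^Registry (?:key|value) (?P<t>.+?) (?:deleted|updated) successfully\.$"), "ok"),
    (re.compile(r"^Registry (?:key|value) (?P<t>.+?) not found\.$"), "not-found"),
    (re.compile(r"^(?P<t>.+?) moved successfully\.$"), "ok"),
    (re.compile(r"^File delete failed\. (?P<t>.+?) scheduled to be deleted on reboot\.$"), "pending-reboot"),
    (re.compile(r"^File not found\.$"), "not-found"),   # refers to the previous item
]

# Moved files whose mere presence is worth a question.  PSEXESVC.EXE is the
# service half of Sysinternals PsExec and appears only after PsExec has been
# run against the machine.  Watch-list is mine, not OTScanIt's.
NOTABLE = {"psexesvc.exe": "service half of Sysinternals PsExec; confirm who ran it"}


def parse_fix_log(text):
    """Return [(section, outcome, item)] in log order."""
    actions, section = [], ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("<") or line.startswith("OTScanIt by"):
            continue
        m = _SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        for rx, outcome in _RULES:
            m = rx.match(line)
            if m:
                item = m.groupdict().get("t") or (actions[-1][2] if actions else "")
                actions.append((section, outcome, item))
                break
        else:
            actions.append((section, "unparsed", line))
    return actions


def count_outcomes(actions):
    counts = {}
    for _, outcome, _ in actions:
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


def pending_reboot_deletions(actions):
    """Files that only go away during the next clean boot."""
    return [item for _, outcome, item in actions if outcome == "pending-reboot"]


def notable_moves(actions):
    """Successfully moved files that deserve a follow-up question."""
    out = []
    for _, outcome, item in actions:
        why = NOTABLE.get(item.rsplit("\\", 1)[-1].lower()) if outcome == "ok" else None
        if why:
            out.append((item, why))
    return out
```

On the sample, `count_outcomes` gives four successes, one failure (the idsvc service could not be deleted), two not-found entries and two temp files queued for reboot; `pending_reboot_deletions` lists the two paths to re-check after the forced power-off.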

#45
sage5
    RIP 10/2009
    Retired Staff, 2,646 posts
Hi allenchen,


Re-run OTScanIt:
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Make sure that the Non Microsoft option is clicked in the following Headings:
    • Processes
    • Services
    • Drivers
    • Registry
  • Click Yes under Rootkit scan
  • Make sure that you tick these in the Additional Scans box
    • Reg - BotCheck
    • Reg - Security Settings
  • Click 60 days in the "Files Created In" & Files "Modified In" boxes
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning large amounts of data so depending on your system it could take a while to complete.
  • When the scan is done Notepad will open with the report file loaded in it.
  • Save the file in the new OTScanIt folder as Scan1.txt
If the log is too large to post, use the Reply button, scroll down to the Attachments section and attach the Notepad file here.


Cheers,

sage5