
"WindowsSafemode" Malware Virus - removal



#31 Ihatemalwaretoo (Member, 22 posts)
Hi Ron,

Apologies for the late reply I have been out of the country recently.

I have attached a .jpg which hopefully makes the problem a little clearer. Before the problem I had a folder called "Company"; when I look in My Documents it is completely empty, however when I try to save a folder with the name Company I get the attached message, as if the folder already exists. I currently have settings to display all hidden folders, so it is as if there is something a little more mischievous going on here.

I also have the same problem with My Programs: no programs are showing up in the folder either, but I am able to access all the Microsoft Office applications like .xls etc. When I go to the Start button and look up My Programs I only see as per attached.

Thanks ever so much,
Steve

Attached Thumbnails

  • Slide1.JPG

  • 0


#32 RKinner (Malware Expert, MVP, 13,200 posts)
Copy the text in the code box

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"SuperHidden"=dword:00000001
"ShowSuperHidden"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000000


Open Notepad (Start, Run, notepad, OK) and use Edit, Paste or Ctrl + V to paste the text into the window. File, Save As (to your desktop), "fix.reg", OK.
(Make sure you put the quotes around fix.reg or it will save as fix.reg.txt, which won't work.) Close Notepad.

Double-click on fix.reg and allow it to merge into the registry.

Now open Explorer and look in My Documents. Do you see a Company file or folder there now? Is there a blank line at the top of the list in the right pane? Right click on the blank line and see if you can get a property window to come up. If that works then Customize then Change Icon and select the picture that looks like a Folder and Apply.

If not: Start, Run, cmd, OK

cd  \
(prompt should change to show you are in C:\ )

attrib  -r  -s  -h  /s  *.*
(may take a while to run)

exit


See if you can see them now. You may find the following freeware useful:

http://www.petges.lu...download/ac.exe

Download, Save and Run ac.exe. Allow it to install. Now open Explorer, go to your My Documents folder, right click and select Change Attributes. Make sure the Hidden and System boxes are unchecked, then check Recurse Folders and Apply.

Ron
  • 0

#33 Ihatemalwaretoo (Member, 22 posts)
Hi Ron,

Thanks for this, I am now able to see the folders so much appreciated.

After running the first section I was unable to see the folder name or the blank line as described. I then tried the cmd section, and this ran within a few seconds. I downloaded the software and then right clicked on My Documents, but didn't have the option to change attributes.

On doing all of the above I was able to see the hidden folders, which I have now changed away from being hidden. I also have a lot more icons now under Programs; however, oddly, I don't have MS Office and the likes of .xls, .ppt etc. I do have MS Movieplayer, but I also don't have the Accessories portion where you have Paint, Calculator etc.

Not sure whether there is anything further that can be done to retrieve?

Thanks ever so much,
Steve
  • 0

#34 RKinner (Malware Expert, MVP, 13,200 posts)
I think there are still some folders hidden.
cd  \
(prompt should change to show you are in C:\)

attrib  -r  -s  -h  /s  *


This should unhide the folders.
  • 0
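As an added example (not code from Ron's posts or from the ac.exe tool he linked), here is a PowerShell script that performs the two checks behind the fix.reg file in post #32 and the attrib -r -s -h /s pass in posts #32 and #34: it reads the Explorer values that control whether hidden and protected operating-system files are shown, then lists every entry under a folder that carries the Hidden and System attributes together, the combination the attrib pass removed to bring the folders back. It only reports unless -Fix is given, and it skips hiberfil.sys and pagefile.sys, which attrib cannot change either. It assumes PowerShell 2.0 or later is installed (an optional download on XP) and that the default folder path follows the XP profile layout.

```powershell
param(
    [string]$Root = "$env:USERPROFILE\My Documents",   # folder to inspect (XP layout assumed)
    [switch]$Fix                                        # clear the attributes instead of only reporting
)

# Part 1: the Explorer values that fix.reg sets. "Hidden" = 1 shows hidden
# items, "ShowSuperHidden" = 1 shows protected operating-system files, and
# "HideFileExt" = 0 shows file extensions.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$p = Get-ItemProperty -Path $adv
"Hidden          = {0}  (want 1)" -f $p.Hidden
"ShowSuperHidden = {0}  (want 1)" -f $p.ShowSuperHidden
"HideFileExt     = {0}  (want 0)" -f $p.HideFileExt

# Part 2: entries stamped Hidden + System at the same time, the combination
# that attrib -r -s -h /s clears. -Force makes Get-ChildItem return hidden
# and system entries, which it otherwise leaves out.
$mask  = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
$clear = $mask -bor [IO.FileAttributes]::ReadOnly          # same set attrib -r -s -h removes
$skip  = @('hiberfil.sys', 'pagefile.sys')                 # attrib could not change these either

$found = @(Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { (($_.Attributes -band $mask) -eq $mask) -and ($skip -notcontains $_.Name) })

foreach ($item in $found) {
    $kind = if ($item.PSIsContainer) { 'folder' } else { 'file' }
    "{0,-6} {1}" -f $kind, $item.FullName
    if ($Fix) {
        try {
            # Keep every other attribute bit, drop only ReadOnly, System and Hidden
            $item.Attributes = [IO.FileAttributes]($item.Attributes -band (-bnot $clear))
        } catch {
            "       could not change attributes: $($_.Exception.Message)"   # e.g. Access denied
        }
    }
}
"{0} Hidden+System entries under {1}" -f $found.Count, $Root
```

Run it once without -Fix first and read the list: genuine system folders in a user profile are rare, so anything that appears is worth a look before its attributes are cleared.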

#35 Ihatemalwaretoo (Member, 22 posts)
Hi Ron,

Thanks for this, I have run the script and have attached a copy of the output for your reference; unfortunately MS Office programs and MS Accessories are still not showing up under My Programs.

I have a similar issue within MS Explorer, in that my favourite folders are no longer visible; however, if I go to add a new folder to my favourites, all my old/existing folders that are no longer visible are there to be seen. However, I can't right click on them and unhide them, if that is the problem. Do you know how to unhide favourite folders, as it is possibly the same problem as the My Documents issue that you fixed?

All the very best,
Steve

Please see below full result of running the script provided:
Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\scroft>cd \

C:\>attrib -r -s -h /s *

Attached Thumbnails

  • Result.jpg

Edited by Ihatemalwaretoo, 30 March 2011 - 04:36 PM.

  • 0

#36 RKinner (Malware Expert, MVP, 13,200 posts)
Funny that you are still not able to see the folders. The things that didn't want to change don't have anything to do with them.


Can you see the file c:\windows\system32\calc.exe ?

Ron
  • 0

#37 Ihatemalwaretoo (Member, 22 posts)
Yes, I can see this file.
  • 0

#38 RKinner (Malware Expert, MVP, 13,200 posts)
I sent you a PM.

Ron
  • 0
