System32 folder is missing [RESOLVED]



#1 obryan20 (Member, 14 posts)
My system32 folder is missing. When I use RUN and type C:\WINDOWS\system32, the folder shows up but otherwise (selected Folder Options...Show hidden files and folders) it doesn't. I used the attrib command to unhide it but this was to no avail. In the system32 properties tab, the hide checkbox is grayed and cannot be unchecked. Please help.

I have followed the required cleaning steps and have scanned using Hijackthis 1.99. Here is the scan log. Thanks in advance for your assistance.

Logfile of HijackThis v1.99.1
Scan saved at 02:09:19 PM, on 11/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Paragon Software\Paragon CD-ROM Emulator\cdman.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\D-Link AirPlus G\AirPlus.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINDOWS\Integrator.exe
C:\Temp\Ewido security suite\ewidoctrl.exe
C:\Temp\Ewido security suite\ewidoguard.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis_199\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Jason's IE
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [cdman.exe] "C:\Program Files\Paragon Software\Paragon CD-ROM Emulator\cdman.exe" /startup
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: Hare.lnk = C:\Program Files\Dachshund Software\Hare\Hare.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by9fd.bay9.ho...es/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1118501254866
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Temp\Ewido security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Temp\Ewido security suite\ewidoguard.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Edited by obryan20, 11 June 2005 - 01:32 PM.


#2 Metallica (Spyware Veteran, GeekU Moderator, 31,676 posts)
Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

Then download and run RootkitRevealer from: http://www.sysintern...itRevealer.html

Let me know the results.

Regards,
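Metallica's three picks are the O2 entries whose target DLL no longer exists. As an added example, not code from this thread or from HijackThis, the Python below applies that rule plus two more a log reviewer typically checks (O23 services whose binary is reported "(file missing)", and O4/O23 entries launched from a Temp directory) to a few constructed lines copied in shape from the logs posted here. The rule names and the Temp-directory pattern are this example's own assumptions. The result is a review list, not a removal list: in the second log later in the thread, the QW service running from a Temp folder is RootkitRevealer's own temporary service, which is why every hit needs a human look before anything is fixed.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a few lines in HijackThis 1.99 format, copied in shape
# from the two logs in this thread (the GUIDs and paths are the ones posted).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: ewido security suite control - Unknown owner - C:\Temp\Ewido security suite\ewidoctrl.exe (file missing)
O23 - Service: QW - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Jason\LOCALS~1\Temp\QW.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O2" or "O23"
    reason: str    # tag for the rule that fired (tag names are this example's own)
    line: str      # the log line, unchanged, so a reviewer sees it in context


LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# Anything launched from a ...\Temp\ directory (assumed pattern for this example).
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)


def triage(log_text):
    """Return the lines a reviewer should look at, one Finding per rule hit."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, "Running processes:" block, blank lines
        section, body = m.groups()
        # A registered browser helper object whose DLL is gone: the registration
        # is dead weight, and is what Metallica picked out in post #2.
        if section == "O2" and body.endswith("(no file)"):
            findings.append(Finding(section, "orphaned-bho", raw))
        # A service whose binary HijackThis could not find on disk.
        if section == "O23" and body.endswith("(file missing)"):
            findings.append(Finding(section, "service-binary-missing", raw))
        # Autostarts and services running from a temporary directory deserve a
        # look but are not automatically bad: RootkitRevealer's own QW service
        # appears this way in the second log of the thread.
        if section in ("O4", "O23") and TEMP_DIR_RE.search(body):
            findings.append(Finding(section, "runs-from-temp-dir", raw))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'orphaned-bho': 3, ...}."""
    return dict(Counter(f.reason for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:24} {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it on a saved log by replacing SAMPLE_LOG with the file contents; the three "(no file)" BHOs come out tagged orphaned-bho, and the two Temp-directory services are listed for a look rather than marked for removal.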

#3 obryan20 (Topic Starter, Member, 14 posts)
Did what you said. Still no visible signs of the system32 folder. Hidden checkbox still greyed.

Here's the RootkitRevealer log:

HKLM\SOFTWARE\Classes\CLSID\{EF8004E0-74D6-E5E1-DE92687B6F22CED2}\{D850A7E8-A29C-FCE9-D9B4F577AA6BB789}\{16701812-CEC8-7CB2-559D4C938E3C932C}* 1/20/2005 9:28 AM 0 bytes Key name contains embedded nulls (*)
C:\RECYCLER\NPROTECT 6/24/2005 5:53 AM 0 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00000000 6/24/2005 5:50 AM 81 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00000002 6/24/2005 5:50 AM 104 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00000003 6/24/2005 5:50 AM 73 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00000004 6/24/2005 5:50 AM 80 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00000005 6/24/2005 5:50 AM 79 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00000006 6/24/2005 5:50 AM 80 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00000007 6/24/2005 5:50 AM 88 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00000008 6/24/2005 5:50 AM 79 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00000009 6/24/2005 5:50 AM 80 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00000012 6/24/2005 5:52 AM 23.38 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00000013 6/24/2005 5:53 AM 7.75 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00005645.html 1/22/2004 2:50 PM 25.71 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00005658. 1/22/2004 2:50 PM 20.05 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00005676. 1/22/2004 2:50 PM 653 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00005719. 1/22/2004 2:50 PM 80.05 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00005763.html 1/22/2004 2:50 PM 6.54 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00005765.html 1/22/2004 2:50 PM 5.17 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00005768.html 1/22/2004 2:50 PM 1.21 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00005769.html 1/22/2004 2:50 PM 1.80 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00005776. 1/22/2004 2:50 PM 1.85 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00005785. 1/22/2004 2:50 PM 1.52 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00005830.html 1/22/2004 2:50 PM 1.02 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00005860.html 1/22/2004 2:50 PM 7.22 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00005861.html 1/22/2004 2:50 PM 2.94 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00005862. 1/22/2004 2:50 PM 6.72 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00005864.html 1/22/2004 2:50 PM 9.96 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00005865.html 1/22/2004 2:50 PM 8.39 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00005870. 1/22/2004 2:50 PM 1.84 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00005875. 1/22/2004 2:50 PM 1.40 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00005878. 1/22/2004 2:50 PM 2.26 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00005879. 1/22/2004 2:50 PM 1.34 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00005882. 1/22/2004 2:50 PM 2.57 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00005883. 1/22/2004 2:50 PM 1.40 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00005890. 1/22/2004 2:50 PM 2.64 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00005891. 1/22/2004 2:50 PM 1.53 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00005904. 1/22/2004 2:50 PM 1.96 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00005905. 1/22/2004 2:50 PM 1.26 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00005914. 1/22/2004 2:50 PM 489 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00006037. 21 2004 1/21/2004 11:07 PM 36.94 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00006176. 1/22/2004 2:49 PM 1.47 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00006402. 1/22/2004 2:50 PM 75.50 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00006409. 1/22/2004 2:50 PM 77.50 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00006446. 1/22/2004 2:50 PM 53.50 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00006463. 1/22/2004 2:50 PM 78.16 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00006495. 1/22/2004 2:50 PM 278.42 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00006498. 1/22/2004 2:50 PM 47.50 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00007152. 1/22/2004 2:50 PM 104.00 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00007183. 1/22/2004 2:50 PM 14.23 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00007203. 1/22/2004 2:50 PM 1.83 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00007205. 1/22/2004 2:50 PM 1.83 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00007224. 1/22/2004 2:50 PM 751.50 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00007225. 1/22/2004 2:50 PM 668.15 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00007266.html 1/22/2004 2:50 PM 1.45 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00007267. 1/22/2004 2:50 PM 128 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00007268. 1/22/2004 2:50 PM 133 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00009643.Live 10/28/2004 3:33 AM 804 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00010155. 1/21/2004 1:43 AM 145 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00010172. 1/21/2004 1:43 AM 11.47 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00010400.html 1/22/2004 2:50 PM 3.88 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00010408.html 1/22/2004 2:50 PM 4.97 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\NPROTECT.LOG 6/24/2005 1:43 AM 631.38 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_2721.xml 10/6/2004 2:12 AM 7.81 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_2855.xml 10/17/2004 6:39 AM 13.54 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_4604.xml 2/10/2005 9:42 AM 5.03 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_5706.xml 4/4/2005 7:26 AM 3.63 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_6176.xml 4/26/2005 9:39 PM 1.99 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7035.xml 6/22/2005 11:19 PM 46.46 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7037.xml 6/22/2005 11:19 PM 1.45 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7039.xml 6/22/2005 11:19 PM 28.70 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7041.xml 6/22/2005 11:19 PM 3.55 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7043.xml 6/22/2005 11:19 PM 15.36 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7045.xml 6/22/2005 11:19 PM 1.85 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7047.xml 6/22/2005 11:19 PM 1.55 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7049.xml 6/22/2005 11:19 PM 41.73 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7051.xml 6/22/2005 11:19 PM 2.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7053.xml 6/22/2005 11:19 PM 423.94 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7055.xml 6/22/2005 11:19 PM 202.01 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7057.xml 6/22/2005 11:19 PM 65.83 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7059.xml 6/22/2005 11:19 PM 4.67 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7061.xml 6/22/2005 11:19 PM 177.17 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7063.xml 6/22/2005 11:19 PM 55.20 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7065.xml 6/24/2005 6:26 AM 46.46 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7067.xml 6/24/2005 6:26 AM 1.45 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7069.xml 6/24/2005 6:26 AM 28.70 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7070.xml 6/24/2005 6:26 AM 4.71 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7071.xml 6/24/2005 6:26 AM 3.55 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7073.xml 6/24/2005 6:26 AM 15.36 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7075.xml 6/24/2005 6:26 AM 1.85 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7076.xml 6/24/2005 6:26 AM 1.99 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7077.xml 6/24/2005 6:26 AM 1.55 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7079.xml 6/24/2005 6:26 AM 41.73 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7081.xml 6/24/2005 6:26 AM 2.00 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7083.xml 6/24/2005 6:26 AM 423.94 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7084.xml 6/24/2005 6:26 AM 8.91 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7085.xml 6/24/2005 6:26 AM 206.44 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7086.xml 6/24/2005 6:26 AM 5.13 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7087.xml 6/24/2005 6:26 AM 65.83 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7089.xml 6/24/2005 6:26 AM 4.67 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7091.xml 6/24/2005 6:26 AM 177.17 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7093.xml 6/24/2005 6:26 AM 48.24 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7094.xml 6/24/2005 6:26 AM 7.68 KB Hidden from Windows API.
C:\WINDOWS\system32\drivers\EMF.sys 1/22/2004 3:01 PM 20.29 KB Hidden from Windows API.
C:\x___x 1/22/2004 6:51 PM 0 bytes Hidden from Windows API.
C:\x___x\ali.exe 1/22/2004 3:01 PM 18.50 KB Hidden from Windows API.
C:\x___x\cpy.exe 1/22/2004 3:01 PM 20.50 KB Hidden from Windows API.
C:\x___x\dirlist 5/10/2005 8:34 AM 243 bytes Hidden from Windows API.
C:\x___x\dirlist.bak 6/24/2005 1:44 AM 243 bytes Hidden from Windows API.
C:\x___x\install.exe 6/24/2005 5:50 AM 2.26 MB Hidden from Windows API.
C:\x___x\magic.exe 1/22/2004 3:01 PM 14.50 KB Hidden from Windows API.
C:\x___x\mf.chm 1/22/2004 3:01 PM 34.39 KB Hidden from Windows API.
C:\x___x\mf.txx 1/22/2004 3:01 PM 11.67 KB Hidden from Windows API.
C:\x___x\mfx 1/22/2004 3:01 PM 20.29 KB Hidden from Windows API.
C:\x___x\MFX.CFG 6/13/2005 3:11 AM 59 bytes Hidden from Windows API.
C:\x___x\mfx_cfg.org 1/22/2004 3:01 PM 59 bytes Hidden from Windows API.
C:\x___x\readme.txt 1/22/2004 3:01 PM 3.37 KB Hidden from Windows API.
C:\x___x\tb.exe 1/22/2004 3:01 PM 21.00 KB Hidden from Windows API.


Also, here's another HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 01:38:19 PM, on 24/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Paragon Software\Paragon CD-ROM Emulator\cdman.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\D-Link AirPlus G\AirPlus.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\Integrator.exe
C:\hijackthis_199\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Jason's IE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [cdman.exe] "C:\Program Files\Paragon Software\Paragon CD-ROM Emulator\cdman.exe" /startup
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: Hare.lnk = C:\Program Files\Dachshund Software\Hare\Hare.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by9fd.bay9.ho...es/MsnPUpld.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1118501254866
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - Unknown owner - C:\Temp\Ewido security suite\ewidoctrl.exe (file missing)
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: QW - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Jason\LOCALS~1\Temp\QW.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#4 Metallica (Spyware Veteran, GeekU Moderator, 31,676 posts)
Can you please surf here:
http://www.thespykil...x.php?topic=5.0

Follow the instructions there to upload this folder:
C:\x___x
and this file:
C:\WINDOWS\system32\drivers\EMF.sys

I think that will turn out to be the evildoers.

Regards,
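Metallica reads the RootkitRevealer output in #3 by discounting two locations the machine accounts for, the Norton Unerase Protection store under C:\RECYCLER\NPROTECT (the NProtectService in the HijackThis log) and the Help Center data-collection files under PCHEALTH, which leaves C:\x___x and EMF.sys. The Python below is an added example, not code from the thread or from the Sysinternals tool, that performs that triage on a constructed subset of the lines posted in #3: it parses each line into path, size and discrepancy type, sets aside paths under an analyst-maintained allowlist (an assumption of this example, seeded with the two locations above), and orders what remains so drivers and executables come first. The odd "00006037. 21 2004" line shows the parser coping with a path that itself contains spaces.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the RootkitRevealer lines posted in #3,
# chosen to cover each discrepancy type and one path containing spaces.
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Classes\CLSID\{EF8004E0-74D6-E5E1-DE92687B6F22CED2}\{D850A7E8-A29C-FCE9-D9B4F577AA6BB789}\{16701812-CEC8-7CB2-559D4C938E3C932C}* 1/20/2005 9:28 AM 0 bytes Key name contains embedded nulls (*)
C:\RECYCLER\NPROTECT 6/24/2005 5:53 AM 0 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00000012 6/24/2005 5:52 AM 23.38 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00006037. 21 2004 1/21/2004 11:07 PM 36.94 MB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_2721.xml 10/6/2004 2:12 AM 7.81 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_7065.xml 6/24/2005 6:26 AM 46.46 KB Hidden from Windows API.
C:\WINDOWS\system32\drivers\EMF.sys 1/22/2004 3:01 PM 20.29 KB Hidden from Windows API.
C:\x___x 1/22/2004 6:51 PM 0 bytes Hidden from Windows API.
C:\x___x\ali.exe 1/22/2004 3:01 PM 18.50 KB Hidden from Windows API.
C:\x___x\install.exe 6/24/2005 5:50 AM 2.26 MB Hidden from Windows API.
C:\x___x\readme.txt 1/22/2004 3:01 PM 3.37 KB Hidden from Windows API.
"""

# One line = path, date, time, size with unit, discrepancy text.  The path is
# matched lazily so the first "<date> <time>" pair terminates it even when the
# path itself contains spaces.
RR_LINE = re.compile(
    r"^(?P<path>.+?)\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2} [AP]M)"
    r"\s+(?P<size>\d+(?:\.\d+)? (?:bytes|KB|MB|GB))\s+(?P<discrepancy>.+)$"
)
UNITS = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Analyst-maintained allowlist (an assumption of this example): locations the
# thread accounts for.  Entries under directories that are written during the
# scan often show up as discrepancies; confirm them once, then list them here.
KNOWN_BENIGN = (
    "C:\\RECYCLER\\NPROTECT",                   # Norton Unerase Protection store
    "C:\\WINDOWS\\PCHEALTH\\HELPCTR\\DataColl",  # Help Center data collection
)


@dataclass
class Entry:
    path: str
    size_bytes: int
    discrepancy: str


def parse(log_text):
    """Turn RootkitRevealer text output into Entry records; skips non-matching lines."""
    entries = []
    for raw in log_text.splitlines():
        m = RR_LINE.match(raw.strip())
        if not m:
            continue
        number, unit = m["size"].split()
        entries.append(Entry(m["path"], int(float(number) * UNITS[unit]), m["discrepancy"]))
    return entries


def _under(path, prefix):
    p, q = path.lower(), prefix.lower()
    return p == q or p.startswith(q + "\\")


def triage(entries):
    """Split entries into (needs_review, allowlisted); review list has code first."""
    review, allowlisted = [], []
    for e in entries:
        target = allowlisted if any(_under(e.path, k) for k in KNOWN_BENIGN) else review
        target.append(e)
    # Stable sort: things that can execute (drivers, executables, libraries) first.
    review.sort(key=lambda e: not e.path.lower().endswith((".sys", ".exe", ".dll")))
    return review, allowlisted


def by_discrepancy(entries):
    """How many entries of each discrepancy type, e.g. 'Hidden from Windows API.'."""
    return Counter(e.discrepancy for e in entries)


def by_directory(entries):
    """Cluster entries by parent directory; a hidden directory full of binaries stands out."""
    return Counter(e.path.rsplit("\\", 1)[0] for e in entries)


if __name__ == "__main__":
    review, allowlisted = triage(parse(SAMPLE_LOG))
    print(f"{len(allowlisted)} entries allowlisted, {len(review)} to review")
    for e in review:
        print(f"{e.size_bytes:>10}  {e.discrepancy:<55}  {e.path}")
    print(dict(by_directory(review)))
```

On this sample the review list opens with EMF.sys, ali.exe and install.exe, and by_directory reports three items under C:\x___x, the same two things Metallica asked to have uploaded.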

#5 obryan20 (Topic Starter, Member, 14 posts)
I have Encrypted Magic Folders (EMF) so I think that is why that folder x___x is hidden. But I'll do what you say nevertheless.
By the way, how do I obtain the folder? It is not visible.

Edited by obryan20, 28 June 2005 - 08:41 PM.


#6 Metallica (Spyware Veteran, GeekU Moderator, 31,676 posts)
Never mind. I'm probably barking up the wrong tree then.

You didn't do anything to the System32 folder with that program?

Regards,

#7 obryan20 (Topic Starter, Member, 14 posts)
No. If I did, I wouldn't be able to see the system32 folder until I started up the program. Now, as it stands, I can see the system32 folder whether or not I start EMF as long as I use Start/Run and type C:\WINDOWS\system32.

I don't know what else to do short of formatting and reinstalling. Besides, it HAS been almost 2 years since I last formatted. :tazz:

#8 Metallica (Spyware Veteran, GeekU Moderator, 31,676 posts)
You said you tried to strip the attributes.

Did you use this method?

attrib -a -h -r -s c:\windows\system32

And did you check if the files and folders in the Windows folder are arranged alphabetically?
I find it strange that you can reach the folder from the run box.

Regards,

#9 obryan20 (Topic Starter, Member, 14 posts)
When I tried using attrib I just used: attrib -h -r. Used the method you suggested and my system32 folder is now back. Thank you very much for your assistance.

P.S. Do you have any idea why this happened to the system32 folder? Also, what did the other flags of the attrib command do to show the folder? Thanks again.

#10 Metallica (Spyware Veteran, GeekU Moderator, 31,676 posts)
My pleasure. :tazz:

There are a few worms that have this effect on the System32 folder.
It is their way of trying to hide things from the infected user.

The possible attributes:

R Read-only file attribute.
A Archive file attribute.
S System file attribute.
H Hidden file attribute.

Regards,
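The difference between "attrib -h -r" and "attrib -a -h -r -s" comes down to the System bit. Microsoft's attrib documentation states that an entry with the System or Hidden attribute must have that attribute cleared before any other attribute can be changed, so a folder carrying S+H is only released when both are cleared in the same command. Explorer adds a second layer: entries with S and H together count as protected operating system files and stay hidden even when "Show hidden files and folders" is on, and the Hidden checkbox in Properties is greyed out for them, which matches what obryan20 saw. The Python below is an added model of those two rules (not code from the thread or from Windows) using the FILE_ATTRIBUTE_* bit values; the acceptance rule and the two Folder Options switches are modelled from the documented behaviour rather than read from a live system.

```python
# Windows FILE_ATTRIBUTE_* bit values as reported by GetFileAttributes.
READONLY = 0x01
HIDDEN = 0x02
SYSTEM = 0x04
ARCHIVE = 0x20
FLAG_BITS = {"r": READONLY, "h": HIDDEN, "s": SYSTEM, "a": ARCHIVE}


def format_attrs(attrs):
    """Render a bitmask as attrib's letters, e.g. SYSTEM | HIDDEN -> 'HS'."""
    return "".join(letter.upper() for letter, bit in FLAG_BITS.items() if attrs & bit)


def apply_attrib(attrs, args):
    """Model of attrib.exe applied to an entry whose attribute bits are `attrs`.

    `args` is the argument list, e.g. ["-a", "-h", "-r", "-s"].  Per the attrib
    documentation, an entry with S or H set cannot have any attribute changed
    unless the same command also clears the S and H it carries.  Returns
    (new_attrs, accepted); when refused, the attributes are left unchanged
    (this is where the real tool prints its "Not resetting ... file" line).
    """
    clears, sets = set(), set()
    for arg in args:
        if len(arg) != 2 or arg[0] not in "+-" or arg[1].lower() not in FLAG_BITS:
            raise ValueError("unsupported attrib argument: %r" % arg)
        (clears if arg[0] == "-" else sets).add(arg[1].lower())
    # The protected bits currently set on the entry: S and/or H.
    protected = {letter for letter, bit in (("s", SYSTEM), ("h", HIDDEN)) if attrs & bit}
    if protected and not protected <= clears:
        return attrs, False
    new = attrs
    for letter in clears:
        new &= ~FLAG_BITS[letter]
    for letter in sets:
        new |= FLAG_BITS[letter]
    return new, True


def explorer_shows(attrs, show_hidden, hide_protected_os_files=True):
    """Explorer's two Folder Options switches.

    "Show hidden files and folders" reveals entries that carry only H.  An entry
    with S and H together is a protected operating system file and stays
    invisible until "Hide protected operating system files" is also turned off.
    """
    if attrs & HIDDEN and attrs & SYSTEM and hide_protected_os_files:
        return False
    if attrs & HIDDEN and not show_hidden:
        return False
    return True


def replay_thread():
    """The sequence from this thread: system32 carrying S+H, the first attrib
    attempt, then the full form Metallica gave.  Returns the observations."""
    folder = SYSTEM | HIDDEN
    steps = []
    # "Show hidden files and folders" is on, yet the folder does not appear.
    steps.append(("visible with show-hidden on", explorer_shows(folder, show_hidden=True)))
    folder, ok = apply_attrib(folder, ["-h", "-r"])
    steps.append(("attrib -h -r", ok, format_attrs(folder)))
    folder, ok = apply_attrib(folder, ["-a", "-h", "-r", "-s"])
    steps.append(("attrib -a -h -r -s", ok, format_attrs(folder)))
    steps.append(("visible afterwards", explorer_shows(folder, show_hidden=False)))
    return steps


if __name__ == "__main__":
    for step in replay_thread():
        print(*step)
```

replay_thread returns the first attrib call refused with the bits still "HS", the second accepted with no bits left, and the folder visible again without any Folder Options change. The same model explains why unchecking "Hide protected operating system files" would have revealed the folder without touching its attributes, though it would also have exposed every other protected system file.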

#11 obryan20 (Topic Starter, Member, 14 posts)
;) Again, thanks a lot. :tazz:

#12 Metallica (Spyware Veteran, GeekU Moderator, 31,676 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

Please do have a look at my site about removing and preventing spyware.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.