Not able to view the hidden files and system helps-reg?

[roonie]

Just a day back i inserted a pen drive the next second mozila closed and gave me error saying "I dont hate mozilla use IE instead" but i ended the process which was using tat"svchost.exe"...From tat day onwards am not able to view the hidden files and system protected files..If i click on show hidden files and press ok it resets back to its original hide hidden files..?..

[joey_182]

ya its trojan..
use ur anti virus to remove it... u can fix ur registry after removing virus by following VG's thread....
this is must read thread...>>>http://thinkdigit.com/forum/showthread.php?t=61413



Note : always update ur anti virus and never forget to scan pendrive before using it(highly recommended)

[roonie]

Quote:

Originally Posted by joey_182

ya its trojan..
use ur anti virus to remove it... u can fix ur registry after removing virus by following VG's thread....
this is must read thread...>>>http://thinkdigit.com/forum/showthread.php?t=61413



Note : always update ur anti virus and never forget to scan pendrive before using it(highly recommended)

Yea thanks a lot got it back....But you told me a virus?...is it still residing in my comp?...I use avast it hasnt detected till now... And can you also tell me one thing...At startup everytime i recieve a message saying "rundll.exe was not found make sure you typed the path correctly"...I checked in msconfig der is no such startup item also...How do i remove tat error message and is tat file necessary??

[joey_182]

well..virus may be still there..if avast is not detecting even after updatng then u can use avira for free..simply the best..

and for rundll.exe error..some hidden process is running at start up(may be virus or some corrupt windows registry)..just scan with hijackthis and paste ur log in hijackthis.de.....then check the report....and for all cross mark enteries in report just note down its number....then check these enteries in hijackthis and fix them all....
if still u getting problem...then do full system scan with KIS or AVIRA...and remove virus..

ATTACHMENT: hijackthis software

[roonie]

Quote:

Originally Posted by joey_182

well..virus may be still there..if avast is not detecting even after updatng then u can use avira for free..simply the best..

and for rundll.exe error..some hidden process is running at start up(may be virus or some corrupt windows registry)..just scan with hijackthis and paste ur log in hijackthis.de.....then check the report....and for all cross mark enteries in report just note down its number....then check these enteries in hijackthis and fix them all....
if still u getting problem...then do full system scan with KIS or AVIRA...and remove virus..

ATTACHMENT: hijackthis software

Logfile of HijackThis v1.99.1
Scan saved at 7:00:28 PM, on 5/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsue.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.windowsue.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsue.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Windows uE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [User Themes] C:\WINDOWS\system32\rundll.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\System, DisableRegedit=1
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.windowsue.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

This is the log file i got...What to do now??

[blueshift]

^ From your log file, it seems your Registry Editor is disabled.

See if this works.

If you can access Commmand Window, then execute this:

Quote:

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

or download this free mini tool: Remove Restrictions Tool

Open notepad and copy paste the following:

Quote:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Advanced\Folder\Hidden]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Advanced\Folder\Hidden\NOHIDDE N]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVe rsion\\Explorer\\Advanced"
"CheckedValue"=dword:00000000
"DefaultValue"=dword:00000001


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVe rsion\\Explorer\\Advanced"
"CheckedValue"=dword:00000001
"DefaultValue"=dword:00000001


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Advanced\Folder\SuperHidden]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVe rsion\\Explorer\\Advanced"
"CheckedValue"=dword:00000000
"UncheckedValue"=dword:00000001
"DefaultValue"=dword:00000000

Save this file as somename.reg (i.e. with extension REG). Then double click to add the keys.

Check if it works.

[marshalll]

Open regedit and goto:


Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\explorer\Advanced\Folder\HiddenUnder this key, you’ll see 2 more keys “NOHIDDEN” and “SHOWALL“. Make sure that the values of “CheckedValue” and “DefaultValue” in right-side pane are “2” and “2” for “NOHIDDEN” and “1” and “2” for “SHOWALL” respectively. If its not so, then change them and you’ll be able to enable/disable these options in “Folder Options”.

You can also alter Hide/unhide settings using registry as following:



Code:
HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Explorer\AdvancedIn right-side pane, change value of "Hidden" to:

1 - To show hidden files
2 - To not show hidden files

[roonie]

Ya am using tat RRT tool to re-enable everytime coz it switches back to disabled everytime the com starts again...!..May be stil virus residing the avast dint detect any stil..!..I just want to know wat is the rundll.exe error everytime i get during startup tat it is missing??...I changed those key to 1 and 2 perfectly now the hidden files r working properly...only i want to know about the rundll error ..thx

[joey_182]

ok yes ur log shows that regeditor is disabled..u have solutions for that..in above posts..
and it also show that rundll.exe file is connected with some process of ur theme..
and this file is missing...

there is a easy way to restore the rundll.exe file
go to start RUN box>>type sfc /scannow

it may ask u for windows cd..

after restoring if it again gives u same popup of missing file then there's some malware or trojan which is corrupting rundll.exe...tell me if first one worked for u..

NOTE: rundll.exe runs in background..u may or may not be able to see in taskmanager process

[roonie]

No it dint work...The cmd prompt opened after i typed and pressed enter in run and immediatly quit automatically...it just came and went off..??

[joey_182]

u may not be typing correctly..in RUN u have to type "sfc /scannow" without quotes..and there's space after sfc...if even its not working u have to do scan ur pc with some gud anti vir...

[roonie]

i tried now too...tat black screen of cmd prompt flashed a second and went off...Anyway i will try scanning wit avast again and c...thanks

[blueshift]

^ ya thats because of virus...may be a Brontok variant. See in Google.
Remove that Bonjour folder and related processes.
Can you see hidden system files now? If yes then, check if you have 2 folders named system32 in Windows dir.

[roonie]

Am not able to delete the bonjour folder it says "Access is denied"...So i tried to log in safe mode and delete...It dint enter into the safe mode also...After loading safe mode i get a mouse pointer everything else blank before the user logon in safe mode..I know the safe mode was working before a 2 week ago..Something screwed really need help..grr

And also i tried brontok variant tool to remove wat you told ...I used Micrworld antivirus and antispyware removal kit it detected lots of adwares/spwares but was not able to remove since i need to buy...IS der any other brontok variant tool ?..i searched in google dint get anything proper...Is brontok removal tool and adware/spyware remover are same or something different coz if it is adware/spyware remover i wil use some other tool...Any suggestions plz??

[joey_182]

Brontok Washer(Most Effective against Brontok Virus)

its free removal kit..
give it a try..

otherwise Kaspersky Brontok Removal Tool one more from KIS...

[roonie]

I downloaded the brontok remover but at the end of completion of the download of the file avast detected as a virus and prevented it from saving it in com...and i tried kasperesky it gave me nothing to clean

[joey_182]

ok.this tool shd help u..SDfix...

If the Command Prompt window flashes on then off again on XP then follow these steps..

Click on the Start menu, then Run, and then copy and paste the following line into the Run field:

%systemroot%\system32\cmd.exe /K %systemdrive%\SDFix\apps\FixPath.exe

Then click OK, then type Y and press Enter when prompted, Reboot and start SDFix again

DOWNLOAD
SDFix

NOTE: you must be logged in as an Administrator and in safe mode in order for SDFix to work properly.

[blueshift]

Use [url=http://ccollomb.free.fr/unlocker/]Unlocker[url] to delete any file or folder that has been locked by the processess.

Can you run Registry Editor and MSConfig now?

[MetalheadGautham]

Quote:

Originally Posted by roonie

Just a day back i inserted a pen drive the next second mozila closed and gave me error saying "I dont hate mozilla use IE instead" but i ended the process which was using tat"svchost.exe"...From tat day onwards am not able to view the hidden files and system protected files..If i click on show hidden files and press ok it resets back to its original hide hidden files..?..

which operating system do you run ?
the virus looks clearly like a dedicated Microsoft virus
anyway, if you are using Microsoft's older OS, Windows XP, then do the following steps:

1. Turn PC on
2. Bash F8 key continuously the moment Windows XP is about to load
3. Select Boot Windows in Safemode With networking
4. Log in as "Asministrator". Its a default account.
5. update AVs, do a full system scan
6. check your registry for any errors
7. see if the problem can now be fixed by selecting show hidden files in Folder Options menu
8. There is a 90% chance that the problem will be solved.




PS: I remember a reverse virus, which did the following:

1. Disabled loading part of IE into memory on startup
2. Said similar message on opening IE
3. A variation also speeded up firefox startup time by adding a FF quicklauncher to startup

I remember it was a set of two programs, the first doing #1 and #2, being a virus, and the second was the FF Quicklauncher.